Mind you that failing an audit can have catastrophic consequences. With regards to SOX:

"Non compliance penalties range from the loss of exchange listing, loss of D&O insurance to multimillion dollar fines and imprisonment. It can result in a lack of investor confidence. A CEO or CFO who submits a wrong certification is subject to a fine up to $1 million and imprisonment for up to ten years. If the wrong certification was submitted 'willfully', the fine can be increased up to $5 million and the prison term can be increased up to twenty years." (taken from sox-online.com)

With regard to PCI, it can be something like "What a shame, you can't do business anymore!"

Not to say that the policy in question was appropriate or in any way properly matched to the requirement, but if that extraneous middle manager five levels up doesn't get his audits in order, that nice pile of money that pays the salaries of those "working-class saps" might well end up vanishing in a heartbeat.

Holy crap, guys, you mean that constantly archiving every minute detail of my life activities/social networks/purchase decisions on services that have no obligation to protect any semblance of my privacy and, in fact, end up owning the data that I am perpetually shoveling into them might be a bad idea???

More seriously, people need to start considering the ramifications of all the data they give away for free. It's not necessarily always a bad thing to do, but the corporations aren't going to be the ones to put user privacy above profit/obligation.

I don't know if I'd go so far as to say "disturbing and objectionable" but definitely the kind of joke-in-poor-taste that results in an awkward half-chuckle and then a silent room.