Mind you that failing an audit can have catastrophic consequences. With regard to SOX:
"Non compliance penalties range from the loss of exchange listing, loss of D&O insurance to multimillion dollar fines and imprisonment. It can result in a lack of investor confidence. A CEO or CFO who submits a wrong certification is subject to a fine up to $1 million and imprisonment for up to ten years. If the wrong certification was submitted 'willfully', the fine can be increased up to $5 million and the prison term can be increased up to twenty years." (taken from sox-online.com)
With regard to PCI, it can be something like "What a shame, you can't do business anymore!"
Not to say that the policy in question was appropriate or in any way properly matched to the requirement, but if that extraneous middle manager five levels up doesn't get his audits in order, that nice pile of money that pays the salaries of those "working-class saps" might well end up vanishing in a heartbeat.