Hacker News

Sure, and sometimes these audits are people asking the managers "do you do this?". That is all they do. They don't sit in and watch people.



>sometimes these audits are people asking the managers "do you do this?".

I work for one of the large pro services firms that does internal audit, compliance/risk projects, strategy consulting, etc.

I'd argue that unless there are explicit sets of controls that HAVE to be tested as part of the project scope (which is usually defined by regulatory requirements), most audits are just people asking questions and ticking off boxes on a checklist. Most of the bigger firms even staff these projects with fresh graduates that often know absolutely nothing about what they're auditing.


Conducting an audit doesn't necessarily mean that you check everything. Often, auditing is looking for evidence as to whether a particular procedure was followed or not.

For example, say you're auditing a large company for compliance against an information security management system under ISO 27001, and you're checking to see whether the organisation you're auditing actually does keep its operating systems patched and its anti-virus software up to date.

You'll certainly ask questions about whether, how and how often the updates are done, but you're probably not going to check every single server, desktop and laptop because that would be too expensive. What you'll probably do is check a sample, and if all the devices in the sample are up to date, you'll tick that box and move on.

If, on the other hand, you find that half the desktops you check haven't been updated, then that's evidence that the updates policy isn't being followed, and would trigger further investigation, and probably a failure on that specific audit point.

The equivalent check in the VW case would be to run a test of the engine's emissions. It's not unreasonable for the methodology used to be based on that used by the regulatory body, in which case, it would have passed the audit.
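The sample-based evidence check described in the comment above, written out as an added example (this is not code from the thread or from any audit firm). It assumes a constructed inventory of hosts with their last-patch dates, a hypothetical policy of "patched within 30 days", and a hypothetical rule that more than 20% non-compliant devices in the sample fails the audit point and triggers further investigation; all of those thresholds, hostnames and dates are made up for illustration.

```python
import random
from datetime import date, timedelta

# Constructed reference date for the example; a real audit would use date.today().
TODAY = date(2015, 10, 1)

# Hypothetical policy: a device is compliant if its OS was patched within this window.
POLICY_MAX_PATCH_AGE_DAYS = 30

# Hypothetical decision rule: more than this fraction non-compliant in the sample
# means the updates policy is not being followed and the point is failed.
FAIL_RATE_THRESHOLD = 0.20


def build_inventory(stale_desktop_fraction: float) -> dict[str, date]:
    """Constructed fleet: 10 servers patched 5 days ago and 30 desktops, of which
    the given fraction were last patched 90 days ago (stale) and the rest 10 days ago."""
    inventory = {}
    for i in range(10):
        inventory[f"srv{i:02d}"] = TODAY - timedelta(days=5)
    stale_count = int(30 * stale_desktop_fraction)
    for i in range(30):
        age = 90 if i < stale_count else 10
        inventory[f"desk{i:02d}"] = TODAY - timedelta(days=age)
    return inventory


def is_compliant(last_patched: date, today: date = TODAY,
                 max_age_days: int = POLICY_MAX_PATCH_AGE_DAYS) -> bool:
    """True if the device was patched inside the policy window."""
    return (today - last_patched).days <= max_age_days


def draw_sample(inventory: dict[str, date], n: int, seed: int = 0) -> list[str]:
    """Pick n hosts uniformly at random without replacement. The seed is fixed so the
    selection is reproducible in the working papers; sorting first makes the draw
    independent of dict ordering."""
    rng = random.Random(seed)
    hosts = sorted(inventory)
    return rng.sample(hosts, min(n, len(hosts)))


def audit_sample(inventory: dict[str, date], sample_hosts: list[str],
                 today: date = TODAY) -> dict:
    """Check only the sampled hosts and decide whether the audit point passes.
    Returns the evidence (which sampled hosts were non-compliant) alongside the verdict,
    because the verdict alone is not evidence."""
    if not sample_hosts:
        raise ValueError("an empty sample is no evidence at all")
    noncompliant = sorted(h for h in sample_hosts
                          if not is_compliant(inventory[h], today))
    rate = len(noncompliant) / len(sample_hosts)
    if rate == 0.0:
        verdict = "pass"
    elif rate <= FAIL_RATE_THRESHOLD:
        verdict = "pass with observations"
    else:
        verdict = "fail: investigate further"
    return {
        "sampled": len(sample_hosts),
        "noncompliant": noncompliant,
        "rate": rate,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, fraction in (("well-patched fleet", 0.0), ("half of desktops stale", 0.5)):
        inv = build_inventory(fraction)
        result = audit_sample(inv, draw_sample(inv, n=12))
        print(label, result)
```

The point the code makes explicit is that the auditor's conclusion rests entirely on the sample drawn and the decision rule chosen; a fleet where half the desktops are stale can still pass a small sample by chance, which is why the sample size and seed belong in the evidence alongside the result.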


Nothing you're saying is wrong or theoretically unsound. But in practice, 'looking for evidence'-type activities are frequently glossed over, even by very reputable audit firms.



