Risk Based Approach
The Regulator cant be eveywhere all of the time,it is simply impossible, so most audits within industry are carried out through a 'risk based approach'. In other words if your organisation ranks high on a risk matrix then audits and surveillance will be more frequent. Conversely if your risk ranking is low, then audits won't occur as frequently.
Its interesting, everybody blames the Regulator when something goes pear shaped, yet not many Operators are willing to wear their own share of blame for doing something that contravenes the law or regulations ?