Having been on both sides of the audit game:
1. Audits can't check for everything. It would be impossible from a time/effort perspective and the purpose of an audit is not to QA. At most, an audit can check for a sample of possible issues, selected semi-randomly (risk-weighted).
2. As such, audits tend to focus on broad processes and controls. E.g., does Air Canada have X process in place to mitigate against risk Y, and if so where is the evidence?
3. The unfortunate reality is that item 2 often devolves into chasing documentation (paperwork) against a checklist of risk items.
It's not an auditor's job to go through Air Canada's manuals/SOPs line by line to see if there are gaps (that's Air Canada's job). The auditor is there to check if there are specific controls in place, and that that set of controls -- as a whole -- is generally adequate and effective.