An "official" answer
Kimberly,
It is difficult to answer your question properly, because strictly speaking, there is nothing called a "CMM Audit".
The purpose of the CMM is not certification, as is the case for ISO.
OK, now I will come down off my soapbox.
There are two types of operations which can be performed using the CMM.
The first is called "SCAMPI" (Standard CMMI SM Appraisal Method for Process Improvement), and generally occurs as follows (simplified explanation): A assessment team consisting of 1 or 2 outside experts plus 2 - 4 internal people reviews a representative cross-section of running projects, looking at the written procedures and the documented evidence, and then interviews with key people in the organization, including groups of development engineers. From this gathered information, the assessment team judges which key practices of the CMM are satisfied and which areas need additional work. These findings are presented back to the organization and then to Management as the basis for Continuous Improvement.
The second method is called SCE (Software Capability Evaluation) and consists of a customer's experts visiting a supplier or potential supplier and evaluating the maturity of the supplier's processes against the CMM. This has more the flavor of an audit.
This, of course, is the "official" description. In reality, many factors can influence the real performance of these assessments, so that they can become more like audits.
I hope this provides the information you were looking for.
Bruce (SEI-trained as a Lead Assessor in 1996)