Because you still have to met the requirements of 8.2.2 and show enough implementation of the audit program. One audit isn't sufficient to meet the 'status and importance' aspects nor to demonstrate effective implementation of audits.
One system wide audit might 'cut it' for a CB auditor, but it would be a big risk, IMHO. Furthermore, one audit is only going to give you a snapshot of the system at that time, and to gain confidence that the system is being implemented and confirm that there are no obvious 'holes' for the CB auditor to find, so more audits will be required.
It occurs to me also that even if one system wide audit was done, there's still going to be a need for follow-up audits to verify closure of findings, so which ever way you slice it, one audit isn't enough............
One system wide audit might 'cut it' for a CB auditor, but it would be a big risk, IMHO. Furthermore, one audit is only going to give you a snapshot of the system at that time, and to gain confidence that the system is being implemented and confirm that there are no obvious 'holes' for the CB auditor to find, so more audits will be required.
It occurs to me also that even if one system wide audit was done, there's still going to be a need for follow-up audits to verify closure of findings, so which ever way you slice it, one audit isn't enough............

