Auditors are my biggest security problem.
You are all under the mistaken assumption that the purpose of an auditor is to improve your security and/or catch errors in accounting. Their purpose is to do neither. In fact, their purpose is to find nothing wrong, or at least nothing of substance that happened on current management's watch. They have to find the usual minor things, and it's OK, even salutary for them, if they find something huge that happened under prior management and dismissed auditors.
Interesting reading on the DShield mailing list.