There are bad auditors, of course. Having had the displeasure of working with KPMG (not in a code-security-audit setting, mercifully), I genuinely don't understand how their staff can be allowed within a ten mile radius of source code.

The ideal way to authenticate audits IMO would be for the audited entity to link back to a PDF or other report hosted on the auditor's site.