Re: The only thing that audits protect you from are auditors and regulators
Done two types of implementation (not security) audits in the past. Ones for companies who were largely in a mess and were surprised when their issues (rather than the implementer issues) were highlighted as the most important. And ones from companies who didn't really have a problem but really encouraged identifying anything that was found and went on to fix it.
So there are good reasons to audit as well as bad ones. Ironically given how they make their money, Deloitte's problems look like they needed an audit but never got one.