This is the most important question that you can ask your security auditor.
Are they a pure and independent auditor, or are they a company with something else to sell that also conducts audits? You can get enterprise blockchain solutions for security audits.
You don't want a company that sells solutions to conduct your security audits, because it is likely to find a problem that its own solution happens to repair.
Do you do real analysis, and provide useful reports?
Beware of the security auditor that gives you a 100-page report. Quantity in no way signifies quality in a security audit.
What you want from a security auditor is a thorough report that focuses on issues that are relevant to you. Any security audit can find 100 trivial problems. You want an audit that tells you which 5 issues are important.
Do you have a quality team?
Consulting firm guys straight out of college are useful for some things, but understanding complicated computer networks and the vulnerabilities associated with them is best left to dedicated security engineers.
Hey, aren't you the guys who sell us our IT?
Don't hire the same guys who set up your system to audit your system. As much fun as it would be for them to grade their own work, you probably won't get the most honest results from them.