Contracting experts to perform security scans on your network is a must and should be done at least annually. However, you should also maintain the ability to perform your own security audits on a least a quarterly basis. Any time a change is made to an operating system, application, server, or part of your infrastructure, a focused audit should be performed to insure the configuration change did not introduce any new security issues. As anyone who has run an audit will tell you, the value of the tool is in the methodology it utilizes to create the report. No one has time to sift through a ream of paper looking for the needle in the proverbial haystack. Pick your tool carefully.