As a "renter" of security audits I have a choice:

1. I give nothing and pay for the hours of information gathering by the auditor.

2. I give the basics, let them check them directly and get on with their job.

Whether the auditor is internal or external, there is a cost to the information-gathering phase. Done properly, and in an organization of reasonable size, you add a significant period to the audit. Thus you add significant cost.

It's very easy for the organization to regularly carry out the information-gathering phase, especially from an external point of view, by carrying out, on a quarterly basis, the standard passive footprinting techniques that any potential attacker might try. Pay special attention to avenues that might lead to social engineering techniques. It has a cost, but the cost is less overall than that of a full-blown audit of the same facet. Hell, a lot of it could be scripted. I prefer the manual approach, but that's me; it gives me a more "granular" view of my publicly available "assets".
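The poster's point that the recurring external information-gathering pass "could be scripted" is really about comparing what the organization can see of itself from the outside against what it thinks it exposes. The following is an added example and not the poster's code: it takes a list of records collected by the organization's own quarterly footprinting run (the collection step itself is not shown; the records here are constructed sample data) and diffs it against the approved asset inventory, so that hosts nobody registered, hosts that have silently changed, and inventoried hosts that have disappeared are flagged for the auditor before the audit starts. The `example.com` and `example-cdn.test` names and the IP addresses are placeholders.

```python
"""Quarterly external-footprint diff against an approved asset inventory.

Added example (not from the original post). All records below are constructed
sample data. In practice BASELINE would come from the organization's asset
register and OBSERVED from its own passive footprinting run over public
sources (DNS, certificate transparency logs, WHOIS and similar).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    host: str   # fully qualified host name, normalized to lower case, no trailing dot
    rtype: str  # record type, e.g. A or CNAME
    value: str  # record value, normalized the same way as host


def parse_records(text: str) -> set[Record]:
    """Parse 'host rtype value' lines; blank lines and '#' comments are ignored."""
    records: set[Record] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed record: {line!r}")
        host, rtype, value = parts
        records.add(Record(host.lower().rstrip("."), rtype.upper(), value.lower().rstrip(".")))
    return records


def diff_footprint(baseline: set[Record], observed: set[Record]) -> dict[str, list[str]]:
    """Classify differences between the approved inventory and what was observed.

    unknown_hosts: publicly visible but not in the inventory (shadow IT, forgotten test hosts)
    missing_hosts: in the inventory but no longer visible (decommissioned, or collection gap)
    changed_hosts: present in both, but the set of records differs (re-pointed, new service)
    """
    base_hosts = {r.host for r in baseline}
    obs_hosts = {r.host for r in observed}
    changed = []
    for host in sorted(base_hosts & obs_hosts):
        base_rrs = {(r.rtype, r.value) for r in baseline if r.host == host}
        obs_rrs = {(r.rtype, r.value) for r in observed if r.host == host}
        if base_rrs != obs_rrs:
            changed.append(host)
    return {
        "unknown_hosts": sorted(obs_hosts - base_hosts),
        "missing_hosts": sorted(base_hosts - obs_hosts),
        "changed_hosts": changed,
    }


# Constructed sample data: the approved inventory ...
BASELINE = """
www.example.com   A      192.0.2.10
mail.example.com  A      192.0.2.25
vpn.example.com   A      192.0.2.30
shop.example.com  CNAME  shop.example-cdn.test.
old.example.com   A      192.0.2.40
"""

# ... and what this quarter's external collection run saw.
OBSERVED = """
www.example.com   A      192.0.2.10
mail.example.com  A      192.0.2.25
shop.example.com  CNAME  shop.example-cdn.test
dev.example.com   A      192.0.2.99      # never registered in the inventory
vpn.example.com   A      198.51.100.5    # address changed since the baseline
"""


def run_quarterly_review() -> dict[str, list[str]]:
    """Run the diff over the constructed sample data and return the findings."""
    return diff_footprint(parse_records(BASELINE), parse_records(OBSERVED))


if __name__ == "__main__":
    for category, hosts in run_quarterly_review().items():
        print(f"{category}: {', '.join(hosts) if hosts else '(none)'}")
```

Each category maps to a question the auditor would otherwise spend billable hours answering: unknown hosts are the exposures nobody owns, changed hosts are where a service may have moved outside the documented perimeter, and missing hosts are either clean decommissions or a gap in the collection run that should be explained before the baseline is updated.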