To be honest, I don't know what normal rates are, but it doesn't sound too insane - especially if these are really "top" researchers. Although I am not sure what he means by packages (I would assume a penetration test is just all kinds of vulnerability tests on the whole target/site).
The risk with such an audit is that you don't know what results there will be. In theory the report could say "all good, nothing found", although that's an extreme example.
Because of that, a (public) bug bounty program is obviously "attractive" too, as you just pay for actual results/bugs (in theory, starting such a program is free). But then there is no guarantee that experienced researchers will have a look at it, and there is no real "report" for stakeholders/users. Also, I would assume that with an audit you can trust the security company a bit more and give them a few more clues/information about the infrastructure, and the researchers could be allowed to use tools that are normally not allowed within bounty programs.
So in the end it's up to you and the company you work for, hehe.
But if you do happen to offer a bug bounty program (either after or without the audit), do let me know, hehe.