I keep repeating in this blog...audit everything. Audit your auditing software. Audit your security auditors. Audit audit audit.
And software cannot do EVERYTHING for you. Some brains and analytics need to be involved in any good security policy:
Audit your security software