Auditors, both internal and external, will always find something wrong with your systems. That is what they do, and it is part of the plan-do-check-act (PDCA) cycle that is fundamental to improving security across the board.
If an auditor does not find anything that needs fixing, then go find another one, as you are wasting your money on auditors that do not give you the chance to improve.
Any security professional worth their salt should embrace the advice and the gaps found by good auditors with open arms. They certainly should not try to brush findings under the carpet in the hope their bosses will not find out, as this cover-up behaviour leads to data breaches and people losing their jobs.
As infosec professionals, we all have a duty of ethical disclosure to the companies we work for. Tell them how it is, because it is not "our" risk to evade, it is the company’s. If senior management decide to ignore risks, then that is their problem, as long as we have all done our jobs as professionals and escalated risks up the food chain.
Culture has a lot to do with this. I recollect a certain Japanese company that was rife with insufficient financial controls, yet there was great fear about reporting these to senior management. In fact, the culture was so bad that this went unchecked for several years and became the norm. The company lost billions in the fallout that followed.
As an auditor myself, I find myself in constant battles, more so because PCI DSS audits have annual deadlines whereby companies must prove continued compliance by a certain date or face being struck off the list. This punitive approach is not always the right way to go, and I have seen qualified security assessors put under pressure to sign off systems that are not even halfway compliant.
Advice? Listen to your auditor. Engage them early so there are no surprises, and leave yourself enough time to fix any gaps.