I know it's sometimes a pain and can take time, but you might want to consider putting out an RFP for an application test. Depending on the size of your company and procurement policies, you might be required to put the job out for bid anyway. It also gives you a good idea about what's out there. Let me warn you, however, that if you're only looking to satisfy an audit requirement, you're probably wasting your time, as you'll probably be forced to choose the lowest bid, which will most likely provide the least value in the long run, not to mention a false sense of security.
There are many things to include in the RFP, but the major points that come to mind at the moment are as follows:
- Company information (size, qualifications, location (important if testing is on-site), personnel bios, insurance, etc.)
- Technical Methodology (as detailed as possible)
- Tools used
- Reporting (make them include a sample)
- References (3 professional references seem to be the norm, which should be past clients)
There are many places one can place the RFP, such as magazines (SC, Infosec.), listservs (e.g., securityfocus.com), and of course you can always pick the top-10 replies to your query on Slashdot and send the RFP to them. You should get at least 5-6 responses.