There are white hats and there are black hats. There are audits from brand-name companies like Positive or Group-IB. All of this, of course, depends a lot on the volume of work and the goals.
If you have a simple in-house website, then it is relatively easy. But if it is a CMS or a large infrastructure, the complexity and time increase. It is not very clear what you want: a piece of paper saying you're good, or for a hacker to dig painfully until they find a vulnerability in the areas you have doubts about :)
In any case, look toward security scanners like acunetix.com or metascan.ru; they do the same thing, digging only at a basic level, but automatically. It's faster and cheaper.