The word 'audit' covers very different services. An automated vulnerability scan is not the same as a manual penetration test, and neither is the same as an architecture review.
The real timeline for a company of 50–200 employees is typically: two days of information gathering, three to five days of active analysis depending on scope, and two days of report writing. Total: one to two weeks.
The final report must include a classification of findings by real business risk, not just technical severity. A critical vulnerability on a development server disconnected from production does not carry the same impact as a medium flaw in the ERP.
The most valuable part of an audit is not the list of problems. It is the remediation order and the conversation about what to fix, what to transfer and what to temporarily accept.