I recently collaborated with Idera to produce a short whitepaper on the top 5 things to audit in SQL Server (database engine). You can grab it for free here (registration required):
None of this is earth-shattering. The whitepaper contains the first set of things I look at when auditing the internal security of SQL Server. Part of what spurred this effort was a series of conversations I had with friends of mine who are internal auditors, developers, and system administrators who had been audited by an outside firm recently. The results provided by the outside auditors were less than satisfactory.
If you have an auditor come into your organization and he or she doesn’t cover these items, you probably aren’t getting your money’s worth. Really, these are the starting point and a good audit should cover much more. However, grab the whitepaper, audit yourself, and take care of the “low-hanging fruit.”