We had our first COBIT audit. From the SQL side I can only say the auditors want us to have policies, e.g. password expiration and complexity, and also prove that the policies were actually implemented. They also wanted to know all SQL users created or deleted in the last year, the actual create/delete request, and what proof we have that we have done the tasks. BTW: For us, they did not provide any examples showing exactly what they are looking for.
My problem is not so much meeting their requests (which I think are often reasonable), but that, other than Excel, maybe SharePoint, or a database table, as an IT person I have no way to capture the flood of new documentation that will be required to document these tasks. And capturing is not the full story. I need to be able to retrieve answers to their questions from the data at least twice a year when they revisit us.
How do you manage all the COBIT (HIPAA, etc.) information you are now required to keep for audits?