i have a db that i designed to hold data from security logs from servers. security was a big concern for me. it's not the most glam solution but what i did was i created staging tables to temporarily hold the data coming in via ETL. there is a sql login that has write access to these tables with the password in plain text on 30 some servers if not more. every hour or so there is a process to move data to the real tables from which the reports run. these real tables are locked down to the point where only a few logins even have read access. most of the data is presented via email.

it doesn't work for everyone, but for ETL instead of keeping track of the data changes what about staging the data first and then inserting it into tables with more security on them to negate the need for auditing?