That's just it. There are no security challenges to it. I don't allow users to use xp_CmdShell directly. I don't allow apps to execute it directly (never mind them having SA privs). They have no chance of elevating their privs because they cannot use it that way but, even if they could, they wouldn't get far because I also limit what the SQL Server login and the SQL Server Agent login have privs to do. So far as audit goes, you can bet your sweet bippy that the stored procs that use xp_CmdShell log who called them. Heh... I even do that with some of the stored procs that don't call xp_CmdShell.
As for auditing, let's ask the question about how many apps that have insert/update/delete privs that don't pass the identity of the person using the app. Now that's a concern and that includes SSIS.
--Jeff Moden
Change is inevitable... Change for the better is not.
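
The pattern described in the post above, sketched as an added example that is not the poster's own code: callers get EXECUTE on a wrapper procedure only, the command text is fixed inside it, and every call is logged with the caller's identity. The table, procedure, role and path names are hypothetical, and how the procedure itself is given the right to run xp_cmdshell (module signing, for instance) is assumed to be handled separately by the DBA.

```sql
-- Added example. dbo.CmdShellAudit, dbo.ListImportFiles, AppRole and D:\Import are hypothetical.
CREATE TABLE dbo.CmdShellAudit (
    AuditID   int IDENTITY(1,1) PRIMARY KEY,
    CalledAt  datetime2(3)  NOT NULL DEFAULT SYSDATETIME(),
    LoginName sysname       NOT NULL,  -- ORIGINAL_LOGIN(): the login that connected,
                                       -- unchanged by any EXECUTE AS context switch
    HostName  nvarchar(128) NULL,
    AppName   nvarchar(128) NULL,
    ProcName  sysname       NOT NULL,
    ExitCode  int           NULL       -- stays NULL if the command never returned
);
GO

CREATE PROCEDURE dbo.ListImportFiles
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rc int, @AuditID int;
    DECLARE @out TABLE (Line nvarchar(4000) NULL);

    -- Record who called before anything touches the operating system.
    INSERT dbo.CmdShellAudit (LoginName, HostName, AppName, ProcName)
    VALUES (ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME(), OBJECT_NAME(@@PROCID));
    SET @AuditID = SCOPE_IDENTITY();

    -- The command is a literal: the procedure takes no parameters,
    -- so a caller cannot supply or alter the command text.
    INSERT @out (Line)
    EXEC @rc = master..xp_cmdshell 'dir /b D:\Import\*.csv';

    -- Close out the audit row with the command's return code.
    UPDATE dbo.CmdShellAudit SET ExitCode = @rc WHERE AuditID = @AuditID;

    -- xp_cmdshell returns a trailing NULL row; drop it from the result.
    SELECT Line FROM @out WHERE Line IS NOT NULL;
END;
GO

-- Callers are granted the wrapper only. No user or application login
-- is granted EXECUTE on xp_cmdshell itself.
GRANT EXECUTE ON dbo.ListImportFiles TO AppRole;
```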