This depends solely on the type of business you are in. I am curious as to the level of auditing as well. Can you clarify the goals you are looking to accomplish?

Is this specifically a SQL security project or are you looking for a full level security audit which might include infrastructure assessments, server and router hardening etc.

David.