Just for continuities sake, I don't see anyone here describing requirements, I see them offering solution (or solutionizing in management speak )

Most people are talking about auditing access to SQL server - how does that help if all access is through a single account? How does that help you identify unauthorised changes to your data? How does that help prevent fraud?

I put it to you that you, and in my experience the auditors as well, are assuming that by 'logging everything' you have achieved something useful and/or complian with SOX.