I don't see a huge security issue with a separate schema. Thus, I don't see why this would necessarily fail an audit. That seems to be an overly broad claim.
I have separate dbs that specific power owners have full read, write and ddladmin to (but no db-level permissions, i.e., they can't directly back up the db, drop the db, add users, etc.), and we pass an audit every year.
SQL DBA, SQL Server MVP (07, 08, 09) A socialist is someone who gives you the shirt off *someone else's* back.