I don't see a huge security issue with a separate schema. Thus, I don't see why this would necessarily fail an audit. That seems to be an overly broad claim.
I have separate dbs that specific power owners have full read, write and ddladmin to (but no db-level permissions, i.e., they can't directly back up the db, drop the db, add users, etc.), and we pass an audit every year.
SQL DBA, SQL Server MVP (07, 08, 09)
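An added example, not part of the post above and not the poster's own script: one way to set up the arrangement described (read, write and ddladmin, with no database-level rights) and to produce the evidence an auditor would ask for. The database name `PowerDb` and the user `CORP\power_owner` are hypothetical, and the `ALTER ROLE ... ADD MEMBER` syntax assumes SQL Server 2012 or later.

```sql
-- Hypothetical names: database [PowerDb], Windows login [CORP\power_owner].
USE [PowerDb];
GO

-- Grant the three fixed database roles the post describes, and nothing else.
CREATE USER [CORP\power_owner] FOR LOGIN [CORP\power_owner];
ALTER ROLE db_datareader ADD MEMBER [CORP\power_owner];
ALTER ROLE db_datawriter ADD MEMBER [CORP\power_owner];
ALTER ROLE db_ddladmin   ADD MEMBER [CORP\power_owner];
GO

-- Audit check 1: who holds the fixed roles that WOULD allow backup,
-- drop, or user management? Expect no rows besides dbo.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin',
                 N'db_accessadmin', N'db_backupoperator')
  AND m.name <> N'dbo';

-- Audit check 2: explicit database-level grants that bypass role membership.
-- class = 0 means the permission is scoped to the database itself.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0
  AND pe.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION
  AND pe.permission_name IN (N'CONTROL', N'ALTER', N'BACKUP DATABASE',
                             N'BACKUP LOG', N'ALTER ANY USER',
                             N'ALTER ANY ROLE');
```

Both queries returning no unexpected rows is the condition to record for the audit; rerun them on a schedule so that later role changes are caught.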