Well, from a security point of view "audit anything you need" is wrong! Better is "audit all except what you know for sure is legitimate", which is exactly the standard phrase any auditor uses - "outside the normal use of an application". The problem is to find as many legitimate things as possible - as you mentioned.
Worse yet, sometimes (should I say most of the time) it's not possible to figure that out in a deterministic way. Often, you can only distinguish non-legitimate operations after playing with collected data in some BI tool. The level of collection... well, it's fine-tuned as you need and as you go through your analysis. Like start with connection audit, add some DDL, more, add some DMLs on some objects, etc., until you are comfortable.
For example, if you take Audit Vault - it's actually just a pre-configured audit data warehouse with OLAP tools configured to play with audit data. OK, maybe I am over-simplifying, but that's the idea and it seems like a very good approach.
Regarding a highly paid auditor - you don't pay for good advice - you pay for a stamp. ;-) Usually, it doesn't make you any more secure. For that you need to hire other guys, and they won't give you any stamps. ;-)
Actually, it has nothing to do with just IT. Every auditor must have the balls to "stamp" their customers.
I guess you do know what is meant by "outside the normal use of an application". I would get confused on such a generic recommendation from a highly paid auditor.
Actually you don't want to audit everything, just audit the things you need. That way you can minimize the auditing you do.
Raj
----------------------------------------------
Got RAC?
--
http://www.freelists.org/webpage/oracle-l
-- Best regards, Alex Gorbachev
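As an added example, not part of the thread, here is the incremental approach from the reply above expressed with Oracle's traditional AUDIT statements, plus a query over DBA_AUDIT_TRAIL that shows only records outside an allow-list of known-legitimate activity (the "audit all except what you know is legitimate" idea). The schema SEC, the allow-list table KNOWN_LEGIT, the account HR_APP, the host app01 and the audited table HR.EMPLOYEES are assumed names.

```sql
-- Added example (assumes AUDIT_TRAIL is set to DB or DB,EXTENDED so records land
-- in DBA_AUDIT_TRAIL). Widen the scope step by step as the analysis matures.

-- Step 1: connection audit only (LOGON/LOGOFF records).
AUDIT SESSION;

-- Step 2: add schema-changing DDL across the database.
AUDIT CREATE TABLE, ALTER TABLE, DROP TABLE;
AUDIT CREATE ANY PROCEDURE, ALTER ANY PROCEDURE, DROP ANY PROCEDURE;

-- Step 3: add DML, but only on the objects that matter (HR.EMPLOYEES is assumed).
AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Allow-list of activity known for sure to be legitimate (assumed table).
-- NULL owner/obj_name means "any object" for that user/host/action.
CREATE TABLE sec.known_legit (
  username    VARCHAR2(128) NOT NULL,
  userhost    VARCHAR2(128) NOT NULL,
  action_name VARCHAR2(28)  NOT NULL,
  owner       VARCHAR2(128),
  obj_name    VARCHAR2(128)
);
INSERT INTO sec.known_legit VALUES ('HR_APP', 'app01', 'LOGON',  NULL, NULL);
INSERT INTO sec.known_legit VALUES ('HR_APP', 'app01', 'LOGOFF', NULL, NULL);
INSERT INTO sec.known_legit VALUES ('HR_APP', 'app01', 'UPDATE', 'HR', 'EMPLOYEES');
COMMIT;

-- Everything that is NOT on the allow-list, plus every failed action (a failure is
-- never "normal use"). Review the result, grow the allow-list, repeat.
SELECT a.timestamp, a.os_username, a.username, a.userhost,
       a.action_name, a.owner, a.obj_name, a.returncode
  FROM dba_audit_trail a
 WHERE a.returncode <> 0
    OR NOT EXISTS (
         SELECT 1
           FROM sec.known_legit k
          WHERE k.username    = a.username
            AND k.userhost    = a.userhost
            AND k.action_name = a.action_name
            AND (k.owner    IS NULL OR k.owner    = a.owner)
            AND (k.obj_name IS NULL OR k.obj_name = a.obj_name))
 ORDER BY a.timestamp DESC;
```

Rows that keep showing up and turn out to be normal application behaviour go into KNOWN_LEGIT; what remains is the set worth looking at in a BI tool.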