As a current Security and IT Compliance manager and a former SQL Server DBA, I would also add the following items to the things to audit for:
1) Encryption (Transparent Data Encryption or other disk-based encryption), as encryption of data at rest is becoming more and more of a requirement, and the Key Management Processes.
2) Disaster Recovery or Business Continuity Process documentation. Have you documented/tested your failover processes? What is the Recovery Point Objective (RPO or the amount of acceptable data loss) and Recovery Time Objective (RTO or the amount of time allowed to come back online) and do these values match the business requirements?
3) Restore tests. I don't ask about backups, I ask about restores! Backups are no good unless the restore works!
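As an added example (not part of the answer above, and not a script from any particular product or project), the three audit points can be turned into a single evidence-gathering query on SQL Server: TDE state per database with the protecting certificate's expiry, the age of the newest full and log backups against an RPO threshold, and whether msdb holds any record of a restore into each database. The two `@..._rpo_hours` thresholds are assumed placeholders to be replaced by the business RPO; everything else uses standard catalog and msdb tables.

```sql
-- Added audit query (example only). Reports, per user database:
--   * TDE status and the certificate protecting the DEK (and when it expires)
--   * age of the last FULL and LOG backup versus an assumed RPO threshold
--   * whether msdb records any restore INTO this database (restore evidence)
DECLARE @full_rpo_hours int = 24;   -- assumed placeholder: max age of last FULL backup
DECLARE @log_rpo_hours  int = 1;    -- assumed placeholder: max age of last LOG backup

SELECT
    d.name                                              AS database_name,
    d.recovery_model_desc,
    d.is_encrypted,
    CASE ek.encryption_state
        WHEN 0 THEN 'No encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'No TDE'
    END                                                 AS tde_state,
    ek.encryptor_type,                                  -- CERTIFICATE or ASYMMETRIC KEY (EKM)
    c.name                                              AS certificate_name,
    c.expiry_date                                       AS certificate_expiry,
    bf.last_full,
    bl.last_log,
    r.last_restore,
    CASE
        WHEN bf.last_full IS NULL
          OR bf.last_full < DATEADD(hour, -@full_rpo_hours, GETDATE())
        THEN 'FAIL: full backup older than RPO'
        WHEN d.recovery_model_desc = 'FULL'
         AND (bl.last_log IS NULL
           OR bl.last_log < DATEADD(hour, -@log_rpo_hours, GETDATE()))
        THEN 'FAIL: log backup older than RPO'
        ELSE 'OK'
    END                                                 AS backup_rpo_check,
    CASE WHEN r.last_restore IS NULL
         THEN 'No restore of this database recorded in msdb'
         ELSE 'Restore recorded'
    END                                                 AS restore_evidence
FROM sys.databases AS d
-- one row per database that has a database encryption key (TDE)
LEFT JOIN sys.dm_database_encryption_keys AS ek
       ON ek.database_id = d.database_id
-- the certificate in master that protects the DEK, if a certificate is used
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = ek.encryptor_thumbprint
OUTER APPLY (
    SELECT MAX(bs.backup_finish_date) AS last_full
    FROM msdb.dbo.backupset AS bs
    WHERE bs.database_name = d.name AND bs.type = 'D'   -- D = full database backup
) AS bf
OUTER APPLY (
    SELECT MAX(bs.backup_finish_date) AS last_log
    FROM msdb.dbo.backupset AS bs
    WHERE bs.database_name = d.name AND bs.type = 'L'   -- L = transaction log backup
) AS bl
OUTER APPLY (
    -- only restores performed on THIS instance are recorded here
    SELECT MAX(rh.restore_date) AS last_restore
    FROM msdb.dbo.restorehistory AS rh
    WHERE rh.destination_database_name = d.name
) AS r
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

Two caveats when reading the output: msdb history only reflects this instance, so a restore test done on a separate recovery server (the usual practice) will show as "No restore recorded" here and needs its own evidence, and backup history may have been pruned with sp_delete_backuphistory, so an empty `last_full` means "no evidence", not necessarily "no backup". The query is evidence for the audit file; it does not replace actually performing the restore.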