Hi,
Ask your auditors to provide their tests - they should be able to provide this and don't take no as an answer.
Generally the tests for maintenance of config tables are SE16, SM30 or similar with S_TABU_DIS in change mode.
The same applies for change client protection settings but usually the check is specified against table auth group SS.
Different auditors have different levels of check but these are the basic specs