First, make whatever you can pluggable. Loose-coupling, good form, all that jazz that's all over programmers.stackexchange.com. That way if somebody wants to change out username / password for domain auth, you can sell it as an easy feature. Similarly with changing logging from text files to syslog to databases.
- Authentication and Authorization
- Logging
... and that's about it. Keep unauthorized users out and limit authorized users to their roles, log behavior, and maintain integrity (application specific, but basically be careful of irreversible changes). Everything in an audit really boils down to those behaviors. Code with the idea that you'll log everything and use configuration to turn off things you don't want. Create permissions with roles and focus on the business logic of what users might do.
Can UserA see cost pricing? Can they set sales pricing? Ask a lot of questions of yourself like that. If your application is flexible and comprehensive in those areas I mentioned, you'll be able to meet most any standard out there.
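The role and logging ideas above, as an added example that is not part of the original answer: role-based checks for the pricing questions, with every decision logged to a pluggable sink and configuration switching event types off. The role names, permission names, event names and every user other than UserA are assumptions made for illustration.

```python
import json
from typing import Callable, Dict, Iterable, List, Set

# Constructed role -> permission map (names are assumptions, not from the answer).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "sales_rep": {"view_sales_pricing"},
    "sales_manager": {"view_sales_pricing", "set_sales_pricing"},
    "purchasing": {"view_sales_pricing", "view_cost_pricing"},
}
# Constructed user -> role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "UserA": {"sales_rep"},
    "UserB": {"sales_manager", "purchasing"},
}

class AuditLog:
    """Records every event by default; configuration lists the ones to drop.
    The sink is any callable taking a string: file write, syslog, DB insert."""
    def __init__(self, sink: Callable[[str], None],
                 disabled_events: Iterable[str] = ()):
        self.sink = sink
        self.disabled = set(disabled_events)

    def record(self, event: str, **fields: str) -> None:
        if event not in self.disabled:
            self.sink(json.dumps({"event": event, **fields}, sort_keys=True))

class Authorizer:
    """Answers 'can this user do X?' from roles and logs every decision."""
    def __init__(self, user_roles: Dict[str, Set[str]],
                 role_permissions: Dict[str, Set[str]], audit: AuditLog):
        self.user_roles = user_roles
        self.role_permissions = role_permissions
        self.audit = audit

    def can(self, user: str, permission: str) -> bool:
        # Unknown users and unknown roles grant nothing: deny by default.
        roles = self.user_roles.get(user, set())
        allowed = any(permission in self.role_permissions.get(r, set())
                      for r in roles)
        self.audit.record("authz.allow" if allowed else "authz.deny",
                          user=user, permission=permission)
        return allowed

def demo() -> List[str]:
    """Collect log lines in memory; config here turns off allow events."""
    lines: List[str] = []
    authz = Authorizer(USER_ROLES, ROLE_PERMISSIONS,
                       AuditLog(lines.append, disabled_events={"authz.allow"}))
    authz.can("UserA", "view_cost_pricing")   # denied: sales_rep lacks it
    authz.can("UserB", "set_sales_pricing")   # allowed, but logging is off
    authz.can("UserC", "view_cost_pricing")   # denied: unknown user
    return lines
```

Swapping `lines.append` for a syslog or database writer changes where the audit trail goes without touching the authorization code.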