The SANS Audit Advice and Resources* website has a free checklists section:
6 VMWare Settings Every IT Auditor Should Know About
5 Things Every IT Auditor Needs to Know About: SSH Configuration
PCI/DSS Self Assessment Tools Update!
OpenDNS.com: Verifying Free Web Filters
Active Directory Security Checklist
Auditing Web Applications: Part 1**
Auditing Web Applications: Part 2**
Auditing Web Applications 3: Validating Session Controls**
If you ever have a chance to take a SANS class (or another one), I strongly recommend it. I took a wireless auditing class from SANS and it was excellent.
* If “sans” means without (e.g., a sans serif font has no serifs), does that mean SANS really doesn’t have any advice? Or that you should just go without it?
** This is a five-part series, and as of this post, only these have been published.