For SQL Server Audit in SQL Server 2008 and later, configuration permissions are governed by the ALTER ANY SERVER AUDIT and ALTER ANY DATABASE AUDIT permissions. We recommend creating limited-permission SERVER ROLES for admins rather than making them SYSADMIN. Where permissions
aren't sufficiently granular to allow them to do what you want without over-privileging them, signed stored procedures can be created to allow them to perform operations with business logic constraints. If these limited-privilege admins don't need to administer
triggers, triggers might also be useful in enforcing business logic requirements on operations.
Additionally, SQL Server Audit in SQL Server 2008 and later supports multiple audits. We recommend using this to have two layers of audit records: one that is synchronous, never gets turned off, and simply records all Audit configuration changes, and a second one that
is potentially asynchronous (and therefore faster, with lower performance overhead) and audits everything else needed. This second audit may need to be modified occasionally, such as during schema upgrades, but the first audit records what changed.
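
The two-layer layout described above, as an added T-SQL example (not part of the original text). The audit and specification names, the file paths, and the action groups chosen for the second audit are assumptions to adapt to your environment.

```sql
USE master;
GO

-- Layer 1: synchronous audit (QUEUE_DELAY = 0) that records only
-- audit configuration changes and is never turned off.
CREATE SERVER AUDIT Audit_ConfigChanges              -- assumed name
TO FILE (FILEPATH = N'D:\Audit\Config\')             -- assumed path
WITH (QUEUE_DELAY = 0);
GO
-- AUDIT_CHANGE_GROUP fires when any audit or audit specification
-- is created, modified or deleted.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_ConfigChanges
FOR SERVER AUDIT Audit_ConfigChanges
ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_ConfigChanges WITH (STATE = ON);
GO

-- Layer 2: asynchronous audit (records may be queued up to 1000 ms)
-- for everything else. The groups below are sample choices.
CREATE SERVER AUDIT Audit_Activity                   -- assumed name
TO FILE (FILEPATH = N'D:\Audit\Activity\')           -- assumed path
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Activity
FOR SERVER AUDIT Audit_Activity
ADD (FAILED_LOGIN_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Activity WITH (STATE = ON);
GO

-- Check: layer 1 should show queue_delay = 0 and both audits enabled.
SELECT name, queue_delay, on_failure_desc, is_state_enabled
FROM sys.server_audits
WHERE name IN (N'Audit_ConfigChanges', N'Audit_Activity');

-- Review what changed in the audit configuration (layer 1 records).
-- A later change to layer 2, such as
--   ALTER SERVER AUDIT SPECIFICATION AuditSpec_Activity WITH (STATE = OFF);
-- shows up here with the principal and statement that made it.
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\Audit\Config\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```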