How do I perorm a firewall audit?

You will need to pull, at random, around 10 change requests since the last audit. The basic questions you should be asking when you audit a firewall change are:

Is the requester documented, and is s/he authorized to make firewall change requests?
Is the business reason for the change documented?
Are there proper reviewer and approval signatures (electronic or physical)?
Were the approvals recorded before the change was implemented?
Are the approvers all authorized to approve firewall changes (you will need to ask for a list of authorized individuals)?
Are the changes well documented in the change ticket?
Is there documentation of risk analysis for each change?
Is there documentation of the change window and/or install date for each change?
Is there an expiration date for the change?

http://www.techyv.com/article/10-system-admin-must-have-tools