Periodically, an internal auditor would stop by my desk and ask me to show them all the users and permissions on a particular database. This is easily gathered, and most of us know how to do this. I produce this list, and send it on to the requestor. The next question is What has changed?. I do not have this information, and have to tell them I do not know.
So, after a couple iterations of this (I will not admit how many) I finally devised a simple way to store this information to adequately respond to this question.
The article continues at http://sql-server-performance.com/articles/audit/Automate_Audit_Requests%20_p1.aspx