Is there a way to audit the use of the local admin if someone needed to log directly into hardware? A random example might be a problem where an admin would access the switch locally to change a port type from access to trunk. I'm not seeing in the documentation where this is possible. Audit would like to see controls around this password to see when it's used.
You could achieve something by disabling the local status page (under Network-Wide/General) and then making your process that someone has to enable it (which causes a log entry to be made), make their change, and then disable it.