I always try to be "general" yet "informative". We all know how dynamic recommended security configurations are. I'd modify what the consultant said to include "as of the install date". I'd also run the Microsoft Baseline Security Analyzer on the servers (assuming they are MS), and place the report in the server change management program. That should give you a decent starting point for change management tracking anyway...
_________________________
Expressions posted here are not necessarily those of my employer(s).