Query restrictions aren't so much about denying access to documents as it is never showing them the ones they can't access. Your auditors are probably looking for a 'smoking gun' of a user who tried to access something and was denied -- this doesn't happen, because the documents they're restricted from opening are never displayed in the hitlist.
If you need to provide SOMETHING to the auditors, show them the query restriction and the list of users who are subject to it. This is especially useful if the query restriction is written as "branchno=1234" instead of "branchno!=5678" -- the first selects ONLY what they can see. The second prevents them from seeing something, but allowing everything else.
When writing query restrictions, I try to write them in such a way that "That which is not expressly permitted is forbidden." That's how my friends describe driving in Montreal.
Good luck with the audit!
-JD.