The list you create for this customer should include the following:
Are all updates and patches current on the server? Is YOU (YaST Online Update) configured to run automatically?
Are all updates and patches current on the workstations?
Is there sufficient documentation on the server (administrator's logbook and so on)?
Is the server physically secured within a server room or other area?
Are all services running on the server required?
Is someone assigned to keep abreast of security threats/developments through cert.org or another site?
Is the boot menu password-protected?
Are users aware of security policies regarding best practices for passwords?
Are currently installed packages up-to-date and known to be secure?
Is remote administration allowed?
What level of encryption is used for passwords?
Are certificates used, and, if so, what level of encryption is applied to them?
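
For the password-encryption item in the list, the scheme in use can be read from the prefix of each hash field in a shadow-format file. The following shell script is an added example, not part of the original checklist; the function names are hypothetical, and the sample accounts and hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify the crypt(3) scheme of each entry in shadow-format input.

# Map one shadow hash field to the scheme its prefix identifies.
hash_scheme() {
    case "$1" in
        '')              echo "none" ;;      # empty field: no password required
        '!'*|'*'*)       echo "locked" ;;    # account cannot log in with a password
        '$1$'*)          echo "md5" ;;
        '$2'[abxy]'$'*)  echo "bcrypt" ;;
        '$5$'*)          echo "sha256" ;;
        '$6$'*)          echo "sha512" ;;
        '$y$'*)          echo "yescrypt" ;;
        '$'*)            echo "unknown" ;;   # prefix not recognised here: review by hand
        *)               echo "des" ;;       # no prefix: traditional DES crypt
    esac
}

# Read shadow-format lines on stdin; print "user scheme verdict" per account.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            des|md5|none) verdict="WEAK" ;;
            locked)       verdict="n/a" ;;
            unknown)      verdict="REVIEW" ;;
            *)            verdict="ok" ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done
}

# Count accounts flagged WEAK (grep -c exits 1 on zero matches, hence || true).
count_weak() { audit_shadow | grep -c ' WEAK$' || true; }

# Constructed sample input: placeholder strings, not real password hashes.
sample_shadow() { cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:19000:0:99999:7:::
alice:$1$CONSTRUCTED$placeholderhash:19000:0:99999:7:::
bob:CONSTRUCTEDdes:19000:0:99999:7:::
carol:$2a$10$CONSTRUCTEDplaceholder:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system, run `audit_shadow < /etc/shadow` as root instead of piping in the sample.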