We have a similar thing on our audit. My suggestions would be:
1. Limit the scope of the documentation to only the machines that process business-critical information and process cash / financial transactions. These are most likely what concerns the auditors.
2. Have a written policy that states what your update policy is. Could be as simple as "All automatic Microsoft updates are installed as delivered by Microsoft, and application-specific updates per the software vendor's schedule." If the auditors are really concerned, it will be noted in the management letter, and then you and your boss can determine the resolution (ignore or comply).
3. The log, as Gary suggested, for all servers; this can be valuable for you too when trying to reconstruct the chain of events when something is broken.
4. If you use contractors or vendors, make sure they update the log also.
5. What is the concern level from your management? If they are concerned, you need to be concerned also. If they don't see it as an issue to spend resources on, then it isn't that important of an issue to them.
Dave