As per Microsoft: "Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP SP2". See ME840633
for information on this event.
Indicates that a change was made to the audit policy. The description shows the current policy. A "+" sign indicates that the policy is enable, a "-" that is disabled. For example, the following:
- + Directory Service Access
Indicates that the the successful attempts to use the directory services will not be audited (the "-") but the failures will be (the "+").
See the link to the "Auditing policies - their meaning and recommended settings" article for a description of the auditing policies.
This event is also logged each time that the server refreshes its local security policy. This is the case when the user recorded in the event description is the name of the computer itself (i.e. SERVER1$).
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the server (or the containing OU/AD) via the Active Directory. When the server boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.
So, in my case, nothing to worry about, behaviour by design.