Maybe I'm used to PCI (or what had been CISP) audits, but they aren't bad. Most of the PCI requirements are pretty common sense, and depending on how large of a processor you are dealing with, the requirements are actually negotiable. Having worked with some of the largest FEPs on PCI, they are able to get away with murder (storing CVV, storing complete acct info in the clear, non-operational firewalls, etc., etc.). If you work for a "mom and pop" shop merchant you won't have that luxury though.

As far as what I see for audit reports, it depends on what is being audited against. Many vendors in the security space are coming out with canned PCI reports in their products. For example, wireless IPS vendors have a canned report.

I give anyone going through PCI their first time two bits of advice. First is: be prepared to sell your security. Granted I primarily work with very large FEPs, but I've found it's not as much what you have but more how you sell it to the auditors. Sad but true. The second is that PCI requirements are updated from time to time. Today it is mostly network security, but rumor is next year there will be more requirements around application development and security. I've also been told by auditors that the data-at-rest requirements will be updated. I would suggest you keep current between audits as they do change.

Oh, and good luck.