As a means of examining the events your system is auditing, the following query is helpful:
SELECT name as 'Audit Name',
status_desc as 'Audit Status'.,
audit_file_path as 'Current Audit File'
FROM sys.dm_server_audit_status
The current list should show roughly 33 if you are meeting the government STIG requirement for SQL 2016:
TRACE_CHANGE_GROUP
DATABASE_PRINCIPAL_CHANGE_GROUP
SERVER_PERMISSION_CHANGE_GROUP
USER_CHANGE_PASSWORD_GROUP
DATABASE_OBJECT_CHANGE_GROUP
SERVER_ROLE_MEMBER_CHANGE_GROUP
DATABASE_OBJECT_ACCESS_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
SERVER_OJBECT_PERMISSION_CHANGE_GROUP
SERVER_PRINICPAL_CHANGE_GROUP
DATABASE_ROLE_MEMBER_CHANGE_GROUP
FAILED_LOGIN_GROUP
DBCC_GROUP
SERVER_STATE_CHANGE_GROUP
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
SERVER_PRINCIPAL_IMPERSONATION_GROUP
BACKUP_RESTORE_GROUP
DATABASE_PERMISSION_CHANGE_GROUP
LOGOUT_GROUP
DATABASE_CHANGE_GROUP
AUDIT_CHANGE_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP
SERVER_OJBECT_CHANGE_GROUP
LOGIN_CHANGE_PASSWORD_GROUP
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_ACCESS_GROUP
SCHEMA_OBJECT_CHANGE_GROUP
SERVER_OPERATION_GROUP
DATABASE_OBJECT_CHANGE_GROUP
DATABSAE_OPERATION_GROUP
If you are picking these up in the monitor (*.sqlaudit), please provide an explanation of how this is done.
Thanks