First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.
The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.
This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.
There's no "typical log size" for Exchange as this is dependent on activity, not the product itself.
There's an interesting discussion on the Microsoft support site here which might be relevant (extract follows).
I had the same issue, and it turned out to be 2 users with Android phones in a sync loop on contacts. I basically ran reports showing the top 10 mailboxes by item count (as opposed to size), and was able to narrow it down to the 2 problem users that way (their item count was incrementing very quickly compared to everyone else's). Running the report every 3 minutes let me find the trend.
The poster suggested running the following PowerShell script as their "report":
Get-Mailbox -Database databasethatkeepsgrowing | Get-MailboxStatistics | Sort-Object ItemCount -Descending | Select-Object DisplayName,ItemCount,@{name="MailboxSize";exp={$_.totalitemsize}} -First 10 | ConvertTo-Html | Out-File c:\temp\report.htm
I reckon you could see this issue from any device that might have problems, including Outlook itself if a user or two have messed up OST files or badly behaved plugins - keep in mind that transaction logs aren't just a list of mail but a list of, well, transactions which includes mail but can also include anything that changes the properties of an object in your message store, which can be any number of things. I'd suggest that the high CPU you've noticed could be very relevant, and worth checking out at least.
In addition to that lot, I'd be checking for things like spam relaying and the like, but I'm sure you're all over that.
Best Answer
This might be kind of a pain (since audit logging is turned off), but you can review PowerShell history. Since everything in Exchange 2007/2010/2013 is PowerShell based, you can see where someone ran the cmdlet Add-MailboxPermission with the associated parameters. To find the log of PowerShell commands, open up eventvwr.msc. Instead of looking in the usual Windows Logs area, look in Applications and Services Logs. You will see an MSExchange Management event source which has all the PowerShell execution history.
I just checked on my own 2010 environment and added a full mailbox permission, and it pops right up in that log.
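The same review can be scripted instead of scrolling through Event Viewer. The following is an added example, not part of the original answer: the function name Find-MailboxPermissionGrant, the sample events and the assumed "parameters {Name=Value, ...}" message layout are illustrative, so check the layout against a real event from your own server.

```powershell
# Added example (not from the original answer).
# Assumption: matching events carry text such as
#   Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=..., User=..., AccessRights=...}.
# If your Exchange version logs a different layout, the raw message is still returned.
function Find-MailboxPermissionGrant {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated and Message
        [string] $Cmdlet = 'Add-MailboxPermission'
    )
    foreach ($e in $Events) {
        # Skip every event that does not mention the cmdlet we are auditing.
        if ($e.Message -notmatch "\b$([regex]::Escape($Cmdlet))\b") { continue }
        $p = @{}
        if ($e.Message -match 'parameters\s*\{(?<body>.*)\}') {
            # Name=Value pairs; a value may itself contain commas (e.g. several access rights).
            $pairs = [regex]::Matches($Matches['body'], '(\w+)=(.*?)(?=,\s*\w+=|$)')
            foreach ($m in $pairs) { $p[$m.Groups[1].Value] = $m.Groups[2].Value.Trim() }
        }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Mailbox      = $p['Identity']
            GrantedTo    = $p['User']
            AccessRights = $p['AccessRights']
            Raw          = $e.Message
        }
    }
}

# Constructed sample events so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2013-05-02 09:14:00'
        Message = 'Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=jsmith, User=CONTOSO\helpdesk1, AccessRights=FullAccess, ReadPermission}.' },
    [pscustomobject]@{ TimeCreated = [datetime]'2013-05-02 09:20:00'
        Message = 'Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=jsmith}.' }
)
Find-MailboxPermissionGrant -Events $sample | Format-Table Time, Mailbox, GrantedTo, AccessRights

# On the Exchange server itself, feed it the real log instead:
# Find-MailboxPermissionGrant -Events (Get-WinEvent -LogName 'MSExchange Management')
```

Event logs roll over, so export the matching events before the log's size limit overwrites the period you need to review.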