Yes, the "audit" tag is required. It specifies one of the ways you want files in the project containing the ".audit" file to be audited (you can specify multiple "audit" tags if different portions of the project should be audited differently). But, no, the ".audit" file is always
taken into account when an audit is run.
Assuming that the referenced audit rule set is loaded in the user's workspace, it will always be used to audit any file in the project that passes the inclusion and exclusion patterns you have specified (if any). If the audit rule set is not loaded in the user's workspace, the default audit rule set will be used instead.
Note that you can specify an audit rule set that is checked in as part of the project and CodePro will automatically load that audit rule set in order to use it. This avoids the question of whether or not users have loaded the audit rule set into their workspace. Details on how to specify different locations for the audit rule set can be found here: