If you're looking at using WSUS, might I recommend the Shavlik mailinglists at
http://www.patchmanagement.org/ Other great sites:
http://wsus.editme.com and
http://www.wsus.info There is a client process: "%WINDIR%\System32\wuauclt.exe"
As well as a service:
Automatic Updates: path to exe: "C:\WINDOWS\system32\svchost.exe -k netsvcs"
Logs on via LocalSystem.
That info is from my own Windows XP Pro SP2 machine.
I'm not all that familiar with Integrity. But a log is maintained locally on each machine:
%WINDIR%\SoftwareDistribution\ReportingEvents.log
This log details all actions taken by the Automatic Updates service as well as the Windows Update Automatic Updates Client (wuauclt.exe).
I'm not sure if that will help you in defining checks or not. On occassion I have had to delete the \SoftwareDistribution folder entirely to remedy an apparent local database corruption issue. This has the effect of trashing that log file, so if you've got a remote user who had to take that kind of drastic action you've just lost your ability to check.
You could also use WMIC to query the machine for current updates installed, that might be a more robust solution since it does not rely on WSUS at all. Stay tuned I can find some info on that for you.