The rules can be done multiple ways and it really depends on your comfort level with regular expressions. While I lean on heavy usage of complex inverse regex (which I believe to be better than simple forward matching), you should plan around how maintainable the work will be.
I can give a basic guideline: start with simple rules first. Use basic patterns and multi-line matching as follows:
aaa authentication login default group tacacs\+ local\r*
aaa authorization exec default local group tacacs\+ if-authenticated\s*\r*
aaa accounting exec default start-stop group tacacs\+\r*
aaa accounting commands 15 default start-stop group tacacs\+\r*
aaa accounting network default start-stop group tacacs\+\r*\n
This would be a single regex rule with that pasted into the block. You have to understand that there are hidden \n characters at the end of each of those lines, which is why I leave them out; it also makes the rule more readable for people less familiar with regexes.
This pales in comparison though with a more advanced rule that is completely unreadable:
^aaa [^ans]
^aaa n(?!ew-model\r*\n)
^aaa s(?!ession-id common\r*\n)
^aaa a[^cu]
^aaa ac(?!counting )
^aaa accounting [^ecn]
^aaa accounting e(?!xec default start-stop group tacacs\+\r*\n)
^aaa accounting c(?!ommands 15 default start-stop group tacacs\+\r*\n)
^aaa accounting n(?!etwork default start-stop group tacacs\+\r*\n)
^aaa au([^t]|t[^h]|th[^eo])
^aaa authe(?!ntication login default group tacacs\+ local\r*\n)
^aaa autho(?!rization exec default local group tacacs\+ if-authenticated\s*\r*\n)
These would all be under the advanced rule with each line being a separate "must not contain" rule under a "must not contain" main rule.
Could this easily be recreated? Will anyone besides the creator understand it when the policy is violated? Currently with NCM, I would say not without training or a very good understanding of regex. Take these things into consideration when planning. Both of these rules have similar results; the more complex one will tell you which line in the configuration is wrong. The simple one will just tell you something is wrong, but not on which exact line.
Starting with simple rules will get your network compliant; moving to advanced rules makes sense once you have a good baseline. As well, I always keep both sets of rules and create different reports, one called "Detailed" and one called "Basic"; this way, if I ever move on from my position, there is a set of easily maintainable rules.
Lastly, to answer your question directly, there is no guide to implementation. That's up to the end user and best practices are discovered through trial and error. I think my guidance above is about the closest thing anyone has posted relating to it.
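As an added example that is not part of the post, the two styles of rule side by side in Python, run over a constructed AAA excerpt in which one line points at the wrong server group. The patterns are the ones quoted above (the `aaa s` line written as a negative lookahead like its neighbours), and Python's `re` stands in for the NCM engine, which is an assumption.

```python
import re

# Constructed running-config excerpt (not from the post); line 5 uses "radius" instead of "tacacs+".
CONFIG = (
    "aaa new-model\r\n"
    "aaa authentication login default group tacacs+ local\r\n"
    "aaa authorization exec default local group tacacs+ if-authenticated\r\n"
    "aaa accounting exec default start-stop group tacacs+\r\n"
    "aaa accounting commands 15 default start-stop group radius\r\n"
    "aaa accounting network default start-stop group tacacs+\r\n"
    "aaa session-id common\r\n"
)

# Simple "must contain" rule: the post's block with the hidden \n between lines restored.
SIMPLE_RULE = "\n".join([
    r"aaa authentication login default group tacacs\+ local\r*",
    r"aaa authorization exec default local group tacacs\+ if-authenticated\s*\r*",
    r"aaa accounting exec default start-stop group tacacs\+\r*",
    r"aaa accounting commands 15 default start-stop group tacacs\+\r*",
    r"aaa accounting network default start-stop group tacacs\+\r*",
]) + "\n"

# Advanced "must not contain" rules: any hit is a deviating aaa line, found by elimination.
MUST_NOT_CONTAIN = [
    r"^aaa [^ans]",
    r"^aaa n(?!ew-model\r*\n)",
    r"^aaa s(?!ession-id common\r*\n)",
    r"^aaa a[^cu]",
    r"^aaa ac(?!counting )",
    r"^aaa accounting [^ecn]",
    r"^aaa accounting e(?!xec default start-stop group tacacs\+\r*\n)",
    r"^aaa accounting c(?!ommands 15 default start-stop group tacacs\+\r*\n)",
    r"^aaa accounting n(?!etwork default start-stop group tacacs\+\r*\n)",
    r"^aaa au([^t]|t[^h]|th[^eo])",
    r"^aaa authe(?!ntication login default group tacacs\+ local\r*\n)",
    r"^aaa autho(?!rization exec default local group tacacs\+ if-authenticated\s*\r*\n)",
]

def simple_check(config):
    """True when the whole required block is present; gives no hint about which line fails."""
    return re.search(SIMPLE_RULE, config) is not None

def advanced_check(config):
    """Return (line_number, line) for every must-not-contain hit, i.e. the exact failing lines."""
    hits = []
    for pat in MUST_NOT_CONTAIN:
        for m in re.finditer(pat, config, re.MULTILINE):
            end = config.index("\n", m.start())
            hits.append((config.count("\n", 0, m.start()) + 1, config[m.start():end].rstrip("\r")))
    return hits
```

The simple rule only returns False for this excerpt, while the advanced rules name line 5 as the offender.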