Often organisations have a   SQL server security policy  dictating the 'sa'  login is disabled. There is some sound reasoning behind this policy. The primary reason is to decreases the surface area available to attack - and is a common principle of security. 

When this is a requirement - I'll  add some code to disable 'sa'  as part of the  build  and certification process. But , from time to time - the 'sa' login will be re enabled, so it's important to build an alerting or reporting mechanism identifying the exception. 

The sql statement to check if 'sa' is disabled.

SELECT name, is_disabled FROM sys.server_principals where name='sa'

To disable the 'sa' login use 

ALTER LOGIN sa DISABLE;

Normally - I build these checks into a daily Health Check or a custom alert . 

There are other tactics employed to disguise\block logins to sa - for example , renaming the sa is common method used.

Read more on SQL Server security 

SQL Server Security Violations Report for t-sql tuesday (SQL Server ...

Powershell sql server security audit (SQL Server DBA)

Database Security Countermeasures against hacker attacks (SQL ...