All database access using $this->db is already protected against SQL injections. Scan the code for handwritten queries using $this->db->query(); those will need attention. Ideally, convert them to active record/query builder queries, to benefit from the built-in protection.
As for input, there are two approaches: filter on input or encode on output. CI advocates the first through xss_clean(); I prefer the last, encoding all data that goes to a view. I don’t like the idea of (automatically) maiming input which you might need later. Encoding data before sending it to the view also means you don’t have to worry about how variables are handled in your views.
No matter which approach you take, it should be combined with form validation, which should already capture most of the nastiness. So form validation needs to be checked for every form.
If the forms are using form_open() from the form helper, you can enable CSRF protection in the application config file. So do that, and check all views. If they have a hardcoded form tag, change it to use form_open().
Also check if the security key is defined in the config (wasn’t required in 1.7.2), and make sure sessions (if used) use the database and the session cookie is encrypted.
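
An added example, not part of the original post: a small Python audit script for the scan described above, listing handwritten $this->db->query() calls and hardcoded form tags in views. The file paths, sample PHP and finding labels are constructed for illustration.

```python
import re

# Constructed sample files (not from the post), keyed by CodeIgniter-style path.
SAMPLES = {
    "application/models/user_model.php": '''<?php
class User_model extends CI_Model {
    function by_name($name) {
        return $this->db->query("SELECT * FROM users WHERE name = '$name'");
    }
    function by_id($id) {
        return $this->db->query("SELECT * FROM users WHERE id = ?", array($id));
    }
    function by_email($email) {
        return $this->db->get_where('users', array('email' => $email));
    }
}
''',
    "application/views/login.php": '''<form method="post" action="/login">
<?php echo form_open('login'); ?>
''',
}

QUERY_CALL = re.compile(r'\$this->db->query\s*\((.*)')       # handwritten query
DQ_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')                  # double-quoted PHP string
PHP_VAR = re.compile(r'\$[A-Za-z_{]')                         # $var or ${var} inside it
CONCAT = re.compile(r'''["']\s*\.\s*\$|\$\w+\s*\.\s*["']''')  # "..." . $var / $var . "..."
FORM_TAG = re.compile(r'<form\b', re.IGNORECASE)              # tag not emitted by form_open()

def audit_php(path, text):
    """Return (path, line_no, finding) tuples for one PHP file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = QUERY_CALL.search(line)
        if m:
            args = m.group(1)
            interpolated = any(PHP_VAR.search(s) for s in DQ_STRING.findall(args))
            # Bound queries are still listed: the post wants every handwritten query reviewed.
            kind = ("query-builds-sql-from-variable"
                    if interpolated or CONCAT.search(args) else "query-handwritten")
            findings.append((path, no, kind))
        if "/views/" in path and FORM_TAG.search(line):
            findings.append((path, no, "hardcoded-form-tag"))
    return findings

def audit_tree(files):
    """Audit a {path: contents} mapping and return all findings in path order."""
    return [f for path in sorted(files) for f in audit_php(path, files[path])]

if __name__ == "__main__":
    for path, no, kind in audit_tree(SAMPLES):
        print(f"{path}:{no}: {kind}")
```

The matching is line-based and heuristic, so a query call that spans several lines still needs a manual look.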