Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Sarbanes Oxley reporting

RE: Sarbanes Oxley reporting

From: Brian Haas <>
Date: Tue, 13 Feb 2007 15:30:02 -0800
Message-ID: <>

Your auditors seem to want a lot more information than ours do (at least from a database standpoint). Last audit I was asked for backup logs for 25 random dates and a system generated list of DBA accounts. I guess that's the problem with Sox, they don't really know what they want.  


[] On Behalf Of Jared Still Sent: Monday, February 12, 2007 10:48 AM To: Oracle-L Freelists
Subject: Sarbanes Oxley reporting  

Those of you that work in the USA, or even for USA based companies know what I'm referring to here.

I am curious what type of reporting you do to document the tests for your SOX controls in regards to Oracle databases.

The Sarbanes Oxley legislation is rather loosely written, leaving its interpretation pretty much open to negotiation between a company and its auditors.

The reason for asking is that my reports have been accused of being too verbose, or rather, have too much data, and not enough information.

I disagree, and if anyone reading them would simply read the instructions on the first page, they would not have so much difficulty.

But I digress.

It would be most interesting to see what kind of reports others are using to Satisfy SOX requirements for Oracle.

Comments on possibly improving the reports I am currently generating would also be welcome.

The following types of reports for Sarbanes Oxley are supplied for various tests throughout the year. All are in Excel.

Each Excel file is for a single database.

This one does require some guidance if the auditor is unfamiliar with the privileges.

  System Accounts: All known Oracle/Application/Busisness specific   database accounts are documented here, with the account owner and purpose.
  eg. SYSTEM, SCOTT, SAPR3, FNDAPP, etc. accounts

  Known Roles : Similar to System Accounts, but for Database Roles

  Account Reconciliation: List of accounts in the database. Those not found
  in the System Accounts worksheet are flagged in Red.

  Access Reconciliation: Roles assigned to accounts. Accounts not found   in the System Accounts worksheet are flagged in Red.

  Role2User: Roles assigned to users/roles, in ROLE order. Unknown accounts
  flagged in red.

  Role2Privilege: Similar to Role2User, but for individual privileges.

  User2Privilege: Similar to Role2User, but for user/role mapping to   privileges, in user/role order.

Changed/new/deleted objects are highlighted in blue.


That does it for my reports.  I'm looking for ideas on
how to consolidate this data into something auditor are
more likely to read without looking quite so confused 
when doing so.

Discussion of how others are satisfying SOX reporting 
requirements for Oracle databases should be interesting
and useful.


Received on Tue Feb 13 2007 - 17:30:02 CST

Original text of this message