Re: update statement PL/SQL

Terry Dykstra wrote:

> SOX is process oriented. You document certain things (processes) that you
> do/don't do and why you aren't doing them. How you document that and
> control that is not up to the SOX auditors, but to the company itself. You
> need to show that you are doing due diligence and all that good stuff. As
> our company is headquartered in the US, I have to deal with the SOX auditors
> all the time. At no time in all our audits has there been any requirement
> to document DBA activity yet (other than showing user security, privileges
> etc). Touching financial systems, now that is a different story. If it
> potentially can affect the financial statements, then beware.

That is not the advice being given to public companies out here. The process part is but the ability to audit changes created by SysAdmins and DBAs has been part of the requirements to have an audit signed off at all of the large companies of which I am aware.

One company that was still using Oracle 7 was told point-blank that if they couldn't audit what their DBAs were doing they would not get the auditors sign-off and that this equated, unequivocally, to upgrading to 9i or above.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)