Minor comment inline below...

|Comment inline
|On Sat, 15 Jan 2005 16:39:28 +0800, Hemant K Chitale
|<hkchital@xxxxxxxxxxxxxx> wrote:
|> >Auditors require personal accountability, which requires personal accounts.
|> >
|>
|> That would then include Auditing every action by these accounts.
|Not necessarily. Pleasing auditors so they will sign off on your
|financial accountability
|and doing the right thing are not the same thing. Think Venn diagram.
|> > Ours identified critical systems, and those are the systems that are
|> > audited.
|>
|> Yes, I would expect that too. However, somewhere along the line we have
|> got the impression that implementation of controls has to be the same across
|> all systems.
|Not for SarbOx compliance.

Except possibly where actions in development systems may have consequences in production systems. I've been told that I may be blocked from development tools. This will make it rather difficult to help applications staff.

Plus, as other people have said, a lot of this seems to be up to the individual auditor's interpretation of SOX. We've run into differences between auditors at corporate vs. auditors at divisions (auditors working for the same company).

And by the way -- Jared made reference the other day to written change control documentation. We have workgroups in different locations around the world and our process is wired together with email here and there (mostly just "you have been assigned this" or "change xyz has reached status something"). In the past, auditors were satisfied with a demonstration that emails would happen. Now they are asking for all such mail in a 20 day period 8 months ago. And I had the same question for emailed system alerts. I'm not saying "don't use email" but...I get a lot of mail. Saving mail (which ones?) for a 1 year period would be a real headache.

Kip Bryant

|--
|Jared Still
|Certifiable Oracle DBA and Part Time Perl Evangelist
|--
|//www.freelists.org/webpage/oracle-l