It is my reading of SOX that what is and is not acceptable is totally up to the auditors. The provision (section 440?) of SOX that is causing all the work is actually only one paragraph long and is not very specific. As such it is up to the courts to determine what it means. That has yet to happen. As such, if the auditors say your books are OK and the CFO and CEO are willing to put their names on the bottom line, you could in fact do nothing new. But after what happened to Andersen most auditors are in cover-their-behind mode. Some of the requirements being placed on companies are just not practical or useful.

There is a court case saying that the government went too far in its actions against Andersen. Depending on how it comes out there could be a major shift in where auditors put their emphasis. Unfortunately for most of us, auditors make money on the current process, so you can expect the worst.

What the act definitely requires is that a firm take steps to protect the integrity of its data. You must have written procedures for updating production data and proof that you follow them (paper trail). Right now what constitutes valid procedures is whatever the auditor says.

IMHO -- Mark D Powell --

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Hemant K Chitale
Sent: Friday, January 14, 2005 9:49 AM
To: bdbafh@xxxxxxxxx; Michael.Kline@xxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: Sarbanes Oxley for dummies? -- more questions

Not having read the book, I, too, have a number of questions. My current employer, being NASDAQ listed, is also undergoing preparation for a SOX Audit in 2005.

1. How do you handle Password Controls for "root" and "oracle" accounts? If you have 200 servers and 80 databases, how do you ensure that you do NOT write down the passwords somewhere [other than on the sheet of paper in the IT Security department's safe] and yet remember the passwords? Some [un-named] persons I know use the *same* password on all the 20 or 50 odd servers. Would that be acceptable?

2. How do you Audit actions by DBAs? Create separate DBA accounts in the Database? If you have 3 alternate DBAs supporting multiple databases, should each DBA have a named account in each database?

3. Should all your SOX controls implemented as part of IT General Controls [COBIT Framework] apply to *all* your Servers and Databases, even those that are not Critical or Key systems [i.e. those with no financial impact] {assuming that a SOX Compliance Team identifies only a certain set of 8 or 10 systems as Key Systems}? Can you selectively apply controls to non-Key Systems?

--
//www.freelists.org/webpage/oracle-l
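Questions 1 and 2 above (password controls and auditing what named DBAs do) are the ones that usually get answered with a concrete Oracle configuration. The following is an added example, not code from either poster or from the oracle-l list: it gives one DBA a personal account under a password profile and turns on statement and object auditing so that privileged activity lands in DBA_AUDIT_TRAIL with a username attached, instead of everyone sharing SYSTEM. The user name hchitale, the profile name dba_profile and the table fin.gl_journal are assumptions for illustration; the syntax is the Oracle 9i/10g standard-auditing syntax current at the time of the thread.

```sql
-- Added example (not from the thread): one named account per DBA with a
-- password profile and auditing, Oracle 9i/10g syntax. The user hchitale,
-- the profile dba_profile and the table fin.gl_journal are hypothetical.

-- Write the audit trail to the database (takes effect after a restart).
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
-- Standard auditing does not record what SYS does; this sends every
-- AS SYSDBA / AS SYSOPER session's statements to the OS audit trail.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Password controls for DBA accounts: lockout, expiry and no reuse.
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1     -- days locked after too many failures
  PASSWORD_LIFE_TIME    90    -- days before the password expires
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_MAX    10    -- cannot reuse any of the last 10
  PASSWORD_REUSE_TIME   365;

-- A personal account for one DBA; nobody logs in as SYSTEM directly.
CREATE USER hchitale IDENTIFIED BY "replace-with-a-strong-password"
  PROFILE dba_profile;
GRANT DBA TO hchitale;

-- Record every logon/logoff by this account, one row per session.
AUDIT SESSION BY hchitale BY ACCESS;

-- Record each use of the privileges a DBA could misuse, one row per statement.
AUDIT ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      ALTER USER, CREATE USER, DROP USER, ALTER SYSTEM
  BY hchitale BY ACCESS;

-- Object auditing on a financially relevant table applies to every user,
-- which is the paper trail for "who changed production data".
AUDIT INSERT, UPDATE, DELETE ON fin.gl_journal BY ACCESS;

-- What the auditor (and you) review: who did what, from where, and whether
-- it succeeded (returncode 0) or failed.
SELECT username, os_username, userhost, action_name, owner, obj_name,
       timestamp, returncode
  FROM dba_audit_trail
 WHERE username = 'HCHITALE'
 ORDER BY timestamp;
```

The same CREATE USER / GRANT / AUDIT statements are repeated per database for each DBA, which is the practical answer to "should each DBA have a named account in each database": the audit trail is only attributable if the account is personal. The audit_sys_operations setting matters because a DBA who connects AS SYSDBA bypasses the rows above entirely, so the OS-level audit files must be collected and protected too.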