• Chris, that is the kind of info I'm looking for. SOX seems to be primarily centered around all things financial.

    The paper trail for code changes, etc.: can you point me to a specific portion of a white paper or any article that explains that need, regardless of whether it is financial or not? We have a couple hundred databases; next to none are financial in nature.

    Thanks for all the replies.

    I've learned we are using EthicsPoint. As part of the usage and justification, we have the following within one of our websites: "The National Association of College and University Business Officers (NACUBO) provided guidance in its Advisory Report 2003-3, The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education, by describing this reporting mechanism as a best practice for higher education. Publicly traded companies are required by law (Sarbanes-Oxley Act of 2002) to have an anonymous reporting system to address accounting and auditing misconduct. In addition, colleges and universities that receive federal awards may possibly be required to follow Public Company Accounting Oversight Board (PCAOB) regulations at some point in the future."

    Just an overwhelming amount of items to read at this point. I need to talk to our CFO and Internal Audit Director. My supervisor is in favor of having the hosted databases include/retain db_owner rights for the group requesting the hosting. Therefore, they can write, remove, etc. The justification is that without that ability, these satellite entities would not want to relinquish the kind of current ownership that they are accustomed to. I need to be able to say "That's fine, but if we do that, we are not compliant with ????". Right now I can't say that or point to anything that says that. And there very well may not be anything here that would make that scenario non-compliant with non-financial data. Frowned upon, sure, by me only apparently. Sigh.

    Again, thanks for reading and giving advice!