• Not only that, but if the DBA actually DOES learn the system well, is he then not allowed to be DBA anymore? 

    That sort of thinking is screwed, and not standard at all.  I don't know how the auditing company is coming up with these things; I'd guess it has more to do with misunderstanding/misrepresenting a valid security concept than with pure stupidity.  But one never knows, I guess.

    Keep us posted, man.

    cl

    Signature is NULL