We have seperation of duties.  All promotions (data/schema) come through the DBA's.  We have an audit trail of paper.  The developers fill out a form for the promotion.  Their manager must also sign off on it.  We do the promotion, sign it and put it in a 3 ring binder.  We do this for all databases (SQL, Oracle, DB2, Adabase).

I don't know about others, but the auditors we got seem very green.  We got told to "audit all transactions on all platforms" basically.  We told management that it would require 2 to 4 times the hardware for CPU, memory, ect.  Management went back to the auditors and said that was not realistic.  No word yet on where this will go.

Our department's philosphy up to this point has been, if there are actions and processes that need to be scrutinized, the application should be auditing those.  Actions that need to be tracked (who update what row, what purchasing amount) should be tracked in the application.

Has anyone been hit with "List of those approved to change the list of those approved to be on the list of those who can request promotions?"  Our security people are dealing with that.

Joseph