And how does one administer the server without sysadmin? OP, you have to explain to the auditor that the DBA must have access to everything. Sensitive data should always be encrypted, but who will do the encryption? I think your auditor doesn't know what he/she is doing. You must explain to them that the DBA is the top of the chain for data. If it is sensitive data that shouldn't be encrypted (HR stuff for example), then the DBA must be a trusted individual in the company. The auditor shouldn't care who has access to the data as long as the person having access is in the DBA or HR role. When I managed this type of data, I had a brief session with HR to fully understand my role in protecting the data and the sensitivity of it. Imagine telling someone that they are responsible for guarding what is in a room, but the room is locked and they don't have the key. When someone with a key comes, how do you know what they are taking in and out?