Interesting topic:
Well, I have seen enough bashing of auditors. I am an IT auditor, and yes, a CISA too, working on Sarbanes.
Recently we have been auditing a client who is running Solomon on SQL Server and other Oracle database applications.
I am working with one of the top risk consulting companies. Our interpretation of the Sarbanes-Oxley Act for IT is that, in addition to all other controls, segregation of duties is a key control. That control requires that development and DBA functions be carried out by two separate individuals.
I am not sure if the Keykeeper idea is a good one. However, from a compliance perspective, database developers cannot access the production environment. The same applies to the SDLC: developers cannot QA and certify their own work.
That is what SOX compliance mandates and how we auditors interpret it. The remediation is up to each client, and how each company is going to handle it is open.
Madhav Vedula CISA
Sr. Internal Auditor