• Interesting topic:

    Well I have seen enough bashing of Auditors. I am an IT auditor and yes CISA too working on Sarbanes

    Recently we are auditing a client who is running Solomon on SQL Server and other Oracle Database applications.

    I am working with one of the top risk consulting companies. Our interpretation of the Sarbanes Oxley act is for IT - in addition to all other Controls, Segregation of Duties is a key control. That control requires Development and DBA functions be carried out by 2 separate individuals.

    I am not sure if the Keykeeper idea is a good one. However, from a compliance perspective, Database Developers cannot access the production environment. The same applies to SDLC - developers cannot QA and certify their own work.

    That is how Sox compliance mandates and we auditors interpret - The remediation is up to each client and how each company is going to handle it is open.

    Madhav Vedula CISA

    Sr. Internal Auditor