• hisakimatama (3/20/2014)


    Unfortunately, despite this vendor being contracted by the regulatory agency here, they've been operating for about 8 years without the slightest mishap in terms of inspection. How this happens is beyond me. Demanding that this sort of data be so heavily protected while you contract out to a company that doesn't even try is mind-boggling.

    I have been around more than one audit. Most of them, including the IT auditor, would be baffled by seeing the statement `SELECT * FROM TransTbl WHERE EntryDt > DateAdd('y',-1,GetDate())`.

    They generally just put into the IT "do you have the rules written down?" and "can you give me the Excel SS of these 50 accounts or these reports?" So once the SW is "certified" they just accept the certificate, and don't look in the background.

    But I've done enough of this stuff over the years that I don't do stuff that is at risk of security without something written down. I also make sure that if there is a financial change I have it written down before I do it.

    My current company has to observe the HIPAA and PIPEDA (CDN HIPAA) regs. They have a security department that if you forward onto them the request -- and they approve it -- you are legally off the hook for anything. I like that.



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.