RE: Need advice on SOX compliant policy for access to generic admin accounts.

  • Our IT department is broken up into three groups: Development, Network and SQL Admin.

    The Development Group has no “sa” access to the production servers at all. If a change needs to be made, change control goes into effect. The proper paperwork must be filled out explaining what you are trying to accomplish and why. The change goes to the SQL DBA who uses an assigned login/password for the group to accomplish this.

    We use 5 logins/passwords to do various SQL tasks, one for each level of administration, with only one sa account. We also adopted a tool that will alert us to any changes on the DBs/Network. We opted against building an in-house product for fear that whoever designed it would be gone some day and no one would support it.

    In essence, SOX gives you guidelines to follow; how you work within those guidelines is up to you.

