Barkingdog - Wednesday, October 18, 2017 8:42 PM
It's going to be different for everyone depending on the company, available resources, etc.
Most places I've been at use some type of change control processes and some kind of ticketing software and we would rely on those for a lot of the auditing documentation.
We never made any changes in production without the tickets and having everything go through change control. That can be the documentation. If the DBA implementing the changes has to sign off on the ticket indicated what work was done, when it was completed, etc then that can be the proof of this getting done. If SQL Server users needed to be added or deleted, it went through the change control process, ticketing system. Password changes for the service accounts went through the same thing. If someone needed access to some more secure database for some business reason, that was all done through that process - when the elevation was enabled, how it was monitored and when it was disabled. You can get a pretty good set of documentation for audits by using those types of programs, processes.
Sue