A recent poster mentioned having to trust somebody sometime and I largely agree, but the compliance (internal controls, whatever) group doesn't need high level access, they need to be able to check logs and to see if internal controls are being followed, but that doesn't translate into high level access, maybe for the tools but not necessarily for the people themselves.

In many cases I wouldn't trust the compliance people with high level access, the reason? They often don't have strong knowledge of the software, they are usually "process" people they know more about security and process than SQL Server or Windows. But then again that is my experience, mileage may vary..

CEWII