If I set up a separate schema, wouldn't the SysAdmin have access to it? Couldn't he put himself in the group the schema is restricted to?
Also, the "remote" database wouldn't have to be on a flash drive. It just occurred to me that it could reside on the payroll operator's local drive. When he starts to process executive payroll, the Front End could dynamically link to the tables in the database on his local drive, giving the linked tables the name for programs are looking for.
Does this alter your previous response?
Yes & no. The biggest issue for me is that a removable device or a remote system are going to be very, very easy to corrupt. If you don't do a proper shutdown and yank the removeable disk or turn off or disconnect or even sleep, the remote system, BOOM! You're suddenly not looking at carefully secured data, but at a corrupted database that is offline with inaccessible data. Which, brings up backups. How are you managing those? Are they encrypted and locked away from the sysadmin?
Generally, most companies recognize the fact that certain people are going to be able to hack into the systems if they choose to. You make it somewhat difficult for them to do it and you set up auditing, and then you go with the fact that these people have been hired into positions of responsibility as professionals and will be expected to behave as such or could face firing and even prosecution. Pretty standard stuff. Most legal auditing requirements that I've seen don't require you to prevent all access, but rather have a mechanism or restricting it (restricting) and auditing it. Keep the list of who can have access very small, maintain that list, know who can do it, know who has done it.