Sure can do so. It all depends on what a company can get away with.
If the database is ms sql it is possible to fails on SOX as long as the auditor knows what they are asking for and what the answer supposed to be. Many of them actually do not :). Is it a good thing or a bad thing - depends on who is talking.
And anyways as long as it's shown that the progress is being made (how fast - nobody asks, can put budget depending things etc... many ways to delay the fix and put it on more comfortable schedule) etc all comes to negotiations what is called what.
Beware of a DBA as your auditor. that is a trouble;)
I mean it is very easy to make a legitimate case, ask several simple questions like so:
let's imagine there is a database 'finance'.
If I would audit I'd ask for
- list members of sysadmin, dbo, data reader, data writer, ddl admin, security admin on the server and database level to begin with.
- list all the users and non system groups in 'finance', if there are AD groups, include all the members and through which groups do they become the members of the groups in question with SID's
- list of privileges for each user and each group in finance
- list of privileges of public group
- if there are database logins and it is sql server 2000 I'd ask to provide network trace of the login operation (and see if there is an ssl certificate in place) and ask how many ws's that access 'finance' database with the accounts listed as database logins do not have the certificates. if they chhose to encrypt all traffic - their business
- for each user listed there would be a question - how often do they change passwords
- how many users know database login password for each of the logins
- if there is discovered something like buildinadmins with sa rights , then questions like how exactly system administration job requires access to 'finance' database will be asked
- can ask to show a confirmation that only modifications that are made to the finance database are coming from particular legitimate application and how exactly any other modifications from something like query analyzer are rejected/controlled etc...
- and so on we go... limit is - your imagination, no limits that is 🙂
it is not about that ms sql is bad or impossible to lock down by any means, any commercial database has problems or can be set up the way to cause problems. it is all about who finds it first and what to do next