As the DBA for revenue-generating applications, I am frequently invited by my CIO to meetings with Sarbanes-Oxley auditors to discuss the security and integrity of corporate data. In a nutshell, we're expected to answer any number of questions, via appropriate documentation, about who has access to our data, how access is granted, and how we are monitoring to prevent someone from sneaking in, logging on, and doing something they shouldn't be doing.
My CIO and I have looked at a number of commercial solutions for documenting Sarbanes-Oxley compliance. However, we decided to use SQL Server 2005's built-in tools to create our own "home-grown" auditing system.
The article continues at