Skip to content

Personal tools
You are here: Home » Of Interest » Articles of Interest » SOX Requirements for DBAs in Plain English
Who Are You?
I am a:
Mainframe True Believer
Distributed Fast-tracker

[ Results | Polls ]
Votes : 2637

SOX Requirements for DBAs in Plain English

by James McQuade

Sometimes, you felt as if you were going to die. Sometimes, you were ready to kill someone yourself. The auditors made your life painful, and you had to assign more and more resources to address their concerns. And, they exposed problems that were quite embarrassing — simple things, mind you, but oh, how lax some of your control procedures had become.

Well that’s over now. You’ve remedied the problems, and as painful as the audit process was, you know you’re better off for it. A whopping 88 percent of companies believe that Sarbanes-Oxley (SOX) did more than guarantee a clean set of books.1 Adhering to SOX improved business processes and business performance, and involved most of IT in doing so, too. Pivotal to the entire procedure was database change management.

Some Lessons Learned from a SOX Audit

In classic project management as well as other disciplines, it’s common to formally reflect on lessons learned following major efforts like a SOX audit. Yes, it’s important that accounts and privileges be properly maintained. Yes, it’s important that there’s clear separation of duties. That’s the letter of the law. But let’s consider this for a minute — doesn’t good governance really mean that there are commonly accepted policies and procedures for accomplishing specific goals within a scope of authority? Further, doesn’t it mean that compliance can be measured objectively?

So, just where does the “real work” lie in complying with SOX? Those developers and managers queue at your door with the same, or increasing, frequency as they did in the past; are you in a better position to serve them now than you were two years ago? Do you strive to continually improve your internal processes to reduce costs and improve productivity? New and better tools help, but these will never comprise the entire answer. Taking cues from programs like Total Quality Management (TQM)2, and Six Sigma3, real and lasting benefits can come from changing the way you do your work and the effort you put into getting the work that you do right the first time.

SOX, in Plain English

SOX presents a powerful set of easy-to-understand guidelines, rules, and advice that can be realized with the process improvement methodology of your choice. These guidelines express principles that ensure rational, reasonable, and repeatable behavior that minimize scrap and rework. And with that all you have to do, don’t you hate it when you have to redo something?

So, after the agony of an audit, here are the SOX requirements for Database Change Management in plain English:

      • Changes to the database are widely communicated, and their impacts are known beforehand.
      • Installation and maintenance procedure documentation for the DBMS is current.
      • Data structures are defined and built as the designer intended them to be.
      • Data structure changes are thoroughly tested.
      • Users are apprised, and trained if necessary, when database changes imply a change in application behavior.
      • The table and column business definitions are current and widely known.
      • The right people are involved throughout the application development and operational cycles.
      • Any in-house tools are maintained and configured in a disciplined way.
      • Application impacts are known prior to the migration of database changes to production.
      • Performance is maintained at predefined and acceptable levels.
      • The database change request and evaluation system is rational.
      • Turn-around time on database changes is predictable.
      • Any change to the database can be reversed.
      • Database structure documentation is maintained.
      • Database system software documentation is maintained.
      • Migration through development, test, and especially, production environments is rational.
      • Security controls for data access is appropriate and maintained.
      • Database reorganizations are planned to minimize business disruption.

When you undergo your annual audit, it is not likely that you’ll be tested on each of these. The items that auditors actually check show that most, if not all, of the above practices are being addressed at some level. But just because you’re not measured at the process level doesn’t mean that your process is just fine, as is. I’ll bet you have opportunities to take costs out of your unit’s operations and produce a higher quality work product as a result. This is your chance.

A word on change management: Don’t try all of these at once. First, assess your operation. Where are the weak points? Which services take too long and cost too much money? These are the high-impact points. Next, ask, “Which of the control guidelines could be implemented with relatively little cost and effort?” Create a matrix of cost versus impact. Your “low-hanging fruit” jumps right out at you; they’re the changes you can make with low cost and high impact. Do these first to show that a small investment has a remarkable return. Everyone will thank you for it. Now you can begin work on items that might require a little more effort, but may have even bigger payoffs. And you’ll have the undying gratitude of your customers and management, too.

The Truth About SOX

So, now you know the real reasons behind SOX. Nobody wanted to micro-manage you. They wanted assurances that your operation can produce reliable and repeatable results. And even if nobody were really watching, wouldn’t you like to make your job easier? Well-established and tested policies and procedures can do that. (Now, if only I could find that Controls Handbook …)


1DM Review Online, “Hyperion Reports Sarbanes-Oxley Compliance Fueling Improvements in Business Performance.” Oct 3, 2005.

2Crosby, Philip B. Quality is Free: The Art of Making Quality Certain. New York: Penguin Putnam, 1980.

3Brue, Greg. Six Sigma for Managers. New York: McGraw Hill, 2002.

See Also

Institute for IT Governance. COBIT® 4.0, November 2005.


James McQuade is Data Architect for a large regional retail merchandiser and would like to thank Chris Foot, John Saunders, and our internal auditors from Deloitte & Touché for contributing to the intellectual capital of this article.

Contributors : James McQuade
Last modified 2006-08-04 01:30 PM
Transaction Management
Reduce downtime and increase repeat sales by improving end-user experience.
Free White Paper
Database Recovery
Feeling the increased demands on data protection and storage requirements?
Download Free Report!

Powered by Plone