Does the use of the IDENTITY property (as a sort of surrogate "primary key")
automatically cause a database to fail a SOX audit?

Please note that I am NOT asking about the merits of using IDENTITY in this
controversial way NOR am I confusing IDENTITY with a "real" (natural) key.

I am specifically inquiring about the SOX audit perspective on this possible
use of IDENTITY.

Thanks!

As each item can be uniquely identified once created, I see no reason
RowGuids or IDENTITY columns should fail SOX compliance. It simply means the
system created the key, not that the data can be altered, incorrectly
reported, etc.

Show quoteHide quote

SOX is open to interpretation by your auditing firm.  There is no rule
regarding identity or any other technical approach.

In fact, you will not find a specific reference to anything related to
computers or systems other than a statement that your auditors can not also
be responsible for creating and/or maintaining your systems.  Checks and
balances are required to insure your financial data is accurate, but there
are no specific technical requirements.  You just have to prove that you are
able to guarantee (within reason) that your data is accurate.

You can pick up a copy of the SOX act and read it over.  It's a bit long,
but doesn't actually have much to say.  Virtually all of the "rules"
regarding compliance are made up by the auditing firms.  The more
complicated the rules, the longer they spend auditing, and they charge by
the hour.

Good luck with your audits.


Show quoteHide quote

Ever growing transaction log, using simple recovery?
The pains of XML programming
Simple trigger question
BEGIN WHILE EOF
EncryptByCert problem