Is logging database transactions a SOX requirement?

  • Audit is telling us we need to log all database activity, which includes user access (success and failed) and transactions (select, insert, update and delete).
    I would like to know if this is a SOX requirement and if so, can someone point me to where in the legislation this is stated? I can understand logging access attempts, but complete transactions sounds like overkill.
    Thanks, Dave

  • I’ve heard this once before. SOX does not require that, but apparently your controls do. SOX just requires you to define your controls and stick to them. The only real way that it could be considered a requirement is if your controls specify that you maintain such transactions.

  • It’s good practice to log these sort of things, although it’s only a control if you review the logs.
    The extent of logging will vary from company to company, really each company needs to come up with a standard that works for its own purposes.

  • I can buy the user activity logs, but I don’t see any practical use specific to SOX for logging actual transactions.

  • We don’t have any policy at our company indicating that we maintain such logs. The external auditors are telling us we need this for SOX compliance. From what you all are saying this is not the case.
    I can’t imagine trying to monitor transactions. How can anyone tell if an update statement that affected 100,204 records should have only affected 97,588 records, or, if we have 10,000 online transactions per day, how to monitor all 10,000 transactions to determine if even 1 transaction is incorrect by negligence, programming error or malicious intent?

  • You got it. It’s not practical. There are lots of cases where the auditors are pulling shenanigans like this. There was an AeA/SEC conference this past Tuesday and Wednesday and this came out as a big issue. Our lead auditor was on the AeA panel providing recommendations, and we were not treated all that bad.
    It’s a touchy subject, but I would have to gently push back on this, and ask where the requirement is coming from. They are supposed to be validating the controls you have in place, not imposing onerous controls that are really not practical to meet.
    I would definitely start involving your larger SOX team to deal with the issue with your auditor. I’m guessing this isn’t the only crazy thing they’ve asked you to do?

  • They’ve also asked for blood samples and the first born child of every database administrator and developer, but I find the transactional logging part more disturbing.
    Thanks for the feedback, Dave
