CRC values of the database schema can only tell you whether the schema has been changed. Unless you have an authentication and authorization setup that holds water, and an audit trail that is tamper-proof, you might not pass a SOX-relevant audit or another audit by regulators, or by the consultants who audit your company on their behalf.
Usually auditors want to see:
- How users are authenticated. If they are not strongly authenticated, what the password rules are, how often users need to change their password, and how all this is enforced.
- An authorization concept:
  - How the system gives access to users with business rights (via the application), and how these privileges are granted and revoked.
  - How the system gives access to users with platform rights (which are usually required to do support or perform DBA tasks):
    - Direct access to the database with a tool that lets you query/change the database while circumventing the application business logic, for example something like Toad or SQuirreL.
    - Direct access to the operating system.
- Possibly segregation of duties: developers are only allowed to access production systems for incident and problem management and may not hold permanent access rights. How is such a process set up, and what are the escalation procedures?
- An audit trail that cannot be tampered with and which provides information on who did what, when, and probably why.
Those are some of the questions from the last time the "information system" I am responsible for was audited. You can bet your a** the auditors will come up with something new the next time they show up.
But it does not make sense to be afraid of auditors. Usually when they audit something technical, it is to provide sufficient evidence to their colleagues who are auditing the business processes that the facts and figures processed by the supporting information systems are correct, so that, for example, a financial statement produced by an IT system is correct. I never looked at them as my enemies and tried to have an open conversation with them. If you approach an audit this way it might be a win-win situation. They will get the evidence they need, and you might learn something about threats to your application that you had not thought of.
Heavy Regards, RealHeavyDude.