Microsoft SQL Server 2016 Audit/Assurance Program 

With GDPR and data privacy initiatives currently the focus of many enterprises, now might be a good time to take a new look at existing opportunities to incorporate features that protect sensitive and confidential data. In Microsoft SQL Server 2016, Dynamic Data Masking is an example of one of these opportunities: it is a helpful security feature in customer service arenas where customer service representatives need access to some data, but not to all of the data.
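As an added illustration of the Dynamic Data Masking scenario described above (not part of the ISACA audit program itself), the T-SQL below defines masked columns on a constructed customer table, shows what a service-desk user without the UNMASK permission sees, and ends with two queries an auditor can run to enumerate masked columns and UNMASK grantees. The table, user and sample rows are assumptions made for the example.

```sql
-- Constructed sample table: mask the columns a service-desk user should not see in full.
CREATE TABLE dbo.Customer (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NULL,
    Phone       VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,
    CreditLimit MONEY         MASKED WITH (FUNCTION = 'default()') NULL
);

INSERT INTO dbo.Customer (FullName, Email, Phone, CreditLimit) VALUES
    (N'Ada Example',  N'ada@example.com',  '555-123-9876', 12000),
    (N'Bert Example', N'bert@example.com', '555-987-1234',  4500);

-- Hypothetical service-desk principal: SELECT only, no UNMASK.
CREATE USER ServiceDeskRep WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO ServiceDeskRep;

-- Impersonate the rep: Email shows as aXXX@XXXX.com, Phone as XXX-XXX-9876,
-- CreditLimit as 0. The data on disk is unchanged; only the result set is masked.
EXECUTE AS USER = 'ServiceDeskRep';
SELECT CustomerId, FullName, Email, Phone, CreditLimit FROM dbo.Customer;

-- Caveat for the auditor: masking is applied to output, not to predicates.
-- A rep can still narrow rows by filtering on the real value, so DDM is an
-- access-reduction control, not a substitute for encryption or row filtering.
SELECT CustomerId FROM dbo.Customer WHERE CreditLimit > 10000;
REVERT;

-- Audit step 1: inventory every masked column and its masking function.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Audit step 2: list principals holding UNMASK, which bypasses every mask in the database.
SELECT dp.name AS principal_name, dp.type_desc, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'UNMASK';
```

Members of db_owner and sysadmin also see unmasked data, so the second query should be read alongside the usual review of those roles.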

Restricted views of data can facilitate compliance with external requirements and also play a role in bolstering customers’ confidence in how their data is handled. In its Microsoft SQL Server 2016 Audit/Assurance Program, ISACA has addressed SQL security and included the following audit objectives.

Audit Objectives: The primary purpose of this audit program is to assist IT auditors in their assessments of deployments of Microsoft SQL Server 2016. Accordingly, this audit program takes into consideration assurance that:

  • Access is limited, under the principle of least privilege, to those who require it to perform their position responsibilities.
  • Remote access and emergency access supporting business objectives are monitored.
  • Any risk associated with use of third-party service providers is identified and mitigated.
  • Data confidentiality, integrity and availability are not compromised whether the SQL environment is physical or virtual.

As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.