Pleasing the auditing gods for SOX compliance

Technically a developer doesn't need access to production (or could be demoted to some "view all, readonly" Profile if he has to see some data). You could be packaging up changesets from your sandbox and sending them upstream, and then an authorized admin validates & deploys to test and, later, to production...

Similarly, if you use the Metadata API (Eclipse etc) - you could be publishing zipped files for them and they could use Ant (yeah right) or maybe the Workbench to deploy them. If they're very paranoid they could host a local copy of Workbench.

It is a pain and you need to ask somebody to click the magic link every time you need a sandbox refresh but well, if that's how they want to have it secured...


Re: change tracking.

You can download audit trails.

You can use a version control system (Subversion & Git are best suited for Salesforce in my opinion; Visual Source Safe and IBM ClearCase are worst because they demand explicitly checking out the file(s) before changing and most of the time you don't know what will happen when you hit "refresh from server"... Well, you could lock the whole project down I guess and annoy your fellow devs).

Bear in mind that a class file doesn't say who modified it last. You could use it for change tracking & backups but you still need either the audit trails or periodic querying of tables like ApexPage.

Last but not least, there are a few tools that make periodic snapshots of metadata and push them to another cloud (Heroku, Amazon Web Services etc) - you could use these or quickly whip up something similar with Ant. I've heard some good stuff about "Panaya for Salesforce" (I'm not related to them and I'm not a client). No idea if it's just a searchable backup or whether it can somehow report on who changed what. I somehow doubt it; I don't think the audit trail is exposed in any API so that'd require some screen-scraping.
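
The periodic querying of tables like ApexPage mentioned in the answer above, as an added example that is not part of the original post: it diffs two snapshots of query results to report who last touched which component. It assumes rows shaped like a REST API SOQL query result; the record Ids, names and dates are constructed sample data.

```python
# Added example: change tracking by diffing periodic snapshots of a metadata table.
# SOQL a scheduled job could run per table (ApexClass, ApexPage, ApexTrigger ...).
SOQL = "SELECT Id, Name, LastModifiedBy.Name, LastModifiedDate FROM {table}"


def index(records):
    """Key query rows by record Id."""
    return {r["Id"]: r for r in records}


def diff_snapshots(previous, current):
    """Return (event, name, modified_by, modified_at) tuples between two snapshots."""
    old, new = index(previous), index(current)
    events = []
    for rid, row in new.items():
        who, when = row["LastModifiedBy"]["Name"], row["LastModifiedDate"]
        if rid not in old:
            events.append(("created", row["Name"], who, when))
        elif old[rid]["LastModifiedDate"] != when:
            # Only the last modifier is visible; edits made between two polls
            # by other users are lost, so poll often or keep the audit trail too.
            events.append(("modified", row["Name"], who, when))
    for rid, row in old.items():
        if rid not in new:
            # A deleted row cannot say who removed it; that is audit-trail territory.
            events.append(("deleted", row["Name"], None, None))
    return sorted(events, key=lambda e: (e[1], e[0]))


def row(rid, name, who, when):
    """Build one constructed sample row in the assumed query-result shape."""
    return {"Id": rid, "Name": name,
            "LastModifiedBy": {"Name": who}, "LastModifiedDate": when}


# Constructed snapshots of ApexClass taken on two different days.
PREVIOUS = [
    row("01p000000000001", "InvoiceController", "Dev A", "2024-01-10T09:00:00.000+0000"),
    row("01p000000000002", "LegacyUtil", "Dev A", "2023-11-02T16:45:00.000+0000"),
]
CURRENT = [
    row("01p000000000001", "InvoiceController", "Admin B", "2024-01-12T14:30:00.000+0000"),
    row("01p000000000003", "PaymentService", "Dev A", "2024-01-11T08:15:00.000+0000"),
]

if __name__ == "__main__":
    print(SOQL.format(table="ApexClass"))
    for event in diff_snapshots(PREVIOUS, CURRENT):
        print(event)
```

Storing each snapshot in version control alongside the retrieved source gives the "who" that the class files themselves lack.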