WebApp Sec mailing list archives

SAS 70 and software policies


From: "James Strassburg" <JStrassburg () directs com>
Date: Fri, 30 Sep 2005 09:45:24 -0500

My organization is currently preparing for a SAS 70 audit.  We started
writing web application security standards a while ago.  That got
extended to a software engineering security policy and that got extended
to a full software engineering policy covering our entire SDLC.  My
question is not about web app sec, however, but rather user-developed
macros.  Should user (and by user I mean non-software developer)
developed macros be subject to the same software lifecycle that our
production apps would?  If not, what about if the macros hit production
databases or other production network resources?

This is the best channel I can think of for this question, so I apologize
if it is inappropriate.  If anyone knows of a better channel, please let
me know.  Thanks.

James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.

