As someone mired in the opening stages of a comprehensive SarbOx-compliance audit,* I suspect that “plain English” is anathema to the whole concept of the thing. It was supposedly designed as a response to the crappy auditing that allowed Enron & Pals to get away with financial murder, but in reality it turns out to be a sop to those same auditing firms to let them charge ever more outrageous fees for longer and longer audits that bear less and less reality to the day-to-day requirements of running a business. </grouchy>
Anyway, the issue you mention, “surreptitious modification of data by authorized users,” is one of our biggest headaches right now. We’ve been pushing back really hard on the auditors, under the philosophy of, “Hey, at some point in the chain of authority somebody has to be trusted to hold the master keyring,” but we’re not getting a lot of traction. So I feel for you.
*And won’t it be fun a hundred years from now when people on the SDMB Mark 42 are asking, “What’s the etymology of this word ‘sarbox’ that means ‘getting raked over the coals by relative know-nothings’?”