Database Internal Security Controls for SOX Law Certification

KD da Silveira, RN Fidalgo
Proceedings of the XIV Brazilian Symposium on Information Systems, 2018 - dl.acm.org
Section 404 of the SOX Act requires companies to certify the effectiveness of their internal control over financial reporting. After investigating this context within the scope of Database Security (DB), it was verified that the related works explore the strategic vision of the internal controls in detail, but neglect their operational and practical aspects. To contribute to solving this problem, this work proposes a guide of operational and technical controls to evaluate the security of the DB according to the SOX Act. As a proof-of-concept, the guide is used to develop the tool SOXSecurity4DB, which was used in a case involving a multinational company in the retail industry.