Just gotta rant for a second. (I know it's hard to believe.) There are only a few approved SOX auditing companies out there currently. The law is so broad in scope, yet undefined, that auditing companies really have no idea what they are auditing for. We have internal auditors talking to D&T, and one of the biggest problems we face is the vagueness of responses received back. None of the auditors really agree with each other on what needs to be done. Passing and/or failing an audit will not be determined by the security of the company's data. It will be determined by your auditors' interpretation of their auditing company's interpretation of a law the courts haven't yet interpreted.
That should give anyone truly concerned about productive process and data security a really bad headache!
Long live stupid laws......job security for IT people that couldn't keep a real job.
Why do all these SOX auditing companies have IT consulting divisions???? HMMMMMMMMM