Wednesday, March 09, 2005

whither SOX?

It's a strange time to be in the Sarbanes-Oxley compliance world. At the same time that trials and scandals are unfolding, governmental agencies are making off-the-record calls to dismantle the legislation.

While it's clear that SOX would assuredly not have prevented WorldCom or Enron, the most direct benefit of Sarbanes compliance is that it minimizes the shameful practice of chief executives dodging accountability.

But more important than mere schadenfreude, SOX presents a great opportunity for corporations to get their internal house in order. It's notoriously difficult to prove the ROI on IT infrastructure projects, and frankly, logical security is just not sexy. A company that takes an opportunistic look at internal controls will realize that the COBIT Framework and other best practices can use the compliance crowbar to significantly increase efficiency and security within its organization. Such a holistic approach, when brought against solid measurement criteria, can make huge strides in customer responsiveness and increased maturity.

One concern, which I haven't seen addressed so far, is the security risk inherent in assembling documentation to provide evidence for auditors, but I'll leave that for a future post.

1 Comment:

Blogger anna said...

I like the cliffhanger. But how do you feel haha. My database server just crashed because one of my raid arrays is down. Sox that, baby.

4:46 PM

 
