For several years now, SOX (the Sarbanes-Oxley Act of 2002) has pushed IT to work with financial and operational auditors to ensure that the technical implementations of security and privacy controls actually do what is intended. With that assurance in hand, the officers of public companies can sign their SOX attestations without nightmares of Enron-style federal vacation packages.
Most public companies have found their way to SOX compliance in one way or another, and the result is that another Enron-scale collapse of a public company is less likely, at least in the near term. But the ends do not provide a solid defence for confused and incomprehensible means, nor a justification for auditors and consultants drawing the process out for their own gain.
If one looks back a few years, Boeing seemed to understand the compliance process, and had it sufficiently under control to talk about process improvement in the same breath. Boeing's Controller, Harry McGee said: "Beyond the strict regulatory requirements, by reviewing and testing our internal financial controls we are planting seeds for continuous process improvement and helping change the way Boeing does business in the future."
Why, then, is Boeing now being held up for ridicule in the press? Had it gone the route of most companies - engaging a single audit firm to work with the financial and IT control owners - it might have gotten consistent audit results. Wildly subjective results, if experience is any reasonable sample, but consistent from year to year and solid-looking.
But Boeing engaged several audit teams and consultants, and the inconsistent results warranted more investigation than most organisations subject themselves to. By being more diligent, Boeing discovered things about itself that most public organisations gloss over.
The intent behind SOX is to prevent or expose corrupt practices. The Act itself says nothing specific about information systems; the sections that get applied to IT (chiefly Section 404's requirement that management assess its internal control over financial reporting) are commonly interpreted as deliberately flexible, so that they can keep pace with technology.
Dennis Brewer from SearchSecurity.com says: "The Sarbanes-Oxley Act's call for 'adequate internal controls over financial reporting' is vague, and for good reason. By withholding prescriptive details, the regulators created a moving target that allows compliance requirements to increase with advances in technology."
Nice theory, but it doesn't work out in practice. From the standpoint of preventing corrupt practices, SOX has been a moderate success. But look instead at the consulting dollars spent and the functional disarray that many SOX audits leave in their wake. When one year's financial and IT control audit begins to blend into the next (and the next), demanding a level of record-keeping and analysis that exceeds the effort spent on core business practices, the reality is sobering.
In that light, SOX begins to look more like a quagmire for the incompetent and a contrivance for a highly lucrative audit and consulting business. In retrospect, McGee's seeds of continuous process improvement look hopelessly optimistic and naive.