Think complying with Sarbanes-Oxley (SOX) will be easy? Think again. A user preparing for a SOX audit (who for obvious reasons requested anonymity) reports that complying with the regulation is a time-consuming, thankless task.
"This has been an unbelievably frustrating ride," he says. "We're making everything up as we go along, because there's no template to follow." Auditors are no help. "They tell us, 'We'll know it when we see it.' It's like trying to please the king."
The work itself, providing proof and documentation of compliance, is time-consuming "administrivia." "I'd much rather be running storage infrastructure; it's a lot more fun."
Forget about hiring consultants. Even if you can find one, "the big accounting companies are feeling their way around in the dark just like everyone else. A lot of my colleagues have hired consultants, but they're no further along than us."
What happens if you get it wrong? If the audit uncovers a material weakness, you must print a notice in the annual report--no one wants that. Furthermore, "if you're going to tell your CIO that it's OK to sign off on the IT portion of Sarbanes-Oxley, it'd better be right. If you fail, you pay with your job."