The sad thing about SOX (and I railed so much about it in 2006 and 2007) was it often was more as a reason to say no to many innovations - largely because auditors did not understand the proposals or it was outside their comfort zone. In the meantime, investments in SOX related controls and technology were pushed through with little consideration of ROI. So, compliance spend crowded out money that could have gone towards innovation. So, a double whammy...
Over the weekend I had a conversation with Dennis Howlett and Francine McKenna about whether auditors are keeping up newer issues coming up with SaaS and cloud computing - are the SAS 70 audits keeping up with unique multi-tenancy, virtualization, shared across customer asset issues? The initial answer that Francine summarizes here is - not really.
I sure hope we don't end up with a scenario where the auditors end up being the obstacle to adoption of SaaS and cloud computing because they don't understand them well enough. And worse, they come up the next-gen SOX which threatens to crowd out these newer waves of innovations...
That shouldn't be a problem at all - just get a well-defined scope for your SAS-70 audit work.
Of course a shoddy SAS-70 may be as bad as not having one at all - but no one sad it has to BE shoddy.
Push on with the innovations, there'll be SOME way of auditing the controls. :)
Posted by: Krupo | July 12, 2008 at 05:26 PM