Sarbanes-Oxley

I spent three years as a Certified Information Systems Auditor doing Sarbanes-Oxley auditing. Everyone in IT has their own opinion of SOX, so here is mine: Every single thing required by SOX was already required by some other regulation or law. As I audited companies, I kept notes and put together what I think is the most concise list of SOX control objectives and activities I've seen. If you agree or disagree, I'd like to hear why.

SOX Control Objectives

SOX Control Activities

~~~~~

 Here are some of my favorite auditing stories:

The $1.4 million dollar DBA

How not to audit in Saudi Arabia

It all ends at the loading dock

~~~~~