This is interesting. Another case of corporate fraud under the title of "What Sarbanes-Oxley Won't Do". Apparently someone got loans, blah, blah, fraud, blah, blah, etc. You get the idea and I'm tired of having to hear and write about it.
But since S-O affects most IT groups and many of us are dealing with it, it's worth talking about and writing about. S-O has required more documentation, processes, and accountability for how corporations deal with their financial data. It is intended to prevent another Enron- or MCI-like occurrence by making high-level executives accountable for the company's actions.
But it doesn't prevent fraud. It doesn't prevent dishonesty, and it certainly doesn't guarantee that your investment is safe in some company. It should make it easier to send people to jail, but even that hasn't been shown to be the case yet.
It does, however, make a lot of work for many companies. I was talking with a professional services company recently and they said that many of their clients, public and private, are trying to adhere to S-O because public companies have to, but private ones are either looking for an IPO or to be bought by a larger company, and S-O compliance is often part of the due diligence they'd need.
If you're an ISO company, you probably can use one set of docs for both certifications, although you'll need to dive deeper in certain areas for each one. That's the good thing since we know how much you IT folks love documenting your processes, procedures, and environments.
I'm just happy to say that SQLServerCentral.com is not complying and I, for one, am thrilled :)