I think SOX has had a negative effect on business in the US, mostly because it has become a scape goat or excuse in many instances.

IT empires with a 1960's mainframe mentality have been built in the name of SOX.

It has been used as an excuse to take away users' ability to create and execute custom queries and against a reporting database on the fly.

The most bizarre extension I've seen of this came when a DBA told me that "We need to take Excel away from all the users because they can manipulate data in it and that violates SOX."

I've researched SOX quite a bit and to me it's concept is very similar to ISO. (1) Do you have set procedures in place to run your organization? (2) Do you follow those procedures?

I don't remember any SOX requirement that ensures that it will be easy to identify violations when the procedures are violated.

In short, it's resulted in a lot of extra work in our organization with no value to the stockholders or public.