While I see benefits in security and controls inspired by SOX, it doesn't stop fraud instigated by upper management. All that is needed is a little collusion and its done.

I also dread the auditor visits and the long drawn out discussions of why a particular system has requirements that don't fall into their cookie cutter world. We just had this conversation last year. Didn't you take notes or document anything? Let me help, I'll forward you the email I sent last year (and probably the year before) explaining this.

I've got no problem with the additional work, separation of duties analysis for new processes, etc. I just dread those six words... "The auditors are coming next week." 😛

M