Network World
Saturday, November 22, 2008

Community: Security

Interesting article, but some perspective might help...

Some quick background: I'm a Sarbanes-Oxley IT consultant. Although I have worked in Internal Audit, my specialty is working on the management side (non-audit) to help IT departments prepare for their audits.

This article is interesting, but I think one of the main points about Sarbanes-Oxley needs to be fully understood.

That point is, the Sarbanes-Oxley Act is not intended to either punish or benefit corporations. It is intended to ensure that the owners of a corporation - the investors, large, small and minute - are able to trust the company's own assessment of its value. If the company finds some value in process improvement, that's all well and good. But that's not why the Act was passed. To put it straight, if you wish to sell ownership in your company to hundreds, thousands or millions of other people, you have to accept that those owners have every right to know that you are running their company with a "reasonable" degree of control. Just that - "reasonable". Not perfect, incredibly accurate to the nth degree, above any possibility of error - just accurate enough so that your financial statements cannot be off enough to make a significant difference in the value held by those investors.

One other great point was made - that many Sarbanes projects have too much emphasis on controls and not enough on risk assessments. Every company but one that I've assisted has had little to no risk assessment, and as a direct result, their control structure balloons - pardon the pun - out of control. If there's any single part of a Sarbanes-Oxley initiative that can reduce costs across the board in both the short- and long-term, it's having effective risk assessments from which to begin the process.
