Comment Fixing SOX404 (Score 1) 368
I don't know how many of the people posting about Sarbanes in this thread have actually had to do implementation work in their companies because of it, but I can tell you as someone who has done extensive work on it that it's a way over the top for businesses without huge amounts of resources; that doesn't mean we should scrap it altogether. I've had to do work on change management, privilege separation, accounting, and data reconciliation to support S-O; it's extremely painful. The requirements are probably fine for companies with many hundreds to thousands of employees, but for ones that are 200, 100, or less, it should be seriously scaled down. There should be several levels. Something like:
S-O Max (5000+ employees)
S-O Large (1000-4999 employees)
S-O Medium (500-999 employees)
S-O Small (100-499 employees)
S-O Mini (99 or less)
Each one would have progressively more requirements. For example, at S-O Mini and Small, you'd have much more lax privilege separation requirements (sometimes the DBA is also the Systems Admin) but at S-O Large and Medium, you'd have to have a separate DBA, Assistant DBA, DB Backup operator, Systems Admin, and System Accounting people. The idea of S-O is good, and it seems fairly well thought out if you've read the documentation surrounding it and some of the checklists; the current blanket approach, however, is far too onerous.