Worth repeating!
You should go into the SOX compliance business. Maybe you could inject a bit of sanity into the whole mess.
The secret lies in the magic words. They render the SOX auditor totally helpless and quivering. They are the words of power. They are so powerful that their use is possibly in contravention of the Geneva Convention. Yes, they are that good. If I tell you these words, you must promise to only use this power for good.
The words are: "Not in scope."
SOX auditors do not know how to deal with this, and they will run from you screaming like schoolgirls.
Used in a sentence, it would be something like: "Management has determined that this application is not in scope."
Then [poof] the SOX people shrivel away like the wicked witch of the west.
Companies forget that *they* have the ability to decide what parts of their own systems are "in scope" or "out of scope" with regard to SOX compliance. Many companies are so cowed by the process they let many systems fall into scope that really, seriously, could be easily defined as "out of scope".
This is all spelled out in the original "scoping document". We managed to define our scope *very* narrowly, and this saved us untold grief by giving us the ability to tell the auditors that such-and-such application was "out of scope" and therefore was not subject to SOX.
Most companies, I think, don't realize how much they can narrow the scope of SOX compliance. Just because a system is "important" to the operation of a bidness doesn't mean it is relevant to the data integrity of *financial statements*, which is really the core scope of SOX.