Why is SOX your friend during an assessment? For the same reason as every established set of rules or requirements — it leaves as little space for interpretation as possible and gives an assessor a foundation on which they can rely. Of course, such a strict set of guidelines cuts both ways, just like every checklist. But what it can do for you is turn your trouble gathering information into the business owner’s trouble providing it.
It simply serves as an excellent excuse for insisting on being provided with concrete evidence that appropriate security controls are in place. And evidence in this case really means evidence: an admin saying “It’s there man. For real. Got my word for that” is not enough, no matter how much you happen to like him and believe his words. It’s official, everybody knows that, and there is no room for discussion — either the evidence is provided or the SOX gap is reported.
And it is obviously in the best interest of a Business Owner to have as few SOX gaps as possible.