Audits in general arouse wild conjectures. This is especially true of personal visits from an auditor, which may be critical to your career. Nobody likes to make mistakes. Everyone tries to avoid scrutiny. But an audit cannot be ignored. Although audits may seem tedious, everyone involved should realize the tremendous benefits that ensue. For example, crucial improvements previously deferred by management may be easily elevated to the “Top 10” project list. Furthermore, the new improvements let you enjoy the benefits of far fewer errors and mistakes. Although it may be hard to believe, there is a return on investment for SOX, ISO, PCI, etc.
What real changes do SOX & Co. represent? To begin with, all fancy policies and regulations are now proactively executed, not just talked about, and will be checked at the end of the year or later. Second, this new, hard reality will make a company’s method of becoming compliant significantly more objective and simpler. You no longer need to pay licensing fees for a product your auditor prefers. Instead, you can freely act based on the proven effectiveness of your controls. The rules of the game are quite simple: you can choose either a home-made or a vendor solution, provided its effectiveness has been confirmed and is valid in the long run. In the end, the auditor’s primary satisfaction results from the proven effectiveness and real application of all your controls, not from the product names in your software portfolio.