A lot’s going on in the Sarbanes-Oxley thread from last week (well, a lot for this blog at least). So let’s keep the momentum going.

Adding in my own biases, there are two messages that emerge. The first is that complying with Sarbox is not a one-time event but an ongoing process. Sure, you need to be compliant this year and you will have an audit to determine if you are. But you also have to be compliant again next year, and the year after that, and so on. If you are dependent on a team of consultants to validate controls this year and you don’t change anything, you will be dependent on a team of consultants again next year. And if you haven’t been able to work on the projects that you really want to be doing (as opposed to the Sarbox-related projects you probably are working on) then that is what you will be doing again next year. Hence, figuring out a way to simplify the audit process for next year should be your first priority.

The second message is that companies should stop thinking about the process as Sarbox compliance, but more generally as compliance. The point here is that in the big picture Sarbox is just one of several regulations that your company will need to comply with, be it OSHA, HIPAA, or something that hasn’t even been thought of yet. I don’t think that matters too much in and of itself, but it adds weight to the argument I’m about to present.

One reason that companies have been slow to turn to IT for solving Sarbox is that while they have to comply, there is no real incentive for doing so other than avoiding the fines/jail/embarrassment of not complying – the law sets minimum control levels but doesn’t reward companies that exceed these. So there is no ROI for automating a manual process that is compliant. Unless you think outside the Sarbox, so to speak (sorry, it’s terrible, but I couldn’t resist).
The processes that you automate to increase the level of control will presumably make the business more efficient, by replacing a more time-consuming or more expensive manual process. This is where the ROI comes in, with the secondary argument that the improved controls make complying with future regulation easier.

So in answer to the timeline question that someone posted, I would guess that 2005 will be the year that CIOs concentrate on simplifying the audit as much as possible, and that 2006 and 2007 will be the years when everyone automates processes. Does that sound about right to all of you?