In the early days of SOX implementation, Dresdner Kleinwort (subsequently to become part of the investment banking arm of Commerzbank) focused on ensuring that they met minimum requirements. Although this was successful, it was not without challenge.
Maintaining SOX control documentation and monitoring controls was manual, inefficient and lacked organisation. Data became de-centralised and fragmented in spreadsheets, documents, databases, emails and SharePoint sites, with large amounts of evidence kept in hard copy. This made reporting difficult and analysis near impossible.
In addition, external auditors were starting to identify issues, mainly because control owners had insufficient evidence that the control had been properly performed and signed-off in a timely manner.