About two months ago I started a series on Sarbanes-Oxley compliance with Team Foundation Server. After publishing Part 2, I learned that Microsoft was in the process of putting together their own take on the subject, and I thought I would hold off until the release.
That paper has now been released. You can get it here.
All in all, I feel there are several SOX 404 issues relevant to a regulated organization that the paper does not discuss, or discusses only briefly. One of these topics is separation of duties. That said, I also realize that I was approaching Sarbanes-Oxley compliance from a very narrow perspective.
I used to work for a financial services software company. In that environment, every line of code that went into the software was governed by Sarbanes-Oxley (among other regulations), and therefore had to comply with all aspects of SOX. The Microsoft paper takes a more general approach than that.
But overall I feel Microsoft did a good job putting it together. What do you think? Did it cover all your issues?