There are a variety of products that purport to help automate SOX compliance, largely via a combination of scan data analytics from a vulnerability analysis product, like those made by Qualys Inc. or Sourcefire Inc., and checklists of controls that are part of the standard COBIT framework.
I haven't done a detailed analysis of this space, but I highly suspect there is nothing in these products that can't be done equally well, if not better, by a good project manager, a good security manager and a spreadsheet program. Essentially, what is needed is someone who understands the technology and how it's deployed (a security manager), someone to track objectives and help interface with other groups when necessary (a project manager) and some software to track the goals and objectives (a spreadsheet). Like many things in the IT world, measuring compliance is a pretty basic task, though the actual details can get complicated.
The value of commercial compliance products really comes in if the company doesn't have the resources or time for a project manager or doesn't have a lot of in-house experience when it comes to dealing with audits and auditors. In that case, especially when using a product the auditors are familiar with, software like this may save some time during an audit.
For more information:
This was first published in November 2009