I.T. Governance: Overcoming the Triple Threat - 'Keeping Job Functions Separate' (Page 3 of 4)
NO. 2 CHALLENGE: KEEPING JOB FUNCTIONS SEPARATE
Company: Blackboard
Business: A $135.7 million maker of online education software
Regulation: Sarbanes-Oxley and PCI
Software solution: Tripwire Enterprise, from Tripwire, Portland, Ore.
For all the protections against fraud that Sarbanes-Oxley creates, the law is vague on the details of how companies should comply. One of the murkier areas is within the information-technology departments of smaller companies, according to Robert Mosely, a director at The Hackett Group, because employees there may do several jobs whose roles conflict.
Under Sarbanes-Oxley, for example, the person who develops code should not be the same person who submits it to production, even if that person is both a developer and an administrator of an information-technology system and can do both jobs. The law requires segregation of duties: the person who submits a bill can't be the same person who writes the company check to cover it, and so on.
Blackboard, a developer of online education software, monitors the roles of its employees with software from Tripwire called Tripwire Enterprise. The Web-based software captures a baseline of server and desktop file systems, database structures, directory servers and network device configurations, and compares changes against that baseline. It can work remotely or through agents that customers install locally on devices they want monitored. Prices vary. Competitors are numerous and include IBM, Hewlett-Packard, BMC Software and open-source vendors, according to the company and developers.
John Lambeth, Blackboard's senior vice president of information technology, says that when the business side wants code, employees submit an electronic request, which must be approved by the business owner, to Tripwire. The request triggers an alert, which creates a ticket in Blackboard's ticketing system describing the order. Auditors must be able to reconcile that ticket with a second ticket, which is created when a technician sends the code into production. It functions as a Sarbanes-Oxley control, showing that the change was requested and was not carried out by the requestor. Any changes to the database are handled in the same way.
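The two-ticket reconciliation Lambeth describes, as an added Python example that is not Blackboard's or Tripwire's code: over constructed request and production-change tickets (field names and ticket format are assumptions), it flags changes with no matching request, changes whose request was never approved by the business owner, and changes deployed by the same person who requested them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RequestTicket:          # business-side change request (fields assumed)
    ticket_id: str
    change_id: str
    requestor: str
    approved_by: Optional[str]  # business owner who approved; None if not yet

@dataclass(frozen=True)
class ChangeTicket:           # raised when a technician pushes to production
    ticket_id: str
    change_id: str
    implemented_by: str

def reconcile(requests: List[RequestTicket],
              changes: List[ChangeTicket]) -> List[Tuple[str, str]]:
    """Return (production ticket id, finding) pairs an auditor would flag:
    a change must map to exactly one approved request, and the requestor
    must not be the person who deployed it (segregation of duties)."""
    by_change: Dict[str, List[RequestTicket]] = {}
    for req in requests:
        by_change.setdefault(req.change_id, []).append(req)
    findings: List[Tuple[str, str]] = []
    for chg in changes:
        matches = by_change.get(chg.change_id, [])
        if not matches:
            findings.append((chg.ticket_id, "no request ticket for this change"))
            continue
        if len(matches) > 1:
            findings.append((chg.ticket_id, "ambiguous: several request tickets"))
            continue
        req = matches[0]
        if req.approved_by is None:
            findings.append((chg.ticket_id, "request was never approved"))
        if req.requestor == chg.implemented_by:
            findings.append((chg.ticket_id, f"SoD violation: {req.requestor} requested and deployed"))
    return findings

SAMPLE_REQUESTS = [  # constructed sample tickets, not real data
    RequestTicket("REQ-1", "CHG-100", "dev.alice", "owner.bob"),
    RequestTicket("REQ-2", "CHG-101", "dev.carol", None),
    RequestTicket("REQ-3", "CHG-102", "dev.dan", "owner.bob"),
]
SAMPLE_CHANGES = [
    ChangeTicket("PRD-10", "CHG-100", "ops.erin"),  # clean: alice requested, erin deployed
    ChangeTicket("PRD-11", "CHG-101", "ops.erin"),  # request never approved
    ChangeTicket("PRD-12", "CHG-102", "dev.dan"),   # dan requested and deployed
    ChangeTicket("PRD-13", "CHG-999", "ops.erin"),  # no request ticket at all
]
```

Running `reconcile(SAMPLE_REQUESTS, SAMPLE_CHANGES)` leaves PRD-10 unflagged and produces one finding for each of the other three tickets.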
Blackboard also has to comply with Payment Card Industry regulations, since the company processes transactions for students who buy merchandise with student IDs; Tripwire helps with that as well. PCI secures and restricts access to credit card data, so Blackboard's development staff is only allowed access to places where Tripwire can monitor what they're doing.
"We've locked down our environment," Lambeth says. "We've made it very difficult for a network or development engineer to change a system or router or firewall setting without triggering an alert that they'd have responsibility to close."
Another trick in complying with Sarbanes-Oxley is to figure out which controls are relevant to the law and which are relevant to your business (Hint: They are not always the same). Blackboard is one of the few companies that use COBIT, the controls framework published by the IT Governance Institute, to figure this out. Fewer than half of the companies surveyed by Gartner use COBIT.
An example of a control that is not relevant to Sarbanes-Oxley is a corporate online travel service, Lambeth says. It may generate expenses and get reflected in the company's results, but it does not play a direct role in the creation of the company's financial statements. So, why bother to test a control for it?