"Just because it is now possible to automate some of your controls does not mean you can do it right across all systems and all projects," said Menzies.
"You have to be careful which set of controls you select for automation. Sarbanes-Oxley is still a general business project. You have to have humans involved. Anything you automate, you have to make sure it does not take off and have a life of its own."
However, software tools can help the IT department demonstrate that compliance is not simply an IT issue, said Butler Group research director Tim Jennings.
"Too much of the onus is still put on the IT director to take responsibility for compliance. It is a nigh on impossible job. If it does not work, the IT director will be blamed. If it is successful, no one is going to give you any praise."