as management commitment to quality? If the prevailing attitude is to let the users test the system in production, this aspect may not be met.
Risk analysis is nothing new, and it has been applied to software testing for years. Typically the risks centered on financial, operational, and customer impact. After Sarbox, there is a new type of personal risk for the big corporate kahunas. This stems all the way from forfeiture of bonuses, up to and including civil and criminal penalties.
Testing is the ultimate control activity, of course, but the key is to assure that the means of communicating salient information about its status and findings is working. This takes us all the way back to the original problem: how do you get management's attention? It is generally agreed that companies must allow confidential submissions by employees of concerns about matters affecting financial reporting. Some are actually implementing hotlines where informants can bypass managers who are either ineffective or obstructive at raising awareness of critical issues. So, if your best QA efforts are being deliberately disregarded or emasculated by your chain of command, you can now take an anonymous shortcut to the top.
Perhaps the requirement for monitoring the internal controls will also help us break through the ceiling. Hopefully we won't have to wait for the first software-defect lawsuit to be filed before corporate executives realize some facts. Software QA is no longer an optional function primarily designed to protect developers from their mistakes, but is an essential one that protects them from SEC sanctions, civil damages, and an all-expense paid vacation to Club Fed.