You may enjoy this exchange with a customer from a few years back. I’ve changed the names to protect the guilty:

Dear Joe,

I reviewed your Sarbanes-Oxley compliance document and noticed a few things that are worthy of mention:

1. The security section requires that sensitive information be encrypted in transit, but most users do not have encryption tools available.

2. The security section mentioned that a user is not allowed to disable his virus scanner, yet this is permitted on most or all workstations.

3. The security section requires that, if possible, a session must time out after 30 minutes, but none of the Windows workstations times out. This is something that could be centrally controlled.

Yours Truly,

AP

And the response:

Thanks for your feedback. I’ll forward your email to Sue and Francine and add it to my file.

Joe