Maybe the "if it is expensive then it must be good" factor is at play here. Main problem with that attitude is that oversight is ussually an area where employees follow the leaders, so if you never ask, you'll only hear good news.
SOX is not likely to touch larger SAP installations management because there should be a paper-trail at more than one level about solving incidents, so higher-level management is covered.
Biting the hand that feeds IT
