I get asked frequently if Salesforce.com is "Sarbanes-Oxley Compliant".
If you read the text of SarbOx, you'll see that there really is no such thing. SarbOx is about processes, not technology per se. So a better question would be:
"Does salesforce.com provide the capability to implement controls dictated by my processes?".
The answer is "yes, it sure does". This comes up often enough to a point where I've written a white paper on this issue.
