Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (...or set of ...or service of). But I didn't make that distinction in my previous post. But, is that the basic point you're making? ...that IT compliance is a subset of overall Compliance? Or is there more to it?
I guess what I was thinking is that the service would not only provide controls that put you in compliance and evidence that proves you're compliant but also could tell you which questions you should be answering. ...even with regard to current trends in regulatory and market pressures (which no doubt change over time).
Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?
The main thing I'm wondering is if organizations would get value from an external party taking over the IT audit portion so that the org itself (who might be anticipating regulatory pressure) wouldn't have to figure out which questions to ask, how to ask them, how to build controls to get the right answers, and how to prove that the answers are what they should be.