A Top Priority For 2004: Sarbanes-Oxley Compliance
For the large percentage of companies with fiscal years ending in December, a significant amount of work and IT investment likely lie ahead this year to meet compliance requirements of the Sarbanes-Oxley Act. According to some involved in the process, companies may have to spend as much as $1 million on compliance efforts for every $1 billion in revenue.
Congress passed the Sarbanes-Oxley Act to force more-stringent financial-reporting and auditing guidelines on public companies to prevent scandals similar to those that rocked Enron and WorldCom. The deadline for compliance is based on when a company's fiscal 2004 year ends. For those with a calendar reporting period, the deadline will be Dec. 31, 2004.
Some companies have had their heads in the sand and aren't ready to complete the compliance effort, says Bill Vass, VP of corporate software services at Sun Microsystems. "Sarbanes-Oxley compliance could be the Y2K of the future, based on what I'm seeing," Vass says.
Among the items required for compliance is hiring a new auditor, one the company hasn't used previously, to analyze business tools and process checks and balances and to look at code control in software.
Sun is approaching the process similarly to its Y2K effort, Vass says. The company created a Sarbanes-Oxley compliance team of about 20 people from various business units and an additional 30 people from its IT department. They're studying the company's more than 600 systems that may require changes.
Sun aims to have the review and compliance process completed around August, Vass says. "If there are large system-integrity issues we don't know about now, it could take longer."
Scot Klimke, CIO at Network Appliance Inc., a manufacturer of file servers and data-storage systems, notes that almost all compliance requirements fall into one of two themes: data confidentiality and document or information retention. "Most forward-looking companies are examining technologies that address those common themes," Klimke says.
Network Appliance, for example, is defining the software requirements it will need for Sarbanes-Oxley compliance. Klimke says the company, which already runs a lot of Oracle software, will probably implement Oracle's internal control applications sometime in the spring.
Illustration by Michael Morgenstern