With most of the regulatory focus up to this point on larger public companies, financial institutions and healthcare providers, it wasn't until the last half of 2005 that we started to see a concerted effort on the part of technology vendors to scale down compliance-related systems and tools for small- and medium-sized businesses (SMBs).

It was only a matter of time; the SMB market is huge, hot and underserved, especially when it comes to compliance. Vendors focused first on the low hanging fruit, the publicly traded companies with higher market capitalization that faced the most aggressive deadlines for complying with Sarbanes-Oxley. The SEC recently extended the deadline for smaller public companies (those with a market cap under $75 million) to 2007 for reporting their internal control processes for.

That means SOX section 404 reporting will be an across-the-board activity by the later half of 2006. But that doesn't begin to account for all the smaller and much smaller private companies that have also felt the long arm of SOX. They may not be required to attest to their own controls, but chances are they do business with companies that are. And more and more, we're seeing governance activities extended to suppliers and partners.

What a burden it must be for a little mom-and-pop shop to go back and layer in control processes, especially when all the tools are designed for enterprise-level companies. The Small Business Administration found that small businesses spend 46 percent more per employee complying with federal regulations than their counterparts in larger businesses.

But that's starting to change. As with other areas of IT for SMBs, vendors are scaling down enterprise-class technology and services and making them more affordable for smaller companies. We can expect product and service introductions to step up in 2006 as vendors target companies facing the delayed deadlines.

One area where SMBs will come up short is in their ability to throw people at the problem. How many hats can they wear?