Most regulations are crafted to solve an industry-specific problem or to force certain types of companies to take actions they otherwise might not take. Every once in a while, a law comes along that hits companies across industries, size, locations, or types of customers. Hello, Sarbanes-Oxley.

Passed in the wake of last year's corporate accounting scandals, the Sarbanes-Oxley Act requires public companies to disclose more financial information than in the past, and it holds corporate directors and officers more accountable for the accuracy of disclosures than ever before. Sarbanes-Oxley also requires companies' top officers to assess and certify the effectiveness of the internal controls they use for financial reporting.

Software lets Regis obey the law without adding staff, Didier says. Photo of Kyle Didie by Raoul Benavides

The law codifies practices that companies should have been using but may not have been because they "had lost their focus from a corporate-governance perspective," says Kyle Didier, CFO of Regis Corp., which operates 10,000 hair salons across the United States under brand names such as Supercuts, Jean Louis David, and Vidal Sassoon.

So far, public companies have had to certify the accuracy of their annual reports, forcing many businesses to put systems and processes in place to boost confidence in the data they provide in those reports. By June 15, companies will have to comply with section 404 of the law, which requires an internal-control report that certifies the procedures used to ensure effective financial reporting.

According to a survey of 300 CFOs at publicly held companies by Protiviti, an audit and risk consulting firm, a third of respondents cite meeting requirements for executive certification and internal-control reporting as the greatest challenge associated with Sarbanes-Oxley compliance. Another 27% say the top challenge is aligning audit-committee responsibilities with the requirements.

Putting solid corporate-governance policies and procedures in place can have benefits beyond just complying with Sarbanes-Oxley. Businesses that have strong governance policies outperform those with weak ones in terms of shareholder return, according to a study of 1,600 companies by GovernanceMetrics International, a research firm that rates companies based on director independence, board accountability, and integrity of financial reporting and auditing.

As businesses grapple with the challenges Sarbanes-Oxley presents, many look to business technology for tools to meet the requirements and help the various parts of their organizations understand and feel confident in their internal financial controls.

Some of the Sarbanes-Oxley requirements aren't entirely clear, and the Securities and Exchange Commission, which implemented the law, hasn't been all that helpful. In comments on section 404, the SEC ruled that beginning with a company's fiscal year ending on or after June 15, 2004, it must issue four statements: one indicating management's responsibility for maintaining internal controls; one identifying the framework used to evaluate internal controls; one saying the company's auditor attests to management's assessment; and one assessing the effectiveness of internal-reporting controls.