Absolutely AccountableAbsolutely Accountable

That last statement has caused the most angst, because the SEC won't provide guidance on what constitutes effective internal-reporting controls beyond what's contained in the regulations. The uncertainty has helped to create a market for so-called Sarbanes-Oxley compliance software, consisting largely of business-process-management applications such as HandySoft's SOXA Accelerator, Movaris' Certainty, Nth Orbit's Certus, and OpenPages' Sarbanes-Oxley Express. These applications are based on a standard framework that the Committee of Sponsoring Organizations, a group of public-accounting firms, developed to provide the processes needed to monitor, evaluate, and report on internal-reporting controls, including the policies and procedures that ensure that management directives are carried out.

Regis is installing Movaris' Certainty to document and test the hair-salon operator's internal controls and procedures. With Certainty, each department within the company can handle its own testing. "Movaris will enable us to comply with Sarbanes-Oxley without adding head count," Didier says.

Regis' compliance effort involves two phases: documentation and testing. During the documentation phase, which is now under way, the company identifies key internal controls and develops narratives and flowcharts to describe each control. During the testing phase, scheduled to begin early next year, Regis will test and certify the effectiveness of its internal controls in advance of the final audit by its auditing firm, PricewaterhouseCoopers LLP.

Not to be outdone by the niche software developers, major enterprise-resource-planning vendors, including Oracle, PeopleSoft, and SAP, have added modules to their financial-management software that let companies document and certify the effectiveness of their internal controls and procedures with respect to financial reporting.

Facing budget squeezes, some companies are tempted to cut corners by purchasing low-cost software products, enabling them to comply with the letter, if not the spirit, of the law. "Some want to buy the cheapest software just so they'll be able to tell the SEC they're compliant," Gartner analyst Lane Leskela says.

But in today's business climate, just barely complying might not be enough when it comes to corporate governance. Investors and customers want more assurances than in the past that the companies they're working with are up-front and honest in their financial dealings. Compliance with Sarbanes-Oxley isn't just good business, it can be good for business, too.