Robert Edwards, chief information officer for The Rouse Co., a real estate development and management company, has looked for software that will help Rouse comply with the internal controls monitoring and reporting required by Section 404 of the Sarbanes-Oxley Act. So far, he hasn't found what he's looking for. "There just weren't a lot of companies out there that had the level of control and depth that the law requires," Edwards says.

He wants a single solution that includes a template for the control structure, a repository for documentation and a testing control center. "My firm belief is that 12 months from now, and maybe sooner, we will have many choices of integrated Sarbanes-Oxley packages," Edwards says. "Right now, it's difficult."

That's okay. At this point, there probably isn't enough time to test and implement new software programs anyway. Companies find themselves scrambling to meet the first 404 deadline–even with the Securities and Exchange Commission's decision to push the compliance date out five months to Nov. 15. The initial step in compliance, documenting their controls, has proved to be much more work than companies expected, and many have decided to stick with systems and controls they already have in place rather than attempt major automation or consolidation at the eleventh hour.

In other words, regulators should expect compliance the first time around to be more patchwork than precision. But analysts and vendors say that the extent of the work companies have had to do in this first year will encourage them to buy software to make compliance easier in ensuing years. "Year One may be held together by a series of spreadsheets and Word documents," concedes John Hagerty, vice president of research at AMR Research, a technology research firm in Boston. "But going forward people realize it has to be much more baked into how they work. As people think about how they're going to approach this over the long term, they will realize it has to be a repeatable and sustainable process. That's where the use of technology will come in."

And therein lies the hope–not to mention, the market–for every tech vendor that has recently come out with a bell or whistle designed to make Sarbanes-Oxley a company's friend and not its master. Yes, the providers have been disappointed thus far with sales related to the new corporate governance law. Yet, there is still great promise in the future and that could even begin to be realized as early as the fourth quarter of this year. "A lot of companies jump to technology without thinking through the process and find they've made investments that don't align with where they actually need to be," says Mike Baccala, a partner at PricewaterhouseCoopers. With Section 404, "a lot of companies are deciding to stay where they are through their first attestation and then make a decision for the long term as this market matures."

That could translate into a significant increase in technology investment after companies get past the first deadline. Jennifer Chew, the principal analyst with the CIO Group at Forrester Research Inc., a technology research company in Cambridge, Mass., projects that spending on software related to Sarbanes-Oxley will peak at $225 million in 2005, up from $140 million in 2004.

But companies that are contemplating acquiring some technology to ease the pain of 404 will find a confusing number of choices. (See chart.) Chew suggests that companies define their biggest challenges and then use that as a guide for choosing software. "If it's a matter of not being able to quickly go back and compile electronic records of past financial performance, then you're talking about improving your content management," she says. If a company has procedures in place, but finds that they're not being followed consistently, it might want to look at a solution with a business process emphasis, she says.

Choose Your Poison

Following Chew's logic, a potential software buyer might attempt to divide SOX offerings according to a vendor's expertise or main line of business. For instance, San Jose, Calif.-based Nth Orbit Inc. and Minnesota-based Paisley Consulting Inc. are risk management software providers and obviously would offer SOX software strong on risk management functionality; Movaris Inc. of Campbell, Calif., and HandySoft Corp. of Vienna, Va., have business process and workflow solution experience; and Documentum Inc. is known for its content management software. Then there are the big systems types, including the ERP vendors, Microsoft and IBM, who point to the tight integration their SOX solutions provide with the rest of their software.

All the Sarbanes-Oxley solutions help companies ensure that their internal controls on financial reporting comply with COSO, shorthand for a comprehensive standard for internal controls developed by the Committee of Sponsoring Organizations (COSO) in the early 1990s, which is what most U.S. companies are expected to use. Some products also incorporate other standards, like Canada's Criteria of Control (COCO), and might be of interest to companies that expect to have to comply with new governance rules in other countries.

AMR's Hagerty advises companies to confirm whether the software they're considering operates in a way consistent with the organizational structure of the company and with its auditor's recommendations vis-a-vis Section 404 compliance. "One of the things we've seen as we talk to people is that your complexity…is a key determinant of how complex the compliance regimen needs to be," Hagerty says.

He also suggests checking whether software can accept inputs from different sources–such as the control documentation companies are assembling to meet the first attestation. "Can I preload stuff that comes from spreadsheets or comes from auditors, maybe a list of key risks?" Hagerty asks. "And now that you've finally put the documentation in place, how do you use it on an ongoing basis? Is your software this brain-dead thing that stores stuff, or does it remind individuals and work groups that there are tasks to be done on an ongoing basis?" Hagerty says these reminders can be made very specific with the correct software. For example, the reminder could tell an employee not only that it is time for a certain task, but it could also outline the correct steps. "In many companies, a lot of people might do [a task] each in a slightly different way and that might open the company up to a level of risk that they don't want," Hagerty notes.

The software buying spree may not be directed only at Sarbanes-Oxley compliance. Analysts suggest and executives confirm that Sarbanes-Oxley is also prompting companies to automate financial processes in general. For instance, Rouse's Edwards notes that the SRC software his company uses for some financial planning has made his compliance workload less onerous. "It's much easier to test an automated process than it is to test a manual process," Edwards says. "My feeling is that one thing that Sarbanes-Oxley will do is it will drive more automation in business."

The same was true for Greenwood Village, Colo.-based Crown Media Holdings Inc., which accelerated an ongoing program of automating its financial processes while it reviewed 404 software.

Companies have been attempting to cut back on the number of different software systems they use as well. "If you've got 10 different systems running, you've got 10 times as many controls to worry about, to document and to test," says Tim Welu, Paisley Consulting's CEO. "I've already talked to a number of companies that say they're definitely going to be looking at reducing the number of systems they're running on. That's going to happen over the next two, three, four years."

The Fewer the Better

Chris Leone, vice president of product strategy at PeopleSoft Inc., says he's seeing customers consolidating the number of different instances of PeopleSoft's software they have, as well as cutting down on the number of systems they have from different vendors. And although all three big ERP vendors have come out with compliance modules, Kraig Haberer, global marketing director at SAP, contends the big play for the ERP companies is the consolidation of platforms, rather than the specialized compliance software. "That's where companies are having the most heartburn, those with multiple heterogeneous systems all over the place," Haberer says. The problem isn't just that such companies have more controls to monitor, he explains, but that moving data from system to system raises the possibility of errors.
