Any way you slice it, U.S. companies and their compliance teams are being pushed to the max. One quarter remains until the first batch of companies, and their auditors, must attest to their internal controls as required by the Sarbanes-Oxley Act. Controls are being rethought and remade as internal tests reveal weaknesses, and for many the last leg of the process–external auditors showing up at your door–is finally within sight.

Some public companies are happily on schedule and ready for the final round of auditor tests. For others, it will be a mad scramble up to the end. For all, there is the slight dread that unexpected failures could be found late in the process when there is little time to correct and retest them. Perhaps the only sure thing is that more paper is being produced and more money is being spent than anyone could have guessed when Sarbanes-Oxley was signed into law two years ago.

This unexpectedly heavy burden continues to concern regulators, who also have a lot riding on a successful first round of Section 404 attestations. In an August speech, Donald T. Nicolaisen, chief accountant at the Securities and Exchange Commission, reiterated that "it is absolutely critical that we get the internal control requirements right" and suggested that the SEC was even considering a delay in the implementation of other initiatives to provide more time for management and auditors to complete the 404 review.

Yet, in times of strain, it helps to focus on the fact that much of the sweat going into compliance efforts will have lasting benefits. "There's been a realization that 404, and Sarbanes-Oxley, are not about accounting; it's about the business," says Lee Dittmar, a principal at Deloitte Consulting LLP and co-leader of the firm's Sarbanes-Oxley integrated services. "The further away you go from the CFO, that's where your risks are during the initiation of transactions and so forth. Things [must] get entered right and policies and procedures [must be] adhered to. Once it's into the general ledger, there's not a lot you can do."

So in the spirit of "you-are-not-alone," here is a list of issues and challenges large and small companies are facing–a snapshot well ahead of the final deadline–when there is still time to change the course of your company's compliance efforts.

1. TOO MUCH WORK, TOO FEW RESOURCES

Perhaps the most common stress point involves managing the flow of work between process documenting, testing and remediation–including finding and keeping the right people. Even companies that feel they are on track are a bit nervous that an unexpected finding could throw months of planning out of whack. "We're trying to front-load as much as we can," says Dawn Albery, controller and head of compliance efforts at LeapFrog Enterprises Inc., a $680 million maker of toys and learning products. The company set June 30 as the date to have all its initial documentation and some of its management testing complete. It is now phasing in the review by its external auditors. "We think we're fine but we don't want to slip," says Albery. "If you slip past your deadline, you run the risk in the marketplace of external resources not being available."

Part of the problem: The number of staff hours required is turning out to be two and three times what companies had expected. "One of the things I've seen at almost every client is that they have grossly underestimated the work," says Anne Swaller, practice director at Parson Consulting. "Not everybody can sit down and flow chart a process, and most individuals are not knowledgeable about financial controls." Hence, the demand for experienced audit professionals is considerable, and companies of all sizes worry they could lose part of their auditing brain trust to rivals.

2. LEAVE NO GRAY AREAS IN YOUR TESTING

External auditors are the next group on the tarmac to test the work by their internal counterparts, and with the Public Company Accounting Oversight Board (PCAOB) putting a magnifying glass to the auditing process like never before, the pressure is on. Some predict considerable friction between companies and their external auditors on whether a problem area in controls rises to the level of a "material weakness," triggering a failure. "The major issue facing companies between now and the end of the year is not documenting and testing. It will be the opinion of the external auditor on the work you've already done and how they [plan to] classify that," says David Richards, former head of the audit department at First Energy Corp. and president of the Institute of Internal Auditors.

One important way to prevent clashes: Don't approve controls that could come close to the line of failing. "In terms of whether something is a material weakness, there will be subjectivity," says Deloitte's Dittmar. Smart companies are also bringing in their auditors as soon as possible, even for preliminary walkthroughs and testing.

3. TOOLS NEED TO SOLVE PROBLEMS, NOT CREATE THEM

Companies face a tough choice when it comes to upgrading financial reporting systems and software: either stick with existing products, including spreadsheet programs, which may be problematic in a high-control environment, or take a chance with a new, and possibly costly, replacement technology. There is no one-size-fits-all solution. For diehards looking to make spreadsheet controls more airtight, the answer may involve building a set of "gates" or controls that limit access when it comes to making changes or approving changes to certain spreadsheet documents. Says Robert Hirth, managing director and head of internal audit services at risk consultants Protiviti Inc.: "In a perfect world, a company would have very clear policies on spreadsheets," including "how spreadsheets should be developed, [how] people [should be] trained in Excel, how the cells are stored and protected and who has access [to them]. There's a little bit of protocol, formality and some controls that need to be put in around them."

Hirth adds that for some companies, especially those for which spreadsheets may be less critical to the reporting process, the right decision may be to have systems people rewrite spreadsheet-like functions into their existing ERP systems. Such a move would put those functions in a more stringent control environment, an obvious plus, but could also expose the company to last-minute, but hopefully minor, operational or control deficiencies that will need to be ironed out with auditors.

At this point, if you have not committed to replacement technology, many experts feel it may be too late to bring in anything substantial for this round of testing. However, they caution that companies should already be evaluating new systems for the next round.

4. GETTING SYSTEMS UNDER CONTROL

Although many companies have held back from committing to new systems this year, the trend in technology spending has been in favor of achieving more standardization across an organization. Companies are finding unexpected difficulties when dozens of transactional and computer controls feed into a single process. "The more variability you have in processes that are in play, the more difficult, complex and time consuming it has been to document, assess and test your controls," says Deloitte's Dittmar. "If you've got five A/P processes on four different systems at three different locations, you've got a lot more work to do as opposed to if you had standardized that." This is especially true for companies that have grown through mergers and acquisitions and failed to consolidate legacy systems.

5. KEEPING TABS ON OUTSOURCE VENDORS

If you are having trouble nailing down your own controls, how much assurance can you have about those of your vendors? Yet, under 404, companies that have outsourced a function that could affect their financial reporting are responsible for the efficacy of vendor controls.

For large outsourcing vendors, providing a Statement on Auditing Standards (SAS) 70 (type II) is not that difficult, but some smaller vendors are saying "no" when an SAS 70 is requested. The question is when does a company absolutely need to obtain one? Some companies are not taking any chances: As a prerequisite for continued business, they are making all their vendors provide SAS 70s. "There are a number of clients who are now electing to move to other vendors because they cannot get SAS 70," says Swaller. "If it's immaterial now they don't want to take the chance going forward."

6. DOCUMENT, DOCUMENT, DOCUMENT

Outside auditors need paper, or some other kind of physical evidence, that management tests have been performed and controls are in place and working. For instance, at United Technologies Corp., the $30.8 billion aerospace conglomerate, little physical documentation–"other than perhaps meeting minutes"–existed for quarterly and year-end reviews, according to Jay Haberland, vice president of business controls at UT. "So we've actually gone ahead and are devising check lists and other things that hopefully won't be too overwhelming, but will give the auditors something to look at to understand that these things actually occurred." New requirements for documentation and a more formalized testing environment apply to corporate headquarters as well as UT's dozens of business units, Haberland notes. Other companies are also looking for ways to replace a heavy reliance on e-mail for approvals and other key processes with more centralized electronic technologies that are easier to trace and produce for documentation purposes.

7. TIGHTENING ANTI-FRAUD POLICIES

Companies must demonstrate to auditors that they have enough controls in place to detect fraud. Until recently, many companies, especially those in less regulated industries, have lacked formalized documentation and procedures for identifying fraud, such as whistleblower hotlines. Inconsistency is also an issue: Companies tend to have strict procedures in certain areas of the business, such as cash applications, but few in others, such as inventory oversight.

SAS 99, the fraud audit standard, gives an indication of what auditors will be looking for, but Protiviti's Hirth also recommends that companies build a "fraud risk assessment," which identifies the areas in which fraud could be perpetrated and is most likely, and which programs should be in place to prevent it. "Then companies have to determine if those programs are working effectively," he adds.

8. START THINKING ABOUT NEXT YEAR NOW

Everybody knows that Section 404 compliance is not a one-time event, but with so much pressure riding on the results of this year, it's hard for many to look very far into the future. Moreover, companies in many cases still do not have one manager or group within the organization who "owns" the corporate function of quarterly compliance oversight. Without this designation, there is a risk that the body of knowledge built up this year will be lost and effort will be needlessly expended to try to replicate it.

A quarterly mindset is crucial. Following their initial annual 404 compliance deadline, company officials will have to assert at the end of each quarter on any deficiencies in controls and "significant changes in internal controls that could have a negative impact" under Section 302 of Sarbanes-Oxley. Having a flexible, up-to-date compliance program will be key. "The biggest challenge [companies] will face next year will be how do they create a process that is able to identify that a change is going to occur or has occurred and its degree of significance to the company's internal control over financial reporting," says Protiviti's Hirth.
