Everyone knew that compliance with Section 404 of the Sarbanes-Oxley Act was never meant to be a one-time event. But as hard as it was making it through the first review of internal controls, the painful truth for many companies is that success in year one does not make getting through year two and beyond a slam dunk. In fact, for most companies, it will require embracing technology and a different focus on process and policy.
Many of the ways companies got by in 2004 just won't cut it for the long haul. It was common practice to "borrow" resources (the human kind) from one department to fill holes in companywide compliance efforts, a situation that led to confusing lines of responsibility and uneven workloads. It was also true that some companies, driven by the need to get a passing grade on controls, documented and tested far more processes than was necessary. For others, decisions on whether to buy the latest data collection tools were put off until first-year deadlines were met. So now is the time for a critical reassessment, with the goal of paving the way for a more sustainable program that can reveal where the real efficiencies lie. To help clarify the way toward longer-term compliance efforts, here are some of the most important issues that separate year-two compliance efforts from what came before.
1. 404 IS A PROCESS, NOT A PROJECT
The thing to avoid, experts say, is complacency, especially if yours was a lucky company that more or less sailed through testing and remediation efforts unscathed. "Organizations need to understand that because they are through year one, they are not guaranteed anything in year two," says Anne Marchetti, practice director at Parson Consulting. "That's getting lost in the shuffle." Internal control programs must have room to evolve in response to geographic, business merger or even staffing expansions and contractions. Interpretations and guidelines from regulators on how best to comply with the rules will no doubt be voluminous in the coming months and must be incorporated. "[Compliance] should be geared toward the ability of the organization to institutionalize the issue of control assessment as opposed to making it a big deal," says David Richards, president of the Institute of Internal Auditors. "Evaluation of controls must be done on an ongoing basis."
If common sense doesn't dictate a fresh commitment, then the law itself does. "There's an additional requirement that hits companies in year two that they didn't have in year one," says Robert Lipstein, KPMG LLP's national partner in charge of Sarbanes-Oxley 404 services. "They have to report on a quarterly basis any material changes in their internal controls. Major systems upgrades and changes in key personnel would be matters to consider for disclosure." That will require not only the right judgments, but also getting key information in a more timely way, something Lipstein likes to call picking up the "data velocity."
2. CLARIFY COMPLIANCE ROLES
Many companies have treated the people behind compliance as an afterthought. Start by finding ways to clarify employees' 404 responsibilities and find out what needs to be done so those duties don't overlap or interfere with their other main duties. Making those duties clear from the outset and having the right incentives in place is vital. "We have recommended to clients that they heighten business ownership, adding it to job descriptions, the ownership and responsibility for internal control, and then building responsibility and effectiveness of internal controls into performance evaluations," says Jennifer Meiselman, a director at BridgeMark, the risk consulting division of BDO Seidman LLP. Especially at large, decentralized companies, many of the most important and effective safeguards must be carried out at the business process level, when and where a transaction takes place, rather than long afterwards at headquarters. "We're going down to line managers," says Meiselman. "You'd be amazed at how much 'this isn't mine' is out there."
Macro-level responsibility is equally important. These are the people whose job it is to keep the process moving throughout the year. "An organization should establish a governance office that owns that," says Parson's Marchetti. "You're looking at who owns governance in the organization day to day, quarter to quarter, throughout ongoing compliance." Those functions include reporting on the status of ongoing monitoring and maintenance of 404 and 302 requirements; facilitating and overseeing the testing process; and addressing problems when they arise. For instance, if a company's internal audit staff are involved in the testing process, they generally shouldn't be involved in remediation efforts, to avoid an obvious independence problem or conflict of interest that an external examiner could flag. But someone has to be taking the view from 30,000 feet to head off such problems, and Marchetti argues that for large and many midsize companies, that should be the job of a dedicated staff.
3. LET YOUR RISK ASSESSMENT BE YOUR GUIDE
A good way to avoid overkill–and probably save a few bucks–is to get a firm grip on which controls are really key to your company's financial reporting. They will vary greatly from industry to industry and may be different for companies in the same industry, but the best way to know where the risks lie is to map them out and keep updating the effort for external changes as well as those within the organization. "If you don't do a risk assessment, it's sort of like not taking aim at the target," says Steve Wagner, co-chair of the Sarbanes-Oxley steering committee at Deloitte & Touche LLP. "Just because a control exists doesn't mean it's a vital control in your documentation and assessment."
Steve Goepfert, senior director of internal audit at Houston-based Continental Airlines Inc., recalls how his staff at first identified some 1,200 controls to be tested in early 404 preparations, although only a subset of those were important for financial reporting purposes. "There's no question the 404 effort in the first year was very intense, but year two will be more streamlined," says Goepfert, who oversees a team of 23 internal auditors. "I think everyone has learned from the process to focus on what are the controls that are key to the financial statement."
4. HAVE A GAME PLAN FOR FIXING SIGNIFICANT DEFICIENCIES
Many companies that don't have material weaknesses cited by their outside auditors still face at least some "significant deficiencies," which, unlike material weaknesses, are not required to be made public. The hitch: Unresolved significant deficiencies in year one can quickly grow into material weaknesses in year two. The answer is to address those less severe problems now rather than waiting until later in the cycle, when other issues will no doubt arise, since they really are material weaknesses in the making.
But that doesn't mean forgoing a careful approach just to save time on remediation. Jennifer Meiselman of BridgeMark recommends that clients stand back a bit before addressing a series of significant deficiencies. "You should see how they interact and relate to each other," she says. "The real challenge is not to pick them off one by one but to change how the process is performed." In some cases, companies that rushed in to correct one deficiency found they had created a problem in another area. Did a deficiency arise from a control mistake, or was there a lack of training or overworked staff that led to the condition? The right answer could save serious time in remediation down the road. "Look at the root cause, rather than the obvious error," advises Meiselman.
Some companies have gone beyond the requirements and made their significant deficiencies public to investors. Analysts are split over whether this makes sense in the current environment. In the long run, since greater financial transparency is the goal, such an act may not seem that outrageous when companies are more comfortable with the law.
5. AUTOMATE MANUAL PROCESSES WHEREVER POSSIBLE
The right people in the right jobs are key, but the right technology can be even better. Since many of the financial and other tools designed around Sarbanes-Oxley didn't exist 12 months ago, automation and its benefits will no doubt play a bigger role in future compliance efforts. That means using computerized systems to help standardize documentation but also relying on automation to take some of the pain out of testing. "There could be IT controls that take the place of several manual processes," says Continental's Goepfert. "It can streamline the process." He points to the fact that almost every big company automates "vacation liabilities" owed to its employees, the process of tying into payroll systems the calculations of what employees have accrued. But Goepfert says many companies he knows chose to test these systems manually through a series of steps that almost recreate the process, rather than simply testing that the underlying IT software program was working right.
As for the new tools themselves, the emphasis of the latest crop is less on document storage and more on giving employees who need to use a document on-demand access and automated testing and approval functions. "Where we are seeing a lot of difficulty is with financial reporting where financial statements are put together manually," says Deloitte's Wagner, who sees much room for improvement in the ways companies use technology to cut back on redundant processes.
What can be tricky is finding the right time to overhaul a process with a new technology, since the outside auditor must test and validate any new system central to financial reporting. At one company Wagner cited, management decided late in its audit cycle to consolidate 70 different ERP systems into just a few, despite the fact that there wasn't time to test by year-end. So the company took a material weakness hit, in a bet that it would be farther ahead in the long run. And now that we have made it past the year-one deadline, the long run is what it is all about.
© 2025 ALM Global, LLC, All Rights Reserved.