When it came to automating operations at cellular message service provider Mobile 365 Inc., CFO Joe Kuhn knew he could rely heavily on the company's CIO, Derek Tam, to steer him in the right direction.
But with Section 404 of the Sarbanes-Oxley Act, Kuhn admits the stakes have risen exponentially in terms of the need for complete trust in his colleague's analytical abilities and integrity. "These days, you have to be able to look your CIO in the eyes and say, 'Are you aware of any violations in our internal procedures?' and know that you're going to get a straight answer," says Mobile 365's CFO. Kuhn says he's lucky because he feels he can.
Some CFOs don't feel so blessed and are asking for more than face-to-face assurances. "We find that many CFOs today are requiring their CIOs to actually sign off on the business process systems under their control and on the data they are providing to the finance department," says Mark Feldman, senior vice president for strategy and business development at Virsa Systems Inc., which makes security and controls software.
TENSE ENVIRONMENT
Thanks to Section 404, the relationship between the CFO, who must attest to a company's financials and internal controls, and the CIO, who oversees many of those controls but doesn't necessarily report to the CFO, is a bit strained, to put it mildly. Says Tim Leech, chief methodology officer at Paisley Consulting Inc., "If there is a problem with a company's numbers or internal controls, the CFO can no longer say, 'That was a technology problem, and I had no way of knowing about it.' They are expected–indeed, they're legally obligated–to know."
But while both finance and technology departments have been feeling the heat in Year One of compliance, some experts warn that the biggest challenges may still lie ahead. Ironically, the fear is based on the fact that Round One went too easily, particularly when it came to IT controls. "I think what will happen is that after the audit firms get their heads above water again, they'll bring on qualified IT-savvy auditors, and a whole lot more of these IT compliance problems will start to come out," predicts Paisley's Leech.
In a white paper for the professional association Financial Executives International due to be released in May, Leech reveals that a review of nearly 1,000 reported control deficiencies in 2004 found that only 3% involved IT system or application problems. Leech declares that rate to be "incredibly low by anyone's standards"–so low in fact, that it has to be considered incorrect and a case of underreporting.
Leech suggests that the process was too rushed and there was a shortage of audit resources and people who were competent to handle the IT aspect of audits. "People focused on areas that the staff assigned to an audit team could cope with," he says. In other words, either the IT controls that have been put in place in the new automated business process systems are working flawlessly or there was no one on the audit team really equipped to uncover the problems that could be out there. "Just consider the problem of spreadsheets," he says. "Even really big companies use spreadsheets for some pretty important things, and general controls over spreadsheets almost certainly didn't get audited, which is preposterous."
Other IT specialists agree. Charles LeGrande, an independent auditor specializing in IT issues and former head of IT issues for the Institute of Internal Auditors, also blames the lack of thorough attention to IT controls on a shortage of IT audit experts–both internally at companies and at audit firms. "Especially at midsize companies, where you have small IT departments, things like security and separation of duties are going to become big issues," LeGrande notes.
A LITTLE TOO ACCESSIBLE
One area that experts almost unanimously cite as potentially problematic is the question of access to data and systems. Jack Danahy, CEO of Ounce Labs Inc., an IT software provider, says that many of the internal control problems facing companies today are the result of a contradiction between what business process applications were trying to do for years and what Sarbanes-Oxley is now forcing companies to do. "Originally, automation was all about enabling access. The technology was about sharing information," he says. "Now, the problem is making sure that only the people who need access get access." The emphasis under Sarbanes-Oxley is regulating and being able to audit the trail of data. At most companies, Danahy suspects that there are people being given access to data who shouldn't have it–at least not in the new climate. "Initially, I think a lot of people took a first quick pass at implementing the controls, but now they're going to have to go back to look at them again," Danahy says. "Clearly people are getting access who shouldn't be."
Just ask Nate Kalowski, executive vice president of marketing at Guardium Inc., a database security software provider, if you want to get an anecdotal sense of how large the problem could be. Guardium's main product establishes a kind of security wall around company databases, and then monitors, audits and controls access to those databases. "When we set up our system at a company," says Kalowski, "the first thing people frequently say is, 'Oh my, I didn't realize how many users are accessing our data, or that people were accessing our data at times that the company was supposedly shut down.'"
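The kind of review Kalowski describes is straightforward to run against an ordinary database audit log. The script below is an added example written for this page, not Guardium's product or any vendor's code; the log format, account names, approved-access list, service-account list and business-hours window are all assumptions, and the log lines are constructed. It flags two things a first-year SOX review typically misses: principals touching a financial database who are not on the approved list, and interactive accounts reading or writing data outside business hours, while exempting known batch accounts so a nightly reporting job does not drown the real findings.

```python
"""Unapproved-principal and off-hours detection over database audit log lines.

Added example for this page. The format, accounts and thresholds below are
assumptions, not any vendor's actual audit log or policy.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed format: one event per line, tab-separated.
# timestamp<TAB>db_user<TAB>database<TAB>client_host<TAB>statement_type
# Constructed sample data; 2005-03-13 is a Sunday, 03-14 a Monday, 03-15 a Tuesday.
SAMPLE_LOG = """\
2005-03-14T09:12:05\tfin_app\tgeneral_ledger\tapp01\tSELECT
2005-03-14T09:40:11\tfin_app\tgeneral_ledger\tapp01\tUPDATE
2005-03-14T22:15:43\tjdoe\tgeneral_ledger\tlaptop-17\tSELECT
2005-03-13T03:02:19\treport_svc\tgeneral_ledger\trpt02\tSELECT
2005-03-15T11:05:00\tdba_admin\tgeneral_ledger\tdb01\tGRANT
2005-03-15T11:06:30\tintern_x\tgeneral_ledger\tws-42\tDELETE
2005-03-15T14:20:00\tfin_app\tpayroll\tapp01\tSELECT
"""

# Assumed output of an access review: who is allowed to touch each financial database.
APPROVED = {
    "general_ledger": {"fin_app", "report_svc", "dba_admin"},
    "payroll": {"hr_app", "dba_admin"},
}
# Assumed batch accounts that legitimately run overnight and on weekends.
SERVICE_ACCOUNTS = {"report_svc"}
# Assumed accounts permitted to run privilege-changing statements.
DBA_ACCOUNTS = {"dba_admin"}

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed business hours
WEEKDAYS = range(0, 5)                                    # Monday..Friday
PRIVILEGED = {"GRANT", "REVOKE", "ALTER", "DROP"}


def parse_line(line):
    """Split one audit line into a dict; the timestamp is parsed as ISO 8601."""
    ts, user, db, host, stmt = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "db": db, "host": host, "stmt": stmt.upper()}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() not in WEEKDAYS or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def classify(event):
    """Return the list of reasons this event deserves a second look (empty if none)."""
    reasons = []
    if event["user"] not in APPROVED.get(event["db"], set()):
        reasons.append("unapproved_principal")
    # Batch accounts are expected off-hours; interactive accounts are not.
    if is_off_hours(event["ts"]) and event["user"] not in SERVICE_ACCOUNTS:
        reasons.append("off_hours_access")
    if event["stmt"] in PRIVILEGED and event["user"] not in DBA_ACCOUNTS:
        reasons.append("privileged_statement")
    return reasons


def audit(text):
    """Run every event through classify() and return only the ones with findings."""
    findings = []
    for ev in parse_log(text):
        reasons = classify(ev)
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "db": ev["db"], "host": ev["host"], "reasons": reasons})
    return findings


def users_per_db(events):
    """The 'how many users are actually touching our data' view: db -> sorted user list."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["db"]].add(ev["user"])
    return {db: sorted(users) for db, users in seen.items()}


if __name__ == "__main__":
    for db, users in users_per_db(parse_log(SAMPLE_LOG)).items():
        print(f"{db}: {len(users)} distinct principals -> {', '.join(users)}")
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['host']} on {f['db']}: {', '.join(f['reasons'])}")
```

On the constructed sample this reports five distinct principals on the general ledger against three approved ones, and three events worth escalating: an interactive user reading the ledger at 22:15, an unapproved account deleting from it, and the finance application reading payroll, a database it was never approved for. The Sunday 03:02 read by the reporting service is correctly left alone because it is on the service-account list; without that exemption the off-hours rule produces exactly the noise that gets such checks switched off again.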
Besides the question of access, IT experts also predict that companies are going to find themselves compelled to spend much more money to turn on automatic controls for various legacy systems, controls that were often cut from the budget by CFOs during system implementation. "There is a lot of finger-pointing going on right now," says Virsa Systems' Feldman. "When CFOs saw what it was costing to install systems, the things they said to cut were controls and training. Now, with SOX, they're demanding controls, and the CIOs are saying, 'Wait a minute, you're the one who cut that from the budget.' Now, CIOs feel like they are shouldering the burden" and being asked by the same CFO to sign off on a system's security and reliability. "It's costly and it's a reporting nightmare," says Feldman.
This scenario is particularly true for pricey ERP systems. In most companies today, there are multiple legacy systems, each requiring its own set of controls. The one hope for making the process more manageable over time, Feldman says, is work being done by SAP and IBM to construct controls that can operate across systems.
But it's not all name-calling. In fact, many IT experts say they see more relationships evolving similar to the one Kuhn and Tam seem to have developed. "We're starting to see more of a collaboration than before," says Feldman. "After the experience of the first year of Sarbanes-Oxley, when there was often a kind of church-state separation between finance and IT, most companies have realized that they need those departments to work together"–that is, if they want to emerge from the next year of Sarbanes-Oxley audits as relatively unscathed as most companies seem to have so far this year.
© 2025 ALM Global, LLC, All Rights Reserved.