SarbOx Reaches Far and Wide

Case studies show that compliance with Sarbanes-Oxley will become a way of life.

Three companies working to meet a rapidly approaching Sarbanes-Oxley deadline show the breadth of systems the act affects and the lengths to which IT managers must go to maintain compliance over time.

The Sarbanes-Oxley Act, officially known as the Public Company Accounting Reform and Investor Protection Act of 2002, has corporations subjecting themselves to a gut-wrenching examination of the way they track and report their financial statements. The acts first deadline is June 15, when public companies with market capitalizations of $75 million or more must perform a self-assessment of risks for business processes that affect financial reporting. (See Part 1 of this series in last weeks issue and at

Smaller companies, on the other hand, have a compliance deadline of April 15, 2005. All public companies with a fiscal year ending on or after June 15, 2004, must now include a management report on internal controls in their annual report.

With CEOs and chief financial officers now personally responsible for ensuring the accuracy of processes such as financial reporting, reputations and more are on the line. IT departments are expected to guarantee that their companys information systems can ensure accuracy.

To gauge the progress of compliance, eWEEK Labs spoke with three companies: Regis Corp., Philadelphia Stock Exchange Inc. and Master Lock Co. Their stories make it clear that the acts impact on technology extends everywhere—from user e-mail to supply chain management systems.

It is also clear that Sarbanes-Oxley compliance is no one-shot deal, akin to Y2K remediation. According to Kyle Didier, vice president of finance at Minneapolis-based Regis, the act signals a completely new era in corporate compliance. "This isnt an exercise," he said, "its a way of life."

eWEEK Labs Senior Writer Anne Chen can be reached at