Executives who oversaw the first round of compliance with the Sarbanes-Oxley Act for their companies say they would have done things a bit differently in hindsight, including educating more workers about steps they needed to take, assigning dedicated staffers to assess and monitor critical controls, and automating a greater portion of repairs to IT controls deemed deficient.

"You want to start the process early, to educate as many people as possible," said Neil Frieser, vice president of internal controls at Viacom Inc. Frieser, a speaker at The Sarbanes-Oxley Conference & Exhibition, held in Baltimore Tuesday, said Viacom conducted a staggering 19,600 tests on 1,560 business controls and 540 IT controls last year to meet Section 404 of the law. The work covered 116 business processes and 75 IT applications throughout the media company, whose divisions include CBS, MTV and Nickelodeon.

One of the best decisions Viacom executives made was to identify and test internal controls centrally rather than handing the work off to each of a dozen business unit leaders, he said. "We developed a lot of guidance centrally instead of having a lot of guesswork in each of the business units. We weren"t perfect in 2004, but we got more right than we got wrong."

He wasn"t alone. Michael Hultberg, executive director at Time Warner Inc., said officials at the media giant discovered during the first round of Section 404 compliance efforts that "many of the key controls we"d identified actually weren"t that key." Time Warner, which spent a mind-numbing 350,000 man-hours identifying, evaluating and testing its financial and IT controls, ended up with a higher proportion of IT control deficiencies, such as security and change management issues, said Hultberg.

Looking back on Time Warner"s first-year compliance efforts, Hultberg recommended that companies assign dedicated staffers to handle the work. "It"s a heck of a lot cheaper than hiring [a third party]," he said.

Unlike Viacom and Time Warner, whose businesses are highly decentralized, The Dow Chemical Co. has a centralized business model to support 165 manufacturing sites in 37 countries. As a result, when the Midland, Mich.-based chemical manufacturer conducted 30,000 internal control tests last year to meet its Section 404 requirements, all self-assessments were reviewed by each of the work process owners, followed by the company"s internal audit department, said Ron Edmonds, global accounting director for the company.

Going forward, said Edmonds, "we have to figure out how to make it [Section 404 controls verification] more efficient. We don"t want to see any deficiencies, but with a company our size, we"re going to have them." Dow Chemical had US$40 billion in revenues last year.

One of the biggest challenges companies faced last year was trying to test thousands of internal controls with manual testing procedures instead of automated IT tools, said Harald Will, president and CEO of ACL Services Ltd., a Vancouver, British Columbia-based vendor of software for financial executives. As a result, many internal audit teams "didn"t get to everything they should have because they"re spending so much time on manual controls," said Will.

Because Section 404-related work consumed so much time and resources, many companies ended up placing a number of strategic IT/business projects on the back burner to meet the Dec. 31, 2004, deadline. And while some strategic projects are still being deferred, many companies have been channeling their IT spending into areas such as business intelligence in order to provide senior management with greater visibility into organizational performance and operations, said John Hagerty, an analyst at Boston-based AMR Research Inc.

Said Hagerty, "That"s where the battle is being fought right now."