What were some of the big control gaps that early Sarbanes-Oxley efforts uncovered?

Wagner: We found in many instances that control documentation was way behind or didn't exist. A second issue was the tone at the top: the communication out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases, we found duplication of control activities that created inefficiency. We ran into unnecessary complexity in the extreme. In the IT area, there was duplication of systems. One division of a company had 200 financial accounting systems.

Dittmar: And organizations didn't know what their control programs consisted of. They knew they had them, but as one executive told me, it was "kind of tribal." There was no consistency in how they did it. We also found uncontrolled access to systems and challenges around security and change management.

How have Sarbanes-Oxley compliance efforts yielded dividends at some companies?

Wagner: We look at the documentation of systems and policies. In its absence, it's hard to know what's going on and hard for employees to know what their responsibilities are. At many companies, the documentation -- job descriptions, responsibilities -- wasn't up to date, so it was hard to hold people accountable for specific standards of performance. By getting that up to date, companies were able to execute business activities better, because while documentation serves a purpose in control, its primary purpose is as a written guide for people to follow. Without it, people are ad-libbing.