Tips from the trenches

•  Expect a scarcity of outside help as deadlines near. "Get all the resources you think you need, add extra to it and secure it today," says Bill Keitel, CFO at Qualcomm. The chipmaker depended on outside help to achieve compliance, particularly with respect to testing controls. "If everybody is underestimating what their needs are, we're going to have a severe shortage of resources in 2005," he says.

•  Don't leave common sense out of the whole equation. Use common sense about what defines an appropriate control, says Kevin Haggerty, senior director of internal audit at QuadraMed. "Intellectually it's not that hard, it's just a lot of blocking and tackling."

•  Document everything. Don't delay documentation, says Cynthia Russo, vice president and corporate controller at Micros Systems. "As you purchase new things, create new processes, and business changes, make sure your documentation is kept up and maintained. Don't wait to do it later."

•  Choose a vendor you can trust. Citrix Systems started looking for Sarbanes-Oxley compliance tools about a year ago, before winding up with tools from SAP - it's primary ERP vendor. Many of the other vendors with compliance wares were in start-up mode, says Kevin Sonsky, project lead for SOX at Citrix. "We know SAP is going to be around next year."

Back to article: "Thinking outside the Sarbox"