As 2003′s halfway point approaches, finance departments are beginning to tackle the next big hurdle in the Sarbanes-Oxley obstacle course: the infamous Section 404, which requires managements to document annually the adequacy of their companies' internal controls and then have auditors attest to their reports. To a large extent, companies are flying blind because neither the Securities and Exchange Commission nor the Public Company Accounting Oversight Board has issued final regulations for the section. But executives can't afford to wait either, since 404 compels companies with fiscal years ending after Sept. 15, 2003 to be in compliance by the time they file their 2003 annual reports next year. "If there are companies out there who have decided they are going to wait for final rules before they start to understand the specific controls they rely on for their financial reporting and to document them, they are potentially putting themselves in a very difficult position," says Miles Everson, a New York-based partner at PricewaterhouseCoopers who works on operational and enterprise risk.

Consultants say documentation is the biggest challenge for companies. Even those with sophisticated controls have paid little attention in the past to how they might actually prove that their controls are thorough and effective. But without hard evidence, it will be almost impossible for an auditor to feel confident enough to sign off on them. "The auditor attestation brings a whole different level of rigor to the process," says Nicholas Grabar, a partner at Cleary Gottlieb Steen & Hamilton in New York. Auditors will need "documentation of controls and documentation of the testing of controls–that's stuff that companies hitherto have not had to have," he says.

As they prepare for 404, many companies are referring to the proposed SEC rules that came out last fall but have yet to be approved. Those regulations referred frequently to 1992 guidelines for establishing comprehensive internal controls issued by an independent group sponsored by accounting organizations called the Committee of Sponsoring Organizations (COSO). But Grabar says the disparity between the COSO guidelines and the SEC regs is causing some concern. Despite the SEC regs' references to COSO, the lawyer notes that the SEC's use of the term "internal controls and procedures for financial reporting" is narrower than COSO's definition of internal controls. For example, while COSO's framework includes controls to ensure that company personnel comply with the law, "it's not part of what the SEC defined internal controls to be," Grabar says. "It's hard for companies to know what they're getting ready for."