How hard is it to comply with the Sarbanes-Oxley Act's Section 404? Just ask Neal Barnard, CFO of Dana Commercial Credit Corp. and head of the Section 404 compliance project at his Toledo-based auto parts-maker parent Dana Corp. Section 404 requires a company's top management and its auditors to attest to the reliability of the organization's internal controls on financial data gathering and reporting. That involves extensive documentation on what controls exist and how they work, and so far at Dana, five people have been working full-time on the project for six months."That's roughly 10,000 people hours just from the five of us," Barnard says.

Another 300 finance employees attended two-day training sessions that $9.5-billion Dana held four times: twice in North America, once in South America and once in Europe. Barnard estimates that 1,000 employees will be involved in the effort to document internal controls and says Dana has translated its web-based self-assessment tool into five different languages. "It will be a significant investment to be compliant," Barnard says. "Not because I think we have weaknesses, but the process has to be documented in a fashion that has to be auditable so that if the SEC comes in, you can lay it all out in front of them. There's just a lot of work involved in documenting the controls."

Companies selling financial software know that and have been trying to seize upon the new law as a marketing opportunity, developing new solutions for Sarbanes-Oxley reporting and repackaging older products to promote their potential application. Beyond 404 compliance, vendors are also offering up technology to meet the law's tighter deadlines for filing 10-Ks and 10-Qs with the SEC and reassure CEOs and CFOs about the accuracy of the data that they now have to personally sign off on. So far, though, Sarbanes-Oxley has not turned out to be the next Y2K for technology sales.