Robert Edwards, chief information officer for The Rouse Co., a real estate development and management company, has looked for software that will help Rouse comply with the internal controls monitoring and reporting required by Section 404 of the Sarbanes-Oxley Act. So far, he hasn't found what he's looking for. "There just weren't a lot of companies out there that had the level of control and depth that the law requires," Edwards says.

He wants a single solution that includes a template for the control structure, a repository for documentation and a testing control center. "My firm belief is that 12 months from now, and maybe sooner, we will have many choices of integrated Sarbanes-Oxley packages," Edwards says. "Right now, it's difficult."

That's okay. At this point, there probably isn't enough time to test and implement new software programs anyway. Companies find themselves scrambling to meet the first 404 deadline–even with the Securities and Exchange Commission's decision to push the compliance date out five months to Nov. 15. The initial step in compliance, documenting their controls, has proved to be much more work than companies expected, and many have decided to stick with systems and controls they already have in place rather than attempt major automation or consolidation at the eleventh hour.