Everyone knew that compliance with Section 404 of the Sarbanes-Oxley Act was never meant to be a one-time event. But as hard as it was making it through the first review of internal controls, the painful truth for many companies is that success in year one does not make getting through year two and beyond a slam dunk. In fact, for most companies, it will require embracing technology and a different focus on process and policy.

Many of the ways companies got by in 2004 just won't cut it for the long haul. It was common practice to "borrow" resources (the human kind) from one department to fill holes in companywide compliance efforts, a situation that led to confusing lines of responsibility and uneven workloads. It was also true that some companies, driven by the need to get a passing grade on controls, documented and tested far more processes than was necessary. For others, decisions on whether to buy the latest data collection tools were put off until first-year deadlines were met. So now is the time for a critical reassessment, with the goal of paving the way for a more sustainable program that can reveal where the real efficiencies lie. To help clarify the way toward longer-term compliance efforts, here are some of the most important issues that separate year-two compliance efforts from what came before.

1. 404 IS A PROCESS, NOT A PROJECT