Ingersoll-Rand started to work on compliance in March 2003, a full two months before the Securities and Exchange Commission made the rule official. Ingersoll-Rand began by creating a Sarbanes-Oxley management task force comprised of 15 people including high-level executives, managers and representatives from PricewaterhouseCoopers, its independent auditor.

Making sure the company's books are in order is something Fletcher and the rest of the accounting and auditing departments are used to managing with meticulous precision. But alleged fraud committed by executives at Enron, Adelphia and WorldCom prompted sec regulators to force about 300 companies with market capitalizations of more than $75 million, including Ingersoll-Rand, to document the internal controls used to create financial reports. Companies must have this additional report filed with their 2004 annual report.

The internal-control report assesses the control structure and procedures used at each step of the financial reporting process. The idea is that an independent auditor can now drill down from any piece of information in a financial report, such as sales, profits and expenses, and track each individual component all the way back to the original transaction, payment and employee who contributed to the final totals. In the end, the outside auditor will issue separate statements attesting to both the company's general ledger and its control processes.

The sec believes this report will restore investor confidence not only in the numbers but the process by which the numbers are generated, largely eliminating the opportunity for one person or a small group of people to doctor financial reports.

Failure to comply with this requirement won't result in any fines or criminal penalties—at least not yet. But a qualified opinion, essentially a no-confidence vote from the auditor, could be reason enough for investors to sell their shares or not purchase shares in the future.

More threatening, Ingersoll-Rand's CEO, Herbert Henkel, like any ceo, could be fined up to $5 million and sentenced to as many as 20 years in prison if he signed off on a financial report that was accidentally or deliberately misleading or incorrect.

Identifying the different processes used within a company that reported sales of $9.9 billion last year is no small undertaking, and one that couldn't be accomplished by simply installing another piece of software.

Fletcher says "almost everyone" at Ingersoll-Rand played some role in the compliance process. The biggest difficulties were the simple things such as identifying who was responsible for the sales reports from specific units and regions. Also, the challenge of organizing the compliance project required the attention of everyone in the organization, from the ceo to the field sales representatives.

While 175 employees were appointed as Sarbanes-Oxley coordinators, those workers required assistance from the people working below them to gather and disseminate information.

As if that weren't enough, Ingersoll-Rand had to simultaneously collect this detailed financial snapshot to the satisfaction of its independent auditor while managing its day-to-day business operations and ongoing information-technology projects.

And it's expensive.

According to Financial Executives International, a professional association of controllers, cfos and treasurers based in Florham Park, N.J., public companies with annual sales of more than $2.5 billion will spend more than $3 million to comply with the regulation.

AMR Research analyst John Hagerty estimates companies will spend roughly $1 million for every $1 billion in sales to be Sarbanes-Oxley-compliant. If Hagerty is right, this would cost Ingersoll-Rand nearly $10 million.

Gartner analyst Lane Leskela says companies affected by the new requirement, roughly the top 270 of the Fortune 500, are taking different approaches to comply. "There's no blueprint for this, so everyone's just feeling it out as they go along," he says.

A Gartner study found that two-thirds of the Fortune 500 companies have or will invest in software to help them meet the requirement. Most of the companies surveyed said they'd spend the money on document management, financial reporting and transaction software. "Much of this data and these processes come out of critical systems such as erp (enterprise resource planning) or financials," Leskela says. "So we're seeing a lot of companies go through a phase of rush or panic to find point solutions."

Fletcher declined to say exactly how much the Sarbanes-Oxley compliance project has cost Ingersoll-Rand so far, saying only that "it's a lot of money, especially if you add up all the time that everyone in this company has spent" on it.

Ingersoll-Rand began its feeling-out process with two objectives: identify the best route to meet the sec requirement, and do it in a way that would also create some sort of ancillary value.

"It's something you have to do and it takes a lot of time, so you want to try to get something else out of it," Fletcher says. "We don't have any metrics to prove it. But we are learning our processes better."

With the management team assembled, the audit services department laid out the groundwork for this corporate process-mapping project by creating what it called a control activity form. These forms, about 100 for the entire company, were distributed throughout the organization in the U.S. and abroad.

Ingersoll-Rand's activity forms were generic templates that allowed managers to first identify and define a process that was to be in control. For example, an accounts-payable manager would identify paying a bill to a materials supplier as a process. The definition would be how the bill was paid. Then, the forms required an assessment of the risks involved with the process. In this case, the main "risk" might have been the person authorizing the payment.

Next, the managers needed to outline how Ingersoll-Rand would mitigate the risk. In this scenario, it would require a supervisor's approval on any payment above $10,000. Another safeguard would be a requirement that the person authorizing the payment could not be the same person requesting payment.

Finally, the form asked for the process to be tested. The accounts-payable clerk and the supervisor would run through the process of creating, validating and approving a payment to a supplier. At the end, the check would be cut.

These forms were distributed electronically in Microsoft Word format to 175 sites throughout the organization. At each site, a Sarbanes-Oxley coordinator, usually a manager for a specific department, unit or region, would complete the form and then electronically file it in the company's Internal Controls Workbench (icw) software.

The icw software, developed by Pricewaterhouse-Coopers, is basically a repository for all Sarbanes-Oxley-related information at Ingersoll-Rand. pwc developed the software years ago for companies to keep close tabs on their internal controls, long before the sec required it.

But this is not a dynamic application. icw is a static collection of forms organized in a way that makes it accessible to both Ingersoll-Rand employees who participated in the compliance process and its independent auditor. This collection of information will be the first stop for the auditor at year-end.

Fletcher says the company set up a corporate intranet solely for the compliance endeavor. At any time, a member of the supervising Sarbanes-Oxley management team, or a coordinator who completed a form, could access the data to review it for accuracy or update it.

New procedures were implemented or refined as a result of the compliance process. For example, large orders of locks or refrigeration units that were delivered in separate shipments are now recorded for the month or quarter in which they're actually shipped, rather than lumping the whole order into one time period. Department heads now upload the pricing file for products to the erp system on a daily or weekly basis.

Every coordinator—be it the sales manager responsible for selling the popular Bobcat excavation vehicles to dealerships, or the accounts-payable manager in the company's Schlage lock division—had six months to complete the activity form.

Finally, the executive management team reviews the compiled forms and tests the processes outlined to make sure they're in control. Once the fiscal year concludes in December, this information will be presented to the independent auditor to sign off on the control report.

Fletcher and his team won't really know if the project has been successful until the independent auditor reviews the internal controls and renders an opinion based on how complete and accurate they are, using generally accepted accounting principals (gaap) as a guide.

On the bright side, Fletcher says that by accurately documenting these processes, the company was able to identify tasks that were being duplicated or performed incorrectly, or not performed at all. He wouldn't comment on specifics, saying it was "basic stuff, the blocking and tackling of the company."

Going through this compliance process also reinforced Ingersoll-Rand's commitment to a major Oracle 11i upgrade for its customer-relationship management and enterprise resource planning software systems. Along with Oracle, the company also has large installations of software from SAP, Baan and Mfg/Pro, thanks to a spate of acquisitions over the past five years.

Complying with Section 404 "provides a powerful incentive to increase the speed of migrating from [old] systems to modern technologies like Oracle that will assist us in growing our business," Fletcher says.

Meanwhile, the new government regulations have resulted in a whole new fertile field of software applications, giving companies more options and confusion to wade through.

Companies such as Open Pages, a Waltham, Mass.-based software developer that acquired pwc's icw software earlier this year, along with Cokato, Minn.-based Paisley Consulting and Axentis of Warrensville Heights, Ohio, have developed automated Sarbanes-Oxley compliance software in the hopes of cashing in on the sec's new rules.

"There are at least 98 vendors out there with some sort of automated solution," says Gartner's Leskela. "Some will just stack right on top of your financial modules or your erp, or even your supply chain software. Vendors in erp, database management and risk management are now developing compliance applications that kind of glom onto their applications."

For now, Fletcher and Ingersoll-Rand can only finish up the last round of tests to the company's internal controls and await the auditor's review, knowing this is only the first of what will soon be many Sarbanes-Oxley-related deadlines.

"The fear, obviously, is that the external auditor doesn't reach the same conclusion you have," Fletcher says. "Right now, [the regulatory guidelines for auditors] are wishy-washy. The bottom line is that if the ceo wants to rip off the company, he can and will no matter how many controls or regulations exist."