This time, the venerable agency granted so-called "accelerated filers" a decelerated 45 extra days to report on internal controls over their financial reporting. The extension is meant to give these companies a little more breathing room to write the report—not to complete the actual audit (that deadline passed on Nov. 15)—explains META Group Inc. Vice President Stan Lepeak. "It's a recognition that proving compliance is very difficult, and that the regulators have been very vague in how to show that," he says.

But for those who think this indicates a material weakness on the part of the SEC to enforce SOX, think again: The commission has launched its first formal SOX prosecution case against HealthSouth Corp. founder Richard Scrushy. Scrushy is already under indictment for 85 criminal counts, ranging from fraud to money laundering (including overstating his company's earnings by $2.7 billion), and, if convicted, he could receive a sentence of life in prison and $36 million in fines. Furthermore, Scrushy's challenge that Sarbanes-Oxley is unconstitutionally vague was rejected by a federal judge on Dec. 3—a good indication that more indictments are likely.

Scrushy's case, however, is comparable in its complexity to those of executives at Enron and Tyco, and should not be considered typical of the SEC's early efforts to enforce Sarbanes-Oxley. But Lepeak warns companies that the SEC isn't just going after the big fish, and that it will pursue compliance through a variety of methods.

Lepeak adds that SEC scrutiny isn't the only consequence companies should be worried about with regard to SOX. Some companies are requiring their vendors to be SOX- compliant before they sign agreements, and states such as California are mulling legislation that would bar noncompliant companies from supplying goods and services to the state government. Over time, he warns, companies will acquire reputations based on their track record on SOX compliance, and that could affect their ability to conduct business.

test