I.T. Governance: Overcoming the Triple Threat
By Deborah Gage
2006-06-06
I.T. Governance: Overcoming the Triple Threat - 'Getting Employees in Line' (Page 2 of 4)
NO. 1 CHALLENGE: GETTING ALL EMPLOYEES TO PROPERLY TRACK BUSINESS PROCESSES
Company: Sky Financial Group
Business: A $1.04 billion financial holding company
Regulation: Sarbanes-Oxley
Software solution: OpenPages SOX Express, from OpenPages, Waltham, Mass.
The Sky Financial Group is no stranger to regulation. A $1.04 billion financial holding company headquartered in Bowling Green, Ohio, it operates regional banks, ATMs and insurance agencies throughout the Midwest.
But complying with Sarbanes-Oxley has been different than complying with other mandates, says senior vice president of finance Donald Hileman. The law reaches more deeply into the organization than any other mandate, and it has forced the company to make sure that everybody involved understands how to comply.
Sky Financial's auditors were familiar with Sarbanes-Oxley's idea of internal controls from using a risk management framework created by COSO, a commission sponsored by five U.S. accounting organizations that was formed in 1985 to clean up fraudulent financial reporting. The company was able to use that knowledge to help create controls for the new law, Hileman says. But teaching employees about testing and documenting those controls (creating repeatable, auditable processes so that every loan had the right approval signature, for example) involved extra steps.
For example, one test of a Sarbanes-Oxley control is that a loan has to be signed for by an appropriate supervisor. If auditors pull out a sample of 25 loan transactions and one signature is missing, those signatures can't be used to support the integrity of financial statements.
"Documenting test plans [for controls] was a challenge," Hileman says. "We had to make sure the tests were doing what they were intended to accomplish."
During Sky Financial's first year with Sarbanes-Oxley, auditors worked manually to test business process controls and document test plans. Then the company started automating that work, using management software called SOX Express from OpenPages in Waltham, Mass. The software, which monitors Sky Financial's test plans and test results, has now been running for two annual financial cycles, Hileman says, and it does help employees document controls to make sure the processes that support compliance don't change from quarter to quarter.
OpenPages is a former content management vendor that repositioned its products for Sarbanes-Oxley in 2002. It is upgrading, renaming and repositioning SOX Express again this month to appeal to companies that need to comply with regulations globally, a spokeswoman says. Its software is built on Java and integrates with other applications through a Web services Application Programming Interface. It manages documents, monitors workflow and issues reports. Prices vary. Competitors include IBM, Stellent and Paisley Consulting, but there are no leaders in the field, according to research firm Gartner. So far, Gartner says, compliance technology "remains very much a work in progress."
Having good communication with auditors has been important in getting the company's processes automated, Hileman says. Such relationships can be hard to develop, because Sarbanes-Oxley requires separation between auditors and their clients to avoid gigantic fraud cases like Enron, where auditors were complicit in the fraud. For example, auditors aren't allowed to design controls, although the Public Company Accounting Oversight Board, which inspects public companies for compliance, decided last year that it was OK for auditors to consult with companies on controls.
To keep its auditors well informed and save time, Sky Financial created a walled-off area of its computer system so they can review controls whenever they wish. The system keeps an audit trail of their activities, Hileman points out, and Sky Financial ends up spending less time explaining things to auditors.