Like time-crunched students preparing for a final exam, most insurers approached the first Sarbanes-Oxley compliance audit more intent on making the grade than developing a good understanding of the subject. "In year one, companies really were focused on passing the audit–finding control deficiencies and putting in place new controls, even if they were manual or workarounds," says Sean Kracklauer, who leads the Sarbanes-Oxley research and consulting practice at the Hackett Group, a business process advisory firm and benchmarking group.

It didn't help that some IT departments often were faced with cramming for the exam, once they realized, already into year one, that even though Sarbanes-Oxley was advertised as a law focused on financial controls, it wasn't a finance-only issue. "There are some systems that don't meet the threshold in terms of the overall impact [on financial reports], but there's very little in IT that does not need to be part of the [Sarbanes-Oxley compliance] process," notes John Van Decker, senior vice president and principal research fellow at research firm Robert Frances Group. "IT also represents a significant investment and expenditure for the enterprise, so those IT expenditures also needed to be considered and scrutinized."

However, with the stress of the first exam behind them, companies–unlike college students–are going back to the books. "The second phase [of Sarbanes-Oxley compliance] is to achieve sustainability, and the third phase is using compliance as a lever for change and overall business improvement," says Van Decker. "Companies need to understand how what they've done [for first-year Sarbanes-Oxley compliance] fits into an overall objective. They need to understand what their strategy for IT governance, enterprise governance, and support for compliance will be."