The best answer to the question about who leads a company's compliance with the 2002 Sarbanes-Oxley Act's reporting requirements is that it depends on the company. For example, an internal audit group has the responsibility at 37% of companies recently surveyed by PricewaterhouseCoopers. The company's CFO or controller has the responsibility at 31%, an existing task force or work group has it at 23% and new or existing risk-management functions have the responsibility at 16%. (The total adds to more than 100% because multiple responses were allowed.)