Manufacturers don't have much time left. Not much time left, that is, to comply with some additional and particularly complex requirements of the Sarbanes-Oxley Act, the 2002 law aimed at changing the way U.S. industry accounts for itself in the wake of the corporate scandals of the first couple years of this decade. Management consultants and software providers, eager to capitalize on new market opportunities, have been sounding alarms for about a year, warning manufacturers and other businesses of imminent compliance deadlines and unprepared corporate staffs and, not surprisingly, offering their assistance. Actually, large publicly traded companies now have until Nov. 15 of this year, not June 15, to begin certifying the adequacy of their internal accounting controls and processes, including IT systems, in their annual reports. Smaller U.S. companies and foreign firms now will have to comply with the so-called Section 404 financial reporting certification beginning June 15, not April 15, of next year. Reason for the delayed deadlines: The Public Company Oversight Board created by the law took longer than anticipated to turn draft compliance rules into final rules. In the meantime, many companies have found prospective compliance to be more involved than they first anticipated. For example, PricewaterhouseCoopers (PwC) says nearly 75% of 54 company Sarbanes-Oxley project leaders attending a compliance conference in late January reported significantly more-than-expected work required to comply with Section 404. No wonder. First, starting at the individual account level, companies have to figure out which of their internal controls over financial reporting must be included in the certification process, explains Los Angeles-based Lynn W. Edelson, PwC's U.S. leader for systems and process assurance. After the first step, companies must successively document all significant transactions, evaluate financial controls over the transactions and test the operating effectiveness of their controls. In effect, companies asserting they have good controls over the ways they handle financial reports must leave a paper or electronic media trail that allows an outsider to easily see that is the case. "Management has always been responsible for internal controls over financial reporting," explains Edelson. "The difference now is that there's a much more stringent requirement for evidence that they have done so," she emphasizes. "They may have had an informal internal control structure and that would have been O.K. But now they've got to prove that to their external auditor and the regulators."