I was somewhat surprised to hear from a client that one of the biggest issues for his organisation in 2005 is compliance with Sarbanes-Oxley (SOX) corporate governance regulations. I had assumed the issues were fairly well understood and were being addressed. But it seems firms are struggling with the day-to-day problems of implementing SOX as an integral part of their processes.
Affected firms recognise the need to comply with SOX, Basel II finance rules and other corporate governance regulations, and now software vendors are launching products to help them.
Competition and variety in the software market is a good thing, but suppliers and potential customers need to be a bit more cautious. I'm not sure everyone understands what compliance is, particularly as it differs for each business. Compliance is not just a case of ticking a box.
Whatever measures are introduced, they have to satisfy an objective externally mandated set of requirements. In particular, you cannot have a compliance product that has weak security.
Compliance is about verification and authentication. Even software vendors who promote security and accountability as key features in their applications sometimes miss the mark.
Security and accountability have to apply from the system administrator down to the end-user and through all stages of the information lifecycle, from the cradle to the grave. If the system administrator is not fully audited, how can you ever prove that he or she hasn't altered the data? As an IT manager I would want the comfort of knowing that I am audited; otherwise the finger of blame will always be pointed at me.
Security and accountability also mean that there have to be checks on the source and accuracy of the data. Both initially and throughout its life, data has to be secured in your systems, and it has to be securely archived. Encryption and access control are an absolute must.
In this minefield of legislation and regulations we find the Data Protection Act waiting to trap the unwary. Firms will have to take a pragmatic, sensible approach, ranking their compliance requirements by importance to the business and then dealing with them in order of priority. It is also possible that some firms will not be able to afford full compliance.
There are quite a few acquisitions taking place at the moment, as smaller firms are being taken over by larger ones. This raises another issue - the need to verify that the acquiring business gains ownership of the intellectual property rights it wants.
Unfortunately, nothing replaces a proper due diligence exercise. It is costly, but if you don't know what you are buying how can you value the business?
Every acquisition brings with it a complete can of worms. I am in the business of sorting these problems out, but I would prefer it if most of them were prevented or known about in the first place. I don't like surprises, particularly when they are costly. As tedious as it is, you simply have to conduct a proper due diligence process.