A Taste Of Success
But the real test for Sarbanes-Oxley is still ahead.
By Jeremy Kahn

(FORTUNE Magazine) – The Securities and Exchange Commission held a small ceremony in late July to commemorate the one-year anniversary of the enactment of the Sarbanes-Oxley Corporate Responsibility Act. That same day SEC chairman William Donaldson gave a speech before the National Press Club in which he hailed Sarbanes-Oxley as the most significant piece of federal securities legislation since the securities laws were first enacted in the 1930s.

Sarbanes-Oxley has improved financial disclosure, forced executives and boards to be more vigilant, ended self-regulation of audit firms, and helped eliminate conflicts of interest in stock research. That said, it's too soon to call it a success.

First off, major elements of the law are only starting to be felt. The new accounting oversight board is still staffing up. Companies don't have to comply with many of the new law's corporate governance provisions--such as the requirement that companies have a fully independent audit committee--until their first annual meeting in 2004. The deadline for some foreign companies is even later: July 31, 2005. Another major provision, which doesn't go into effect until next June, is Section 404, which requires companies to produce an annual report attesting to the strength of their internal financial controls.

Other sections of the act remain ambiguous and have yet to be tested in court. For instance, is the cashless exercise of stock options an illegal loan under Sarbanes-Oxley? Experts disagree. John Bostelman, a lawyer at Sullivan & Cromwell who wrote The Sarbanes-Oxley Deskbook (the bible for securities lawyers), says there are plenty of other gray areas. He notes that the law's criminal fraud provisions make a distinction between a CEO who "knowingly" signs off on inaccurate financial statements and one who does so "willfully and knowingly." The first offense is punishable by up to ten years in jail and $1 million in fines, while the second could land you 20 years and a $5 million fine. What's the difference? Who knows? "It's awfully hard to get your head around," Bostelman says.

Bostelman adds that a CEO or CFO who gets incentive pay tied to company performance can be forced to return the cash if the company restates earnings "due to misconduct." But the law doesn't say what misconduct is. A CEO has yet to give back his bonus, notes the Corporate Library's Paul Hodgson.

Perhaps the biggest unknown is whether the law's benefits will ultimately outweigh its hefty compliance costs. The Johnsson Group, a Chicago consulting firm, estimates Sarbanes-Oxley will add $3 million to $8 million in annual compliance costs for FORTUNE 500 companies. And we probably won't know if the new law actually prevents fraud for some time. As David Hardesty, an accountant who has written a manual about the act, explains, it's mostly at the end of long bull runs, when companies are struggling to meet earnings expectations, that frauds tend to take place. --Jeremy Kahn