Can Tech Untangle Sarbanes-Oxley?

Silicon Valley sure hopes so. After years of stagnant sales, hardware and software firms see gold in the regulatory chaos created by the act. And unlike Y2K, says one tech CEO, this time there's no end.

By Ellen Florian; Reporter Associate: Doris Burke

(FORTUNE Magazine) – Eugene Munson's life just got a lot smaller. As a financial manager in Procter & Gamble's fabric and home-care business, he used to track sales and analyze coupon effectiveness for the likes of Downy and Tide. Then, in March, the consumer goods giant tapped him to make sure the company was compliant with section 404 of the Sarbanes-Oxley Act--a tiny, 163-word nugget of the year-old corporate-watchdog law. And while Munson's job just became global in scope, he's now immersed in minutiae.

Working with P&G managers worldwide, Munson spends his days studying their internal controls--the thousands of checks and balances used to track and monitor every financial transaction at the company. He and his team provide the framework for making sure every part of P&G is defining their controls, documenting them, and ensuring that every dollar that comes or goes is properly tagged. His process needs to work as well for the CFO as it does for Betty in accounts receivable. When problems arise, P&G's system must document what happened, explain how it was resolved, and provide a plan to prevent it in the future. Munson needs the system to work worldwide, work perfectly, and be in place by mid-March. There is no precedent and no room for error. Sometimes he calls his 404 counterpart at General Electric or General Motors to gain perspective or, frequently, just to ask for help. "This isn't an area of competitive advantage," he says. "We're all in the same boat."

Compliance officers' cries have found eager ears. Software and hardware suppliers, ailing from three years' worth of flat or, in some cases, falling sales, are seeing a chance at growth thanks to Sarbanes-Oxley. The 66-page act encompasses 11 parts and 66 sections chock full of obscure and sometimes overlapping rules. It is chaotic and demanding--just the kind of environment that sends panicky executives into the arms of tech companies that promise simpler, digital solutions. Even better, Sarbanes-Oxley has stiff penalties, tight deadlines, and no end. "This is not Y2K," says Michael Duffy, CEO of software compliance firm OpenPages, referring to the millennium-end fear of computer failure that forced companies to invest heavily in new or improved IT. "This is not a one-time thing. Companies will have to comply in perpetuity. We intend to ride that wave."

The water's going to be crowded. Since the act passed in July 2002, at least 50 software companies have declared that they have a possible Sarbanes-Oxley salve. Terry Hickman oversees the technical aspects of P&G's Sarbanes-Oxley work. In April he started mapping out P&G's software needs--over a dozen companies appeared to meet his demands. (He went with enterprise software maker Movaris's Certainty product, which launched in early September.) This year alone, companies will spend $2.5 billion on Sarbanes-Oxley compliance projects, according to technology advisory firm AMR Research. The early winners in this bonanza are auditors, consultants, and financial employees, all of whom have just gained a huge measure of job security. But the role of software and hardware is expected to keep growing. In a survey of companies with more than $1 billion in annual sales, research firm Forrester found that almost two-thirds planned to raise their spending on financial applications by an average of 20% over the next two years. That's a huge jump in a period when CIOs are practically begging for spare change outside the CFO's office.

Sarbanes-Oxley may become the software industry's full-employment act, but it was intended to do much more. The most sweeping securities legislation since the 1930s, the law aims to restore investor confidence by giving government more power to punish corporate malfeasance. It established a watchdog--the Public Company Accounting Oversight Board, which has the power to sanction accounting firms--and prescribes tough penalties for wrongdoing: up to 20 years in prison, for example, for destroying, falsifying, or altering records in federal investigations. Even more details are being worked out by the Securities and Exchange Commission. With some deadlines for compliance still to come, and with parts of the law sure to be tested in court, years will pass before corporations realize the full impact of the act.

In the meantime, companies are dealing with the sections one by one. Make that 302, by 404, by 409. Last year corporate nightmares centered on section 302, which forces both the CEO and the CFO to sign off on the veracity of the company's financial statements. Today's headaches involve section 404. Although every medium- to mammoth-sized company has financial controls, some may be written in stone while others reside in the heads or on the PCs of people who perform them. Now companies are required to document those controls in excruciating detail and create a system that monitors whether the controls are being met--one that management and auditors can both sign off on annually. Considering how many financial transactions may occur in any given day at a typical multinational corporation, affirming that controls have been done properly is a Herculean challenge. "We never had to prove to any non-P&G group that our internal controls were in place," says Munson. "Though a lot of this isn't new, it was scattered."

Unearthing the necessary information is the corporate equivalent of coal mining: a job that involves heavy digging and little fun and one that is incredibly labor-intensive. At Commerzbank's main U.S. branch in New York, the German company has six people working full-time documenting controls. Insurance giant MetLife is budgeting 45,000 man-hours for its 2003 Sarbanes-Oxley compliance project. Tesoro Petroleum expects to devote somewhere between 50,000 and 60,000 man-hours to compliance this year. The company is lucky to have that much time. The original rules required companies to be 404ed by their first fiscal year ending on or after Sept. 15, 2003. At the end of May, the SEC granted companies a reprieve, extending the deadline to the first fiscal year ending on or after June 15, 2004. "That was a major turning point from an unrealistic goal to one that we were comfortable that we could do," says Tesoro CIO Mark Evans.

Even with the extended deadlines, companies are desperate to find ways to get their workers back to their day jobs. And that's where the tech vendors come in. While all promise to ease the regulatory pain, small to medium-sized software companies have been the quickest to declare themselves as Sarbanes-Oxley saviors--no surprise considering that they have been the hardest hit by the downturn in corporate IT buying. Nth Orbit was founded in 2001 as a risk-management software company. In May it launched compliance product Certus; now it expects Sarbanes-Oxley to account for 100% of its revenues. OpenPages, which started in 1996 as a business-process automation firm, also became a convert; its Sarbanes-Oxley Express software should bring in 80% of its sales this year.

For other companies, Sarbanes-Oxley is a chance to dust off long-in-the-tooth applications or to expand the focus of narrowly targeted products. SAS, the largest private software company in the U.S., created SAS Drug Development in 2001 for pharmaceutical companies to track their wares through FDA compliance. Now it's touted as perfect for monitoring Sarbanes-Oxley demands. EMC once sold its Centera storage device as ideal for, say, hospitals that wanted to store X-rays; now the company is declaring that Centera's "compliance edition" can do the same for e-mail and other regulatory accretion. For business-intelligence provider Hyperion, Sarbanes-Oxley offers the chance to drive new sales for its two-year-old Hyperion Financial Management product. "Many customers are on our older product set," says Michael Malwitz, senior manager of product marketing. "We want them to see the value of this product, and [Sarbanes-Oxley] is one of the things to make them look and maybe upgrade."

In perhaps the surest sign that there is a market to be made in regulatory software, the biggest players in enterprise software have all declared war. Oracle has whipped up an addition to its E-Business Suite targeted for Sarbanes-Oxley work. Archcompetitor and acquisition target PeopleSoft is promoting its Investor Portal, which provides a dashboard for CFOs to monitor their controls. IBM has its offerings, and even Microsoft is rumored to be getting in. SAP is set to release a "whistleblower portal"--a website allowing confidential tattling by employees who want to report fraud to the general counsel, for instance. And like the kid who brags he's having pony rides at his party, SAP recently announced that the keynote speaker at its November Sarbanes-Oxley conference will be none other than Congressman Michael Oxley. The tacit hope among all these tech players: that any company signing on for Sarbanes-Oxley will stick around for a full makeover. "The interest isn't so much extra money as it is big deals to overhaul financial systems," says Henry Morris, an analyst at research firm IDC.

With all the products just now reaching the market, one question remains: Is any of this really necessary? Many analysts aren't so sure. "Sarbanes-Oxley is sort of like legislating how to brush your teeth," says Rebecca Wettemann, an analyst with tech advisory firm Nucleus Research. "You should be doing it anyway. If you haven't been doing it, you have a much bigger problem. Anyway, you probably have a toothbrush lying around somewhere. So before investing in a million-dollar toothbrush, take a look in the medicine cabinet and see what you already have."

At Tesoro Petroleum, CIO Evans won't be purchasing Sarbanes-Oxley compliance software this year. Plenty of salespeople came calling, but he decided he didn't need their help. "I did a little kicking of the tires," Evans says. "Nothing jumped out to persuade me that I needed additional tools." Instead he is taking his existing business-process automation software, created by a small software firm named Fuego, and learning to retool the program--for minimal consulting fees--to meet his Sarbanes-Oxley needs.

"If someone comes up to you and tries to tell you that you have to buy this to become compliant, my advice is not to let them in the front door," says Rich Mogull, an analyst at tech research firm Gartner, arguing that the tools need to evolve more to address compliance in general and not just the Sarbanes-Oxley Act. He advises companies to bring in auditors first. As he points out: "Sarbanes-Oxley has no technology requirement."

Sure, says Paul Rosenblum, Movaris's VP of marketing, there's nothing wrong with complying manually: "But if you're using guys with clipboards, you'll need a lot of them to go around making sure people do what they have to do."

Eugene Munson doesn't worry that he purchased Movaris's Certainty product too soon. P&G is one of the companies that didn't gain a single minute when the SEC extended the 404 deadline. Its fiscal year ends in June, so instead of being one of the last companies that must pass 404 muster and learning from those that have gone before, it will be blazing the trail. It can't afford to wait or to pull out the clipboards. "This is a pass/fail kind of thing, and failure is not an option," he says.
