Firms need a unified strategy to comply with new corporate governance rules including the US Sarbanes-Oxley (SOX) Act, a key part of which comes into effect today, if they want to ensure efficiency and keep down costs, say experts.
SOX will be followed next year by the Operating and Financial Review (OFR), which obliges listed UK firms to publish an analysis of their business risks in their annual reports. The UK's Freedom of Information Act will then come into effect in January, obliging local authorities and government departments to locate and produce requested records promptly.
Firms will have to allocate resources to comply with the new rules, so IT directors should use this as an opportunity to develop best practices and build a framework that can meet a wide range of reporting needs, said Shaun Fothergill, security strategist for software giant Computer Associates.
Eddie Short, head of business intelligence and information management at consultancy Capgemini, said the SOX rules on internal controls would affect many UK firms with close links to US companies, heightening the need for better data management.
"Sarbanes-Oxley is a savage piece of legislation that is designed to crack down on fraud so firms need to ensure they have a single version of the truth in their database and data repositories," said Short. "Most organisations have data cleansing and quality issues, which could make it hard for them to prove they have not acted fraudulently."
Tight integration of legacy apps could help firms to deliver a real-time view of their enterprise for auditing, Short added. "There is also the issue of accurate record-keeping," he emphasised. "It will not be enough to store key data, as firms will have to provide an audit trail to prove that the data is genuine and unchanged."
Craig Olson, vice-president of marketing at IT risk management firm Zantaz, said US-listed firms are worried about the ability of European subsidiaries to comply with the SOX rules. "Many US companies are concerned about unearthing skeletons in their European cupboards," he said.
Meanwhile the European Commission is developing its own equivalent of SOX. It has already submitted four key revisions to the European Union's accounting directives to enhance financial reporting in member states.
Computer Associates' Fothergill said, "Rather than setting up separate committees for each act of compliance, companies should construct a model that gives them a common control environment."
Committees should include input from business, finance and IT staff, said Fothergill. He added that they should refer to best practices such as ITIL, BS 7799, and the US risk framework COSO, which forms the basis of SOX. "It helps to have a graphical user interface like a console that can demonstrate compliance on a daily basis," he added.