This summer, CFO.com reported that many companies were falling behind in their preparations for Section 404 of the Sarbanes-Oxley Act. (See “No Vacation from Section 404 Prep Work.”) Section 404 — which will guide how auditors report on companies’ assessments of their internal controls — becomes effective with companies’ first fiscal year ending after November 15.

Less than two weeks before that date, however, many companies are apparently still unprepared. PricewaterhouseCoopers and Ernst & Young recently warned a number of clients that they remain behind schedule and might be required to report control weaknesses at the end of this year, according to The Washington Post.

Neither companies nor auditors want to violate a critical provision of Sarbanes-Oxley, of course — but there’s more at stake for everyone involved.

Auditors also don’t want to run afoul of the Public Company Accounting Oversight Board, which will itself audit all of the major accounting firms each year. Ironically, though that’s led to increased communication between auditors and top executives, the content of these conversations has become much more restricted. (See “Can We Talk?“)

As for companies, there’s also the feeling that investors will punish those businesses that aren’t in full compliance with 404. In a report to clients released this week, Bear Stearns wrote that investors ordinarily should demand a higher risk premium for companies with ineffective or deficient internal controls, which “heighten the probability” that accounting irregularities exist.

Bear Stearns also wrote that it expects companies with deficient internal controls to be subject to heightened regulatory scrutiny. However, it added, “ineffective internal controls would likely not prevent registered stock or debt offerings,” and “there do not appear to be any immediate fines or penalties in connection with ineffective internal controls.”