Thanks again, Enron and other fraudsters, for goading Congress into "helping" businesses manage themselves. Our complaints about the onerous new requirements have been drowned out by the cheers of consultants waving SOX regulations at corporate purchasing agents.
First, the good news. Sumit Pal, Executive Vice President of WithumSmith + Brown Global Assurance, says "smaller companies -- even public ones, i.e. non-accelerated filers -- have not been subject to SOX yet." In fact, the deadline for compliance just got extended from July to December, according to "SEC Extends SOX Deadlines for Smaller Companies." (Read it straight from the SEC here.)
Smaller is relative in the SOX world. Small here means public companies with a public float (the market value of shares held by non-affiliates) under $75 million, the SEC's threshold for non-accelerated filers. But even if you are nowhere near that large, following some of the current SOX compliance guidelines will improve your business.
I asked Pal what types of problems crop up during SOX audits. One problem is "lack of identifying key spreadsheets and creating adequate controls," he says. "Small businesses rely heavily on spreadsheets for the financial reporting processes, so it is critical from the compliance perspective to protect these spreadsheets from possible unauthorized changes. Simple controls can range from restricted access and password controls to protection for formulas."
Spreadsheets controlled by one person escape normal checks and balances. Everyone needs someone watching their work, at least now and then. If not, bad things happen, either by accident or on purpose. SOX comes into the picture when you have to show that a spreadsheet has not changed since it was audited and certified. Spreadsheets have no built-in audit trail or lockable reports: a sheet password discourages casual edits, but nothing records who changed which cell, or when. Many low-end business accounting packages don't record that, either.
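One concrete way to show that a certified spreadsheet has not changed is to record a hash manifest at certification time and verify the files against it later. The script below is an added example written for this page, not code from the article or from WithumSmith + Brown; the file names, directory layout and the HMAC key are assumptions, and the sample files are constructed in a temporary directory so it runs offline. It goes one step past a plain hash list: the manifest itself is tagged with an HMAC under a key the spreadsheet owners do not hold, so someone who changes a figure cannot simply rebuild the manifest to cover the change.

```python
"""Hash-manifest integrity check for certified spreadsheets.

Added example for this page, not code from the article. File names, directory
layout and the HMAC key are assumptions; sample files are constructed inline.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: the key lives with the compliance team, not on the finance share,
# so the people who edit the spreadsheets cannot re-baseline the manifest.
COMPLIANCE_KEY = b"compliance-team-manifest-key"
SPREADSHEET_PATTERNS = ("*.xlsx", "*.xls", "*.csv")


def sha256_of(path: Path) -> str:
    """Stream the file so large workbooks don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each spreadsheet's path (relative to root) to its hash and size."""
    manifest = {}
    for pattern in SPREADSHEET_PATTERNS:
        for p in sorted(root.rglob(pattern)):
            rel = str(p.relative_to(root))
            manifest[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON; a manifest edited after certification fails this check."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify(root: Path, manifest: dict) -> dict:
    """Classify every file as ok, modified, missing or unexpected (present but never certified)."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, rec in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != rec["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    return report


def demo() -> dict:
    """Constructed scenario: certify two files, then tamper with one, add a third,
    and try to hide the tampering by rebuilding the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "q2_revenue.csv").write_text("account,amount\n4000,125000\n")
        (root / "q2_accruals.csv").write_text("account,amount\n2100,8000\n")

        certified = build_manifest(root)
        tag = manifest_tag(certified, COMPLIANCE_KEY)  # stored with the audit record

        # After certification: a figure changes and an uncertified file appears.
        (root / "q2_revenue.csv").write_text("account,amount\n4000,135000\n")
        (root / "q2_bonus.csv").write_text("account,amount\n6100,50000\n")
        report = verify(root, certified)

        # Someone rebuilds the manifest to hide the change; the tag no longer matches.
        forged = build_manifest(root)
        forged_accepted = hmac.compare_digest(tag, manifest_tag(forged, COMPLIANCE_KEY))

        return {
            "report": report,
            "certified_manifest_intact": hmac.compare_digest(
                tag, manifest_tag(certified, COMPLIANCE_KEY)
            ),
            "forged_manifest_accepted": forged_accepted,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest and its tag where the people who edit the spreadsheets cannot write (a compliance share or an attachment on the audit ticket); if both sit on the finance share, whoever changes a number can just re-baseline, and the HMAC is what makes a re-baselined manifest detectable. A matching hash proves "unchanged since certification", not "correct", so this complements restricted access and formula protection rather than replacing them.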
If your accountant or auditor says critical financial information kept in spreadsheets doesn't raise eyebrows, you might need a new accountant or auditor. If you manage departments tracking money through spreadsheets rather than "real" accounting programs, keep your eyes open and your paranoia engaged.
Another SOX issue Pal cites is how poorly smaller companies separate duties. Small IT groups work together on projects. That is typical, but it leaves no one in the IT department able to examine a finished project objectively and audit it properly. If you have eight people in two teams, one team can "check the work" of the other. If you only have four people and they all work on the project, there's no one left to check afterwards. This allows mistakes to go uncaught, and it will cause your SOX auditor to frown and grumble.
Since you can't magically hire another four-person team just for SOX, keep excellent records and history files. At the very least, a compliance team can then follow a transaction log, for instance, when a project gets reviewed.
My favorite SOX problem Pal mentioned was the extra work caused by audits. Smaller companies often don't take the time to work out which SOX requirements actually apply to them, so they wind up auditing and checking every single application for compliance. Larger groups with more experience focus on those IT applications that support the financial reporting processes. This means less documentation during the internal audit phase, and less time spent testing and certifying applications that don't need to be tracked. When engaged in a bureaucratic waste of time, try to waste as little as possible.