James Gaskin helps small offices get the most out of technology
Thanks again, Enron and other fraudsters, for goading Congress into "helping" businesses manage themselves. Our complaints about the onerous new requirements have been drowned out by the cheers of consultants waving SOX regulations at corporate purchasing agents.
First, the good news. Sumit Pal, Executive Vice President of WithumSmith + Brown Global Assurance, says "smaller companies -- even public ones, i.e. non-accelerated filers -- have not been subject to SOX yet." In fact, the deadline for compliance just got extended from July to December, according to "SEC Extends SOX deadlines for smaller companies." (Read it straight from the SEC here.)
Smaller is relative in the SOX-world. Small here means public companies with less than $75 million in public stock outstanding. But even if you are nowhere near that large, following some of the current SOX compliance guidelines will improve your business.
I asked Pal what types of problems crop up during SOX audits. One problem is "lack of identifying key spreadsheets and creating adequate controls," he says. "Small businesses rely heavily on spreadsheets for the financial reporting processes, so it is critical from the compliance perspective to protect these spreadsheets from possible unauthorized changes. Simple controls can range from restricted access, password controls and protection for formulas."
Spreadsheets controlled by one person escape normal checks and balances. Everyone needs someone watching their work, at least now and then. If not, bad things happen, either by accident or on purpose. SOX comes into the equation when you need to ensure that audited spreadsheets don't change after being certified. Spreadsheets don't have auditing controls and lockable reports. Many low-end business accounting packages don't, either.
If your accountant or auditor says critical financial information kept in spreadsheets doesn't raise eyebrows, you might need a new accountant or auditor. If you manage departments tracking money through spreadsheets rather than "real" accounting programs, keep your eyes open and your paranoia engaged.
Another SOX issue Pal cites concerns how poorly smaller companies keep jobs separated. Small IT groups work together on projects. While typical, this doesn't leave anyone in the IT department able to objectively examine a finished project and audit it properly. If you have eight people in two teams, one team can "check the work" of the other team. If you only have four people and they all work on the project, there's no one left to check afterwards. This allows mistakes to go uncaught, and will cause your SOX auditor to frown and grumble.
James Gaskin writes books (16 so far), articles and jokes about technology and real life from his home office in the Dallas area.