Home About Us Services Info& Events Our Customers

Go For The Gold

By Roger Laux

Obviously, in this year of the Bejing Summer Olympics, gold is the best, the standard  which all strive to reach.  The same is true in the Sarbanes Oxley (SOX) arena. The issue of Auditing Standard No. 5 on July 25, 2007, provided more guidance on the internal control audits of  companies and improved the ability to tailor the audit of the company to the company’s size and specific conditions.

What did not change was the need to validate that the company controls were adequate to provide reasonable assurance that the financials were accurately and fairly stated.  Since the advent of SOX in 2002, the quantity and nature of SOX controls have morphed, but one thing has become more and evident.  You can provide a lot of protection (and eliminate a number of peripheral controls) by the effective enforcement of a set of “golden shields”.

On a number of my SOX engagements, we have successfully de-emphasized a number of potentially key controls by referencing a set of over-riding compensating controls (the golden shields).

The “golden shields” we identify are:

  1. Journal Entry Approval – insist that all (ALL) general journal entries (the wild cards in any accounting system) are reviewed and approved by a competent reviewer who is independent of the person preparing the entry.
  2. Account Reconciliations – insist that all balance sheet account reconciliations are reviewed and approved by a competent reviewer who is independent of the person preparing the entry.
  3. Gross Margin Analysis – Set up parameters for acceptable levels of deviation from anticipated gross margins and fully document and explain deviations (good or bad) outside the acceptable levels.
  4. Flux Analysis – Set up parameters (% and/or dollar level) for accepted levels of fluctuations in material financial accounts and document and explain deviations beyond the acceptable fluctuations.
  5. BVA Analysis – This starts with an effective budgeting process.  Then set parameters for acceptable deviations of actual results versus budgets and document and explain deviations outside the acceptable limits.


The most effective verification of the review of the Gross Margin Analysis, Flux Analysis and BVA Analysis is the inclusion of the results (at some summary level) in the quarterly discussions with the Audit Committee.

It may seem like BASIC Controls 101, but it is surprising how many companies cannot effectively prove the consistent application of the above golden shields.  Therein lies the rub.  If you minimize the requirements for other internal controls and hang your hat on the golden shields as compensating controls, failures in the shields can mean control weaknesses and failures in a number of dependent areas.  So, if you go this route, be sure that it is iron-clad.

One last area, if not golden then highly polished silver, is to employ the “we are all in this together” approach to certification.  Only the CEO and CFO are required to sign the 302/404 and 906 certifications that accompany the SEC filings.  However, in a number of companies we have encouraged that financial certifications are signed by key members of the management and sales teams.  These certifications by the signees state that, to the best of their knowledge the financial information as presented is fairly and completely stated, there are no side sales agreements and there are no contingencies not already disclosed.  These certifications do state “to the best of their knowledge” and do not require the signees to completely verify the financial information, and signing them should not be a bone of contention for team members who are operating as honestly and ethically as you expect them to.  Human nature sometimes makes people balk just because.  The real merit in obtaining these certifications is it impresses upon the rest of the management team the importance of operating openly and honestly.  And, it gives the CEO and CFO a bit of a warm fuzzy that when they sign their certifications they are not alone.

SOX will be around, if not indefinitely, well into the foreseeable future.  Simplifying your approach to compliance and arming yourself with some golden shields is not a bad approach to adopt.






Success Stories

Plan for Success:  IT Governance