
Compliance: What about the Spreadsheets?


By Garth Landers
Director, Strategic Solutions
Mobius

If you use spreadsheets to make critical business decisions and produce financial reports, you're probably in trouble - and don't even know it. But you're not alone.

Every day, spreadsheet users are producing, revising, sharing and aggregating critical financial data in decentralized networks all over the world. Even with vast armies of staff diligently checking and rechecking spreadsheets to catch elusive errors, it's a virtual certainty that some will be missed. Studies have found that the probability of serious errors in complex spreadsheets approaches 100%. And the reality is that most enterprises don't have vast armies to review spreadsheets. In fact, in a recipe for disaster, most spreadsheets are reviewed by the same people that created them.

The stakes are high. Sarbanes-Oxley legislation and the risks of non-compliance are powerful motivators for executives to take the time to educate themselves about the far-reaching consequences of spreadsheet errors and to learn about best practices in spreadsheet management and control. An error resulting in a material weakness and a restatement of earnings can lead to stiff penalties, lawsuits, tumbling share value, loss of investor confidence, damaged reputations, adverse press coverage, and ruined careers.

What Are the Implications of Sarbanes-Oxley?
Simply keeping up with (and absorbing the costs of) ever-increasing compliance requirements has confounded even the most sophisticated organizations. But even with the complexity of multiple laws, policies and regulations, one straightforward principle can go a long way to ensuring smooth sailing through rough compliance waters: Just make certain everything is right. Large, centralized systems, such as general accounting systems, contain internal checks and balances and are subject to rigorous security and auditing controls under IT's jurisdiction. But the ubiquitous spreadsheet, used by as many as 95% of U.S. companies for financial reporting, receives no such attention.

The Sarbanes-Oxley Act has forced companies to examine the role spreadsheets play in their financial reporting processes as well as the financial decisions based on the use of spreadsheets, such as forecasting. Section 404: Management of Internal Controls has the most impact on the day-to-day lives of CFOs and CIOs. Section 404 requires management to establish and maintain adequate internal controls and procedures for financial reporting and to assess the effectiveness of those controls.

It sounds simple. But the internal controls for the spreadsheets that collect and consolidate data for planning, budgeting and reporting are weak at best. Spreadsheets are, by definition, handled manually and prone to human error. Regardless of how well-defined and well-documented the rules that produce and input the data are, once it is imported into a spreadsheet, control is lost and, with it, the ability to ensure accuracy. Without policies and procedures to audit the changes that occur over the life of the spreadsheet, your company is at risk. Left unchecked, the resulting errors can cause major damage.

"A spreadsheet error at a major financial institution was deemed a significant factor in a $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process - an unapproved change to a formula within the spreadsheet..."

"A utilities company took a $24 million charge to earnings after a spreadsheet error - a simple mistake in cutting and pasting - resulted in an erroneous bid..."

PricewaterhouseCoopers, "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act," July 2004

How Are Spreadsheets Managed?
Whatever their potential for serious and frequent errors, spreadsheets are here to stay. Eliminating their use is seldom a viable option. Since their introduction in the 1980s, spreadsheet usage has exploded - Microsoft estimates that there are 400 million users of its Office suite, which includes the now-dominant Excel spreadsheet program - and their utilization in the organization has become more entrenched and mission-critical. So with spreadsheets as one of the most likely points of failure in Sarbanes-Oxley compliance, how can the organization ensure their accuracy?

Some do it the old-fashioned way - by deploying a small army of people to check and re-check spreadsheets and to find the one cell among thousands that holds the potential for disaster. This approach is a short-term - and expensive - fix at best, considering the costs of additional labor and the time and effort involved. The manual effort and the risks multiply exponentially when spreadsheet roll-ups are considered. Take the example of a company whose annual planning process required rolling up data from 1,200 Excel spreadsheets - one for each cost center. On average, it was a six-to-eight-week process each year just to get all the errors worked out. Manual detection and correction may produce accurate data, but it's an expensive, time-consuming way to get the job done.

Clearly, spreadsheets are an enterprise resource. But are they managed as one? Do they get the same level of dedicated resources and controls as other mission-critical applications and infrastructure? Not even close. From an IT perspective, spreadsheets are easy to manage. They are easy to install, reliable and require little administration. But IT is not responsible for bad data entered into or flowing out of spreadsheets into other systems. How about authoring? Security? Auditing? The bottom line is that most organizations have few management controls around spreadsheet usage and those that do are expending enormous time and resources on manual processes. Uncertainty and risk are the byproducts of the lack of spreadsheet controls.

Automating Spreadsheet Management
The solution is to automate the management of spreadsheets throughout their lifecycles. A robust spreadsheet management solution will provide automated capabilities for version control, security, change management and a collaborative review-and-approval process. An effective automated solution will dramatically reduce the costs of eliminating errors and restore confidence in financial reporting by ensuring that spreadsheets are properly controlled, accessed and manipulated.

In evaluating spreadsheet management systems, there are several key capabilities to look for:

• Make the process easy for preparers and reviewers: Financial professionals are comfortable with spreadsheets. Don't try to change their working environment. Look for a solution in which the user continues to work almost entirely in Excel, with tracking and management functions taking place in the background.

• Make the practice of creating and authoring spreadsheets systematic and repeatable: Many spreadsheet users work with the same spreadsheet, month after month, quarter after quarter, sometimes year after year. Key data is often overwritten or zeroed out with no audit trail. An ideal solution will use templates that enable either automatic or manual deletion of variable data and retain fixed or static fields.

• Ensure secure user access: Users should have access to mission-critical spreadsheets based on their permissions and editing privileges. In addition to system and document-level security, you need password-protected selective cell locking so key fields, such as formulas, cannot be changed.

• Provide change and version control: In a regulated environment, it is critical to be able to track changes from version to version - who made the change, when, the precise nature of the change, and the reason. Your system should automatically log the date and time of each edit, prevent users from disabling the tracking feature and make the log easily searchable so you can quickly identify changes in cells or formulas.

• Automate the review-and-approval process: An effective spreadsheet management system should eliminate the error-prone e-mail review process used in many organizations by providing a secure repository and a process in which multiple people can review a spreadsheet but only a single person can approve or reject a particular version. All reviews, approvals and comments should be tracked in the audit log and further changes should be prevented once a version is approved.

• Store essential spreadsheets as business records: When final, you must be able to provide retention management for spreadsheets that have to be retained as critical business records, ensuring their availability and protection from tampering.

Many of these capabilities have manual counterparts. But manual controls undermine the enterprise's primary business activities, require too much additional labor and are not feasible in the long term. Effectively automating spreadsheet management will enhance reporting accuracy, enable a sustainable compliance process, improve the productivity of the reporting cycle and reduce the costs of auditing and certification.



Garth Landers is Director, Strategic Solutions at Mobius Management Systems, Inc.

Garth Landers joined Mobius in 2003 after five years as a research analyst at Gartner, Inc. His responsibilities at Mobius include driving market strategy for enterprise archiving, records management and compliance solutions.




