Sarbanes-Oxley Compliance & Enterprise Spreadsheet Risk Management Solutions

Pioneering Market Leader in providing a complete range of Spreadsheet Control and Compliance solutions.
ComplianceHome: SOX Products & Services

Top 10 Compliance Spreadsheet Risks and How to Avoid Them – PART 1

One of the biggest threats to compliance isnâ??t your employees or hackers, but a trusted tool: the spreadsheet. It is unstructured, untracked, and unsecured.  Learn to recognize top spreadsheet risks and what you can do to reduce them.

Compliance experts estimate that 80 percent of enterprises use spreadsheets to support critical business functions. For example, in one Deloitte survey of 800 financial professionals, 88 percent said their firms “use spreadsheets of material importance in financial reporting.” At the same time, however, research suggests the typical spreadsheet has a 2 to 5 percent error rate.

As a result, spreadsheets are one of the biggest compliance risks facing regulated companies. Indeed, despite their prevalent use, the life of the average spreadsheet is unstructured, untracked, insecure, and potentially just inaccurate. Learn how to pre-emptively control challenges that can run afoul of Sarbanes-Oxley (SOX), Basel II, or numerous other laws which regulate the integrity of financial processes.

Bet on auditors wanting to see all spreadsheets relating to your companyâ??s financial reporting practices. Will your rows and columns pass compliance muster? To help mitigate the regulatory risks posed by spreadsheets, consider these 10 tips.

1: Acknowledge Spreadsheetsâ?? Programming Power

One issue with spreadsheets is theyâ??re simply so powerful.  The spreadsheet problem is largely due to the fact that weâ??ve given a programming language to a non-IT user without any development environment-type oversight or safeguards.  Theyâ??ve become the programmer, tester and the user – so youâ??ve just lost all objectivity. Whoâ??s going to detect the errors in that spreadsheet?

2: Expect Errors

The average spreadsheet contains a substantial number of errors Human error research indicates that for things about as complex as creating a spreadsheet formula, the error rate floor is about 2 percent to 5 percent. The reason: people tend to take shortcuts when doing math, and these shortcuts often produce errors. Regarding automation, please see tip number eight. On a related note, spreadsheet novices are three times as likely as experts to make mistakes.

Few companies, however, test for spreadsheet errors or outright fraud, preferring instead to eyeball resultsâ??often with predictable consequences. For example, one software developer may use two 15,000-cell Excel spreadsheets to project the market for its products, with figures rounded to whole numbers. Yet another user may inadvertently round the modifier for inflation down say from 1.06 to 1, consequently resulting in a market undervaluation. Such an error would obviously qualify as a material weakness.

3: Manage Spreadsheet Changes

One solution: donâ??t prohibit spreadsheet use, but rather identify which spreadsheets handle critical business functions, and then implement controls to ensure their integrity and accuracy, and especially to prevent fraud. For starters, apply change management controls to spreadsheets, including sign-offs, a record of all changes and the rationale for every change, plus rollback capabilities. Each spreadsheetâ??s business logic must also be thoroughly vetted, as with any application which handles complex business functions.

4: Beware the Orphans

When auditing spreadsheets, pay particular attention to the orphans: spreadsheets of unknown provenance which today still drive critical business processes. As Arthur C. Clarke wrote, “any sufficiently advanced technology is indistinguishable from magic,” and as anyone whoâ??s ever inherited a spreadsheet knows, some operate if not by magic, then at least through unintuitive logic that might take a lifetime to unravel.

Certainly, the average business user canâ??t be expected to accurately keep a 50-tab Excel workbook current.

5: Consider Versioning Software

The poster child of the spreadsheet world is Microsoft Excel. Until recently, however, software to manage Excel in regulated environments was scant. Beginning with Excel 2007, though, Microsoft itself began offering businesses a way to enforce change management, audit controls, and versioning for Excel spreadsheets. Together with SharePoint Server 2007, companies can even manage spreadsheets centrally and offer role-based access to HTML versions of spreadsheets.

Spreadsheet Risk Management and Compliance

The increasing focus on continuous process improvement, risk management and compliance within financial control functions as a result of the introduction of Sarbanes Oxley and other legislation has identified a potentially critical weakness for many corporates.

The reliance on Spreadsheets for critical financial reporting processes, consolidation, reconciliations, commission calculations, revenue recognition and other finance processes leading up to the release of financial statements is a major risk for many major corporates.

The lack of risk management processes around these Spreadsheets is another major audit and compliance risk.

Recently, a clutch of software companies have launched technological solutions to help organizations tackle the risk involved in the utilization of Spreasheets in critical financial reporting processes. Some have extended the reach of control to include Access Databases too.

What we have seen is a range of solutions, some basic – some very elaborate, that feature a range of activities including federated search, inventory, risk assessment, remediation, secure storage, access control, version control, change management, link migration management, cell by cell auditing and dashboard reporting features.

The leading provider right now is Prodiance Inc. www.prodiance.com a partner of Trintech Inc. www.trintech.com a leading provider of reconciliation, compliance and risk management technologies. Competition comes from Cluster Seven, Finsbury and a clutch of others that have tried and failed to match Prodiance’s lead in the market place.

For more information on Spreadsheet Controls and Risk Management, don’t hesitate to contact me at ted.sparrey@supaworld.com.

Is This the End for Spreadsheet Based Reconciliation Certification, Tracking, Control and Compliance?

Since the well publicised events surrounding the collapse of Barings Bank, Enron, WorldCom, and other high-profile financial disasters – both in the US and internationally – an increasing array of legislation has been put in place to try to mitigate the future risk of a repeat of these catastrophic (in the business context) events.

In the US, the Sarbanes Oxley Act of 2002 demanded a much greater level of accountability for Directors and in the UK, similar demands of business stakeholders were made through the Combined Code on Corporate Governance originally published in 1998 (revised 2003) and in the revised Companies Act 2006.

The result has been a significant increase in corporate cost, both in terms of in-house operational and management costs as well as external Audit, Consultancy and other specialist fees to achieve and maintain compliance. A substantial portion of this cost has been as a result of defining and implementing additional, time-consuming (and often manual), control processes, review structures, and certification processes all geared toward the provision of documentary evidence of control around the processes organisations already had in place. Having achieved compliance first time round, the number of organisations electing to replace these manual control processes with technological, best of breed, process automation and improvement tools has increased significantly. Few more so than in the area of GL account control, reconciliation and certification.

Today, the vast majority of organisations world-wide still rely heavily on (Excel) Spreadsheets to manage this critical process. Spreadsheets are used to accept a download of accounts from the GL; to track responsibility for ownership of the reconciliation and review; to track the completion of the reconciliation, review, and sometimes Approval, of each reconciliation; to track queries (open reconciling items); and to attempt to aggregate the value and categorisation of those open reconciling items for the purposes of assessing materiality.

Specialist (Web-based) tools for the automation of the GL account certification process have been developed (resulting in the elimination of Spreadsheets from the process). These tools are comprehensive, encompassing reconciliation preparation, review/approval, quality assurance testing (Audit), aggregation of open reconciling items, reporting and improved program management. The solutions are starting to make major inroads in helping organisations with thousands (to hundreds of thousands) of GL accounts to finally take complete control of the process – whilst driving real monetary benefit through efficiency and time-saving at the same time as ensuring compliance.

Organisations with a distributed National or International infrastructure are particularly well suited to this type of Web-based technology that provides for global visibility into the status of the reconciliation program.

For more information contact Ted Sparrey.