The Hidden Risks in Financial Reporting
By Dr. Soheil Saadat, President and CEO, Prodiance Corporation
With over 200 million users worldwide, the Microsoft Excel spreadsheet is perhaps the most ubiquitous analysis and reporting tool on the planet. Business users with little or no programming experience can create powerful and incredibly complex analyses models in Excel. A Google search on the keywords “financial analysis spreadsheet” returns hundreds of results, including free templates for capital budgeting, risk valuation, cash flow, financial projections, option pricing, and break even analysis models. In fact, spreadsheets are being used everyday in businesses across the globe to drive critical business decisions. Yet, with this power and ubiquity comes an inherent risk for a variety of reasons, including.
- Complex spreadsheets inherently contain errors, including possible errors in bottom line financial results
- Many of these critical spreadsheets affect key financial statement accounts, with materiality affecting the financial ledger, regulatory reporting, P&L reporting, and the overall financial reporting process
- Financial spreadsheets are typically managed in uncontrolled user environments including employee PCs, corporate shared drives, and in email attachments – an environment that is absent in traditional IT controls such as access control, version control, change control, archival and backup, overall analytics, and input control
Being Proactive is Key to Success
The need to address these challenges has gained more attention in recent months due to heightened auditor scrutiny, and in several cases, material weaknesses. Organizations taking a proactive approach to managing spreadsheet risk have set clear goals for good corporate governance, followed auditor guidance, and aggressively adopted technology to automate internal controls. Organizations reacting to spreadsheet risk have found themselves in crisis mode, and are responding to quickly fill compliance gaps.
Follow the Spreadsheet Compliance Lifecycle
Some experts believe that eliminating the use of business critical spreadsheets and replacing them with enterprise IT applications can address these compliance risks. However, with the sheer volume of Excel users worldwide, the advent of Microsoft Office 2007, and business school requirements for mastering Excel, simply adding compliance may be a more cost effective approach to gain back control. In a recent study, an analyst firm indicated that “Given the heavy reliance on spreadsheets by so many businesses, companies are likely to purchase software that helps them deal with the defects of stand-alone spreadsheets rather than replace them.”
Building upon this approach, leading tax and audit firms have recommended that organizations take a lifecycle management approach to automating spreadsheet controls.
Key steps in this lifecycle should include:
- Conducting an inventory and risk assessment of existing spreadsheets
- Documenting and analyzing high risk spreadsheets for errors
- Performing a gap analysis between existing controls and required controls to identify remediation efforts
- Planning appropriate IT projects to implement new spreadsheet controls to fill any compliance gaps identified during the risk assessment and gap analysis
- Managing critical spreadsheets in a controlled environment with versioning, access control, change control, input control, security and data integrity, archival and backup, and overall analytics
- Leverage technology solutions to automate the spreadsheet controls environment, automate spreadsheet review and approval cycles, and provide greater visibility into the spreadsheet compliance process
Leveraging Technology to Automate Spreadsheet Governance
To date, most companies complying with SOX 404 mandates have implemented manual spreadsheet controls to satisfy auditor guidance by documenting the risks and appropriate policies to help mitigate the risks. However, manual controls often require additional work on the part of end users. Examples of manual spreadsheet controls include maintaining a change log in an extra workbook tab to track changes to data, formulas, and macros, or manual verification of inputs, formulas and outputs. Such manual controls are error-prone and not sustainable in the long run.
The good news is that a new breed of technologies has emerged to help organizations automate these manual controls while making the compliance part an inherent part of conducting business as usual. The key technology requirements for automating the spreadsheet controls environment, incorporate the following components:
- Enterprise search to help discover critical spreadsheets that exist on employee desktops, in email attachments, and on corporate shared drives
- Automated inventory reports to help document and categorize the critical spreadsheet population associated with financial reporting
- Diagnostic tools to help validate existing spreadsheets, identify logic errors, and dependencies (or links) to other spreadsheets
- Auditing tools to track changes to spreadsheet data, formulas, and macros down to the cell level
- Migration tools to move uncontrolled spreadsheets into a secure repository while preserving links to dependent spreadsheets
- A secure, web based repository to establish a controlled environment for spreadsheet archival, indexing and search, versioning, and controlling access roles and user privileges
- Automated workflows for electronically routing spreadsheets to the appropriate users for review and approval, and managing change requests.
- Reporting dashboards to provide auditors, managers, and executives with greater visibility into the spreadsheet compliance process by identifying high risk spreadsheets, tracking approval status, managing exceptions, and tracking changes to key financial metrics.
Leveraging these technologies in a phased approach has been successful for many organizations to date. However, a spreadsheet controls initiative should be considered as part of an overall risk- management initiative that also incorporates other types of user-developed applications outside IT control, including Microsoft Access and other custom database applications.
The benefits of automating the spreadsheet controls environment include reducing the risk of errors in the financial reporting process, minimizing company exposure due to restating earnings, driving down the cost of compliance with regulatory mandates (including SOX 404, FDICIA, FSA/MiFID, and the Combined Code), and improving productivity for end users. While the power and ubiquity of spreadsheets cannot always be replaced with IT applications, it must be managed with good corporate governance and appropriate IT controls for those spreadsheets that are business critical.
Resources:
- The Spreadsheet Management Market: Worldwide Demand Forecast 2006-2011, Ventana Research, 2006.
- The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act, PricewaterhouseCoopers, July 2004
Dr. Soheil Saadat is President and Chief Executive Officer of Prodiance Corporation. Soheil formed Prodiance after more than 25 years of developing software for highly-regulated markets, and is a pioneer in content management, workflow and compliance software development. In 1990, Soheil founded Scientific Software, Inc, (SSI) and under his direction, SSI became a world leader in the development, sale and support of compliance software solutions for pharmaceutical market under the FDA’s 21 CFR Part 11 regulation. Later he founded Prodiance with the maturity of SSI’s content management and workflow technologies, and has been leading the company in the delivery of solutions for spreadsheet compliance and workflow for financial applications. For article feedback, contact Soheil at soheil.saadat@prodiance.com
