
Hussain Hasan, managing director of technology risk management services at the Chicago accounting firm RSM McGladrey, does not mince words when discussing how poorly spreadsheets satisfy the requirements of The Sarbanes-Oxley Act of 2002. “They don’t at all,” Hasan says. “Most public companies should not use spreadsheets as their main financial tool.”
Such criticism from Hasan might sound harsh for one of corporate America’s most ubiquitous business tools, but experts say the lack of enterprise-strength security controls means spreadsheets must remain in the crosshairs of executives and auditors worried about financial reporting.
In fact, a review of recent internal control disclosures shows that numerous companies have already cited deficiencies and weaknesses related to spreadsheets. In May 2005, for example, $90.6 million Sonic Solutions disclosed that it “did not maintain adequate controls over spreadsheets used in our financial reporting process.” The same was the case at $185.2 million Modtech Holdings, which in June noted that it “did not have adequate controls over spreadsheets used in our financial reporting process.”
Titanium producer RTI International Metals also acknowledged in May that it did not maintain effective controls over certain spreadsheets. Specifically, “the company's controls over the completeness, accuracy, validity, and restricted access and the review of certain spreadsheets … were either not designed appropriately or did not operate as designed.”
At Crown Media Holdings, internal control deficiencies included the company’s controls to assess and review spreadsheet formulas. And at Audible Inc., problems included “ineffective review of spreadsheet calculations used in the financial statement preparation process.”
But spreadsheets aren’t just a source of headaches when it comes to controls and oversight processes—they’re also a source of errors.
In July, cleaning and personal care specialist CPAC—which operates The Fuller Brush Company and Stanley Home Products—disclosed misstatements that were caused by “a computational error in valuation of a component of inventory and related reliance on a spreadsheet for completion of such valuation.”
$1.3 billion Foamex also noted that an ineffective control did not prevent or detect an improper formula in a spreadsheet, “resulting in a misstatement of work in process and finished goods inventories...”
At Edge Petroleum, management discovered an error in a spreadsheet application that was designed to eliminate intercompany balances. “As a result of the error, amounts accumulated in the property account for one subsidiary were also included as an accrued capital expenditure by another subsidiary and inadvertently not eliminated in consolidation,” said the company in a regulatory filing. “This caused property balances to be overstated.”
The same was the case at video retailer Rentrak, which noted in June that its auditor “discovered a data error in a program supplier spreadsheet that resulted in an overstatement of our cost of sales for this fiscal period.”
Hand Washing
“It isn’t an inherent control weakness to use spreadsheets; it’s how people use them,” says Joseph Prudente, director of internal audit for New York-based accounting firm Rothstein Kass.
According to Prudente, most companies utilize spreadsheets out-of-the-box, without applying the diligence and controls inherent in the rest of their financial systems. “At worst, [spreadsheets] are computer applications that are run, managed, developed and supported outside the normal system-development lifecycle.”
To be fair, most spreadsheet applications—including the most common ones like Microsoft Excel and Lotus 1-2-3—do have rudimentary security controls. But those controls, which enable a user to password-protect a worksheet or certain cells, tend to be user-specific—they are tactics aimed at helping a single user protect his or her data.
At the corporate level, where a chief financial officer might oversee thousands of spreadsheets, much stronger controls are required. That’s especially the case now that CFOs must report quarterly changes in the company’s internal control over financial reporting as per Section 302 of The Sarbanes-Oxley Act.
But establishing centralized security controls over spreadsheets is not easy. IT managers can place important spreadsheets on secured hard drives to keep unauthorized users from gaining access to the document, but it’s not uncommon for accounting staffers to save “local” versions of the spreadsheet on their hard drives for convenience. Enforcing version control or change management, while considered vital to the satisfaction of SOX Sections 302 and 404, is often impossible unless done manually.
“This is an area that IT organizations have washed their hands of, really,” says Michael Heintz, a principal consultant with the PA Consulting Group.
Common Area
When it comes to handling critical financial data, Heintz, Hasan at RSM McGladrey, and others advocate abandoning spreadsheets wherever possible.
Instead, experts argue companies should migrate to ERP applications or Web-enabled databases that employ more rigorous controls. The latest versions of most applications, at least those released after Sarbanes-Oxley, include controls that can be centrally managed and tested by auditors. The latter functionality is becoming more critical as companies focus on “sustainability” as it pertains to SOX 404—as they look to automate processes and minimize costs.
Islandia, N.Y.-based Computer Associates, for example, uses ERP software from Germany’s SAP to house all its financial data in one system. Doing so enables the company to employ controls at the network, host and application layers, says Ken Williams, vice president of CA’s technology services division.
That “common area” concept can make it easier to pull together more complete pictures of the control environment. It can also provide better views into that data, sorting information by business process, for example, or by categories detailed in the internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission.
Spreadsheets, of course, can track that information too, but typically they do so in a much more fractured way. And because spreadsheets lack a sense of “time” or version control, they offer little help with enterprise risk management initiatives, which often hinge on a constant monitoring of—and controlling against—risk.
A Pain To Monitor
In fact, since spreadsheets have become so ubiquitous and addictive at public companies, it may be difficult for some companies to extricate themselves from their usage—the cost to unwind systems may offset the long-term benefit. For those companies, auditors recommend several basic steps that can be taken to impose proper security controls around spreadsheets and their usage.
First is to take careful inventory of what spreadsheets a company has, what purposes they serve, and exactly who uses them; many companies have already done this as part of their “Year One” SOX 404 documentation efforts. The companies can then map the spreadsheets to the processes, and can determine which ones qualify as high-priority issues needing extra attention.
What controls are necessary? PricewaterhouseCoopers urges that any spreadsheet have locks in place to freeze data. In a white paper published in July 2004 (see excerpt above, left), the firm also recommended that spreadsheets have access controls, as well as an approval system requiring independent sign-off for any changes to processes like macros. There should also be a reconciliation process to confirm inputs. Key spreadsheets might also warrant documentation and back-up procedures.
Prudente at Rothstein Kass emphasizes change controls as particularly important. “In my opinion, you need to go through a formal change-management process for some of these sophisticated spreadsheets,” says Prudente, “just like the developer would go through for a standard application change.” To those ends, companies would want to understand how changes are made to the spreadsheets, and how they are tested and approved.
Then there’s the matter of testing spreadsheet controls, which can be a major headache; if spreadsheets are created manually by users, most likely they will be tested manually by auditors. “With some of my clients, what I hear from the controller groups is that they never would have made the request to create some of these sheets had they known the pain it would cause them to monitor the controls around them now,” says Heintz at PA Consulting Group.
And according to Computer Associates’ Ken Williams, auditors may pay even closer attention to testing this year, since most of the SOX 404 documentation efforts are in the past. If that’s the case, Williams says, executives may want to “go back and ask how you can automate [processes] and how you can create sustainability.”
A world of more secure spreadsheets—or no spreadsheets at all—may seem daunting at first glance. But, given the proliferation of spreadsheets in the modern corporation and the exhaustive controls mandated by Sarbanes-Oxley, companies might have little choice. “They should be relying on a back-end application,” argues Hasan at RSM McGladrey. “Maybe it doesn’t have to be a full ERP package … but spreadsheets definitely aren’t the right tool.”