With apologies to Mark Twain, rumors of the spreadsheet’s demise have been greatly exaggerated.
It has been nearly four years since PricewaterhouseCoopers published its wake-up call of a white paper, “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act.” Alas, the paper landed in the inboxes of a Corporate America swept up in a flood of new and apparently more pressing Sarbanes compliance concerns.
The PwC paper also gave a set of recommendations most companies would find impossible: a detailed inventory of what spreadsheets they have (no easy task in itself, given spreadsheets’ ubiquity), and a slew of controls—change, version, access, input, security, data-integrity—that seemed so far-fetched, many started to wonder whether companies might stop using spreadsheets entirely, at least for certain business-critical applications.
That could still happen. But a new generation of spreadsheet management software has also emerged, promising to plug the many compliance holes spreadsheets have. The products claim they can let employees keep crunching their numbers and making projections as always, while quelling auditors’ fears of rampant material weaknesses.
Compliance executives and IT directors have a dizzying array of choices right now. Actuate, Cerity, Cimcon, Compassoft, ClusterSeven, Lyquidity, Mobius, Prodiance, Qtier, Sheetware, and Spreadsheet Advantage are some of the vendors hawking software to help keep spreadsheets compliant. All of them “put a wrapper around the process” rather than replace spreadsheets outright, according to Kathleen Wilhide, a governance and compliance analyst with the IDC research firm.
“I think spreadsheets are here to stay, and that’s the way it is,” she says.
The “wrapper” Wilhide describes can come in varying stripes. But such systems generally include:
an ability to track changes to spreadsheets, including ones that cascade and link across several sheets;
mechanisms to establish and maintain access and segregation of duties;
version control, change control, and audit trails, so you know what spreadsheets are out there and who has used which ones lately.
Other features include workflow management, software-development tools, archiving, and analytical reporting. Their overall goal is to combine the broad flexibility and grassroots use of spreadsheets with the centralized control infrastructure IT departments usually have.
Not every spreadsheet needs such attention, says Eric Perry, head of marketing for Prodiance. For many customers, he says, the trigger is an auditor noting heavy reliance on a few critical, high-risk spreadsheets.
“These are not your fantasy football spreadsheets,” he quips. Rather, auditors focus on spreadsheets used for tasks such as account reconciliation, revenue recognition, financial reporting, and other high-value spreadsheets used to close the books.
A Prodiance customer from a global bank, who requested anonymity, says SOX compliance prompted his firm’s decision to use spreadsheet management software. The bank knew it couldn’t dispose of spreadsheets entirely, so it first tried to impose a system of manual controls where users noted their changes in a database and reviewers documented their sign-offs. That turned out to be cumbersome and error-prone, the banker says. His company then considered Microsoft’s SharePoint software, but decided that SharePoint’s approach of checking files in and out of a central repository wouldn’t win much support from employees. The bank finally settled on Prodiance, which he says is invisible to users.
Beyond Compliance Hassles
Compliance is certainly the primary driver in the market for spreadsheet management software right now, but it may not remain as important in the long run. Perry says auditor pressures are responsible for perhaps a quarter of Prodiance’s new business. Much of the rest is coming from those seeking to mitigate business risk—a change that’s become pronounced in past six months, he says.
Robert Kugel, research director at Ventana Research, says spreadsheet management software’s ability to spot business risks is at least as important as its strengthening of compliance.
“There are all kinds of things that people can do that pose reputation risk,” he says. “All kinds of mistakes can be made in formulas.”
Raymond Panko, a professor of IT management at the University of Hawaii, has pegged the error rate for spreadsheets at 2 to 5 percent of all formula cells. At that frequency, he says, “a bottom-line error is almost a certainty” in spreadsheets of any reasonable size.
Spreadsheet management software isn’t the only way to avoid such errors. Mike Hoye, a spreadsheet control specialist and manager with the consulting firm Jefferson Wells, says he has seen clients replace spreadsheets with other software for specific tasks such as general ledger account reconciliation. In others cases, financial-service companies have controlled spreadsheet logic in Visual Basic or other programs, leaving the spreadsheet itself as a simple window for data entry. But the spreadsheet management software provides transparency and visibility into the spreadsheet environment, he notes.
Kugel says companies with more than 5,000 employees should consider such software.
“What you don’t understand is the amount of time people spend trying to find that, or do this, or correct errors,” he says. “There are all kinds of hidden costs to spreadsheets that go completely unrecognized. While there’s a lot of things the software won’t do, it will do a lot of things to help people do higher-value-added work.”
Hoye cautions that spreadsheet management software isn’t a plug-and-play operation. Successful implementation takes up-front effort, particularly in deciding which spreadsheets are critical and tracing the Excel-based webs that often feed into the critical spreadsheets.
Change management is another aspect of spreadsheet controls that can’t be ignored, Hoye adds. Spreadsheet management software forces critical spreadsheets into IT control processes foreign to accountants and financial people used to creating and changing spreadsheets at their whim, he says.
Perry at Prodiance says successful clients tend to establish the system’s goals—whether compliance, risk mitigation, or productivity—and develop policies for managing critical spreadsheets. Given the experience of auditors, consulting companies, and software companies, he says, there should be no need to reinvent the wheel at any point along the way.
It’s an effort that makes sense, Kugel says. “It’s one of those things where it’s just good business practice.”