Close

Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

Spreadsheet Control Marches Forward

Todd Neff | February 12, 2008

With apologies to Mark Twain, rumors of the spreadsheet’s demise have been greatly exaggerated.

It has been nearly four years since PricewaterhouseCoopers published its wake-up call of a white paper, “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act.” Alas, the paper landed in the inboxes of a Corporate America swept up in a flood of new and apparently more pressing Sarbanes compliance concerns.

The PwC paper also gave a set of recommendations most companies would find impossible: a detailed inventory of what spreadsheets they have (no easy task in itself, given spreadsheets’ ubiquity), and a slew of controls—change, version, access, input, security, data-integrity—that seemed so far-fetched, many started to wonder whether companies might stop using spreadsheets entirely, at least for certain business-critical applications.

That could still happen. But a new generation of spreadsheet management software has also emerged, promising to plug the many compliance holes spreadsheets have. The products claim they can let employees keep crunching their numbers and making projections as always, while quelling auditors’ fears of rampant material weaknesses.

Compliance executives and IT directors have a dizzying array of choices right now. Actuate, Cerity, Cimcon, Compassoft, ClusterSeven, Lyquidity, Mobius, Prodiance, Qtier, Sheetware, and Spreadsheet Advantage are some of the vendors hawking software to help keep spreadsheets compliant. All of them “put a wrapper around the process” rather than replace spreadsheets outright, according to Kathleen Wilhide, a governance and compliance analyst with the IDC research firm.

“I think spreadsheets are here to stay, and that’s the way it is,” she says.

The “wrapper” Wilhide describes can come in varying stripes. But such systems generally include:

  • an ability to track changes to spreadsheets, including ones that cascade and link across several sheets;

  • mechanisms to establish and maintain access and segregation of duties;

  • version control, change control, and audit trails, so you know what spreadsheets are out there and who has used which ones lately.

Other features include workflow management, software-development tools, archiving, and analytical reporting. Their overall goal is to combine the broad flexibility and grassroots use of spreadsheets with the centralized control infrastructure IT departments usually have.

Not every spreadsheet needs such attention, says Eric Perry, head of marketing for Prodiance. For many customers, he says, the trigger is an auditor noting heavy reliance on a few critical, high-risk spreadsheets.

“These are not your fantasy football spreadsheets,” he quips. Rather, auditors focus on spreadsheets used for tasks such as account reconciliation, revenue recognition, financial reporting, and other high-value spreadsheets used to close the books.

A Prodiance customer from a global bank, who requested anonymity, says SOX compliance prompted his firm’s decision to use spreadsheet management software. The bank knew it couldn’t dispose of spreadsheets entirely, so it first tried to impose a system of manual controls where users noted their changes in a database and reviewers documented their sign-offs. That turned out to be cumbersome and error-prone, the banker says. His company then considered Microsoft’s SharePoint software, but decided that SharePoint’s approach of checking files in and out of a central repository wouldn’t win much support from employees. The bank finally settled on Prodiance, which he says is invisible to users.

Beyond Compliance Hassles

Compliance is certainly the primary driver in the market for spreadsheet management software right now, but it may not remain as important in the long run. Perry says auditor pressures are responsible for perhaps a quarter of Prodiance’s new business. Much of the rest is coming from those seeking to mitigate business risk—a change that’s become pronounced in past six months, he says.

EVALUATING SPREADSHEET CONTROLS

According to a white paper written by Pricewaterhouse- Coopers in July 2004, “implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404.” According to PwC, there are five high-level steps to implementing such a process:

  1. Inventory Spreadsheets—“This step is critical to ensuring that the population of spreadsheets in use within the organization is defined and
    subjected to evaluation.”

  2. Evaluate Their Use, Complexity—“This involves determining a spreadsheet’s category of uses (operational, analytical and financial) and then assigning and documenting a level of complexity (low, moderate or high)...”

  3. Determine Necessary Level Of Controls—Could include change control, version control, access control, input control, security, data integrity, and more. “The level of controls implemented should be considered relative to the spreadsheet’s use, complexity and required reliability of the information.”

  4. Evaluate Existing Controls—“Any gaps between existing and ‘necessary’ controls should be identified as remediation items as well as any gaps in operating effectiveness.”

  5. Develop Remediating Plan—Could include assigning responsibility, establishing remediation dates, and prioritizing efforts. Action plans “should increase the
    controls over the spreadsheet to the necessary controls based upon the use and complexity of the spreadsheet.”



Source: "The Use of Spreadsheets:
Considerations for Section 404 of the Sarbanes-Oxley Act"
(PwC).



Kugel

Robert Kugel, research director at Ventana Research, says spreadsheet management software’s ability to spot business risks is at least as important as its strengthening of compliance.

“There are all kinds of things that people can do that pose reputation risk,” he says. “All kinds of mistakes can be made in formulas.”

Raymond Panko, a professor of IT management at the University of Hawaii, has pegged the error rate for spreadsheets at 2 to 5 percent of all formula cells. At that frequency, he says, “a bottom-line error is almost a certainty” in spreadsheets of any reasonable size.



Hoye

Spreadsheet management software isn’t the only way to avoid such errors. Mike Hoye, a spreadsheet control specialist and manager with the consulting firm Jefferson Wells, says he has seen clients replace spreadsheets with other software for specific tasks such as general ledger account reconciliation. In others cases, financial-service companies have controlled spreadsheet logic in Visual Basic or other programs, leaving the spreadsheet itself as a simple window for data entry. But the spreadsheet management software provides transparency and visibility into the spreadsheet environment, he notes.

Kugel says companies with more than 5,000 employees should consider such software.

“What you don’t understand is the amount of time people spend trying to find that, or do this, or correct errors,” he says. “There are all kinds of hidden costs to spreadsheets that go completely unrecognized. While there’s a lot of things the software won’t do, it will do a lot of things to help people do higher-value-added work.”

Hoye cautions that spreadsheet management software isn’t a plug-and-play operation. Successful implementation takes up-front effort, particularly in deciding which spreadsheets are critical and tracing the Excel-based webs that often feed into the critical spreadsheets.

Change management is another aspect of spreadsheet controls that can’t be ignored, Hoye adds. Spreadsheet management software forces critical spreadsheets into IT control processes foreign to accountants and financial people used to creating and changing spreadsheets at their whim, he says.

Perry at Prodiance says successful clients tend to establish the system’s goals—whether compliance, risk mitigation, or productivity—and develop policies for managing critical spreadsheets. Given the experience of auditors, consulting companies, and software companies, he says, there should be no need to reinvent the wheel at any point along the way.

It’s an effort that makes sense, Kugel says. “It’s one of those things where it’s just good business practice.”