Companies trying to comply with the Sarbanes-Oxley Act of 2002 are finding that one of the toughest—and yet most essential—areas for establishing controls over internal processes and procedures isn’t even required under the law: spreadsheets.
BNSF Railway recently went through the process. The company, a subsidiary of the $13 billion Burlington Northern Santa Fe Corp., is one of the largest railroad networks in North America, and its financial department—like many in Corporate America—is heavily reliant on spreadsheets. In the latter part of 2004, when the company was racing to comply with Sarbanes-Oxley for the first time, BNSF's accounting firm provided guidance on the need for adequate controls around the scores of spreadsheets the railroad used to support its financial statements.
Until then, BNSF hadn’t focused on developing spreadsheet controls; after all, current regulations and standards don’t specifically require tests for them. However, the company’s auditor urged the tighter controls because of the manual nature of spreadsheets, says Paul Bischler, BNSF’s controller.
“Spreadsheets pose one of the greatest risks, especially when you talk about financial statement accuracy,” Bischler says. “Even large companies today use spreadsheets to generate entries for financial statements.”
The internal control provisions of Sarbanes-Oxley, combined with the rigorous auditing standard that accounting firms must use to verify those controls, brought the issue of spreadsheets into sharp relief. According to a PricewaterhouseCoopers report on the subject issued in 2004, errors in even relatively simple spreadsheets can result in potentially material misstatements in financial results (see box at right).
Still, while companies and their auditors have spent the last two years bemoaning control problems inherent in spreadsheets, the largest application makers have not addressed key issues. For example, says Francis Polisetty, BNSF’s assistant manager for finance technology, Microsoft Excel spreadsheets’ best feature is also their worst: user flexibility. While mainframe programs managed by IT departments can be well-controlled for functions such as documentation of changes, similar features for Excel—easily the most common spreadsheet program in use—can’t be enforced. That means an inexperienced or malevolent user could make erroneous changes that could go unnoticed.
IT experts say companies should allocate a dedicated server for all key spreadsheets, and should restrict access by implementing an enterprise-wide lockdown.
“Sarbanes-Oxley has brought attention to the need to protect information from insiders,” says Phil Neray, vice president of marketing for Guardium, a provider of database security software. “SOX said, ‘We need to look at what private users are doing with critical data.’ This is not necessarily about malicious or suspicious acts that might affect the integrity of the data. It could be accidental changes to the database and structure.”
Functions embedded in spreadsheets, such as macros and formulas, can also affect the performance of the spreadsheets. For example, a calculation error in a spreadsheet that is interlinked with other data can cause problems for a company if those details are intended for financial disclosure, says Ed Hill, a managing director at risk consulting firm Protiviti.
“If you’re going to use spreadsheets, you need to keep them as simple as you can possibly make them,” Hill says. “Spreadsheets are prone to errors and aren’t like other computer applications that are designed with controls in mind.”
Human error in the entry of data on spreadsheets also can cause problems. Duplicate payments or invoices might be recorded, or an incorrect version of a spreadsheet might be distributed by an individual. Kirit Pandit, vice president of software management business Emptoris, says spreadsheets should have controls to identify—and ideally, to block—just such errors.
“Is there a data trail being left? Are they using the right version of the spreadsheet? Are they using an approved template?” Pandit asks. “If those controls are not in place, then you’re leaving open the door for someone to create mischief.”
Getting It Done: BNSF’s Story
Taking his auditor’s advice, Bischler at BNSF assembled his team in late 2004 and spent “a lot of late hours” over a four-month period analyzing spreadsheets, establishing a system of controls, and testing the procedures. He reassigned Polisetty to the new position of assistant manager in finance technology management to help him run the process.
BNSF has about 100 key spreadsheets, Polisetty says, including some with complex, advanced Excel functions. The company spent a significant amount of time in a one-time effort to create a baseline of spreadsheets, including manual validation of all unique formulas.
Bischler’s first step was to take an inventory of BNSF’s spreadsheets and identify which ones were vital to compiling the company’s financial statements. Such a step is crucial, says Neray at Guardium, because unlike databases—which are enterprise tools that already are part of a network—spreadsheets still are personal tools often saved and distributed from personal computers.
“Spreadsheets have become such a big productivity tool,” Neray contends. “Companies realize that if they want to introduce controls, it has to be done by implementing a server,” he adds. “The whole idea of documenting and time-stamping a spreadsheet is going to be very critical. That is the weakest link today in the whole SOX process.”
After completing the inventory process, Bischler’s team tested each spreadsheet to make sure it worked properly and then established procedures that monitored changes to it. For example, BNSF tries to ensure that any new code has been adequately tested before it is included in a spreadsheet. And once new code is included, BNSF checks that the changes and the spreadsheet’s formulas are functioning properly.
BNSF uses Excel analysis software from Operis to help the company see when a spreadsheet has been changed. The analysis tool, Operis Analysis Kit (commonly known as “OAK” software), gives BNSF a visual aid to identify anomalies.
“If you’re using spreadsheets to create a 10-Q or a 10-K, it needs to be managed in a process-based manner,” Neray says. “It can’t just be spreadsheets being emailed, with different versions existing on different machines.”
BNSF’s third step was controlling access. The company restricted access to spreadsheets to a few people for each business process, and only supervisors were given the passwords needed to unlock cells within them, Bischler says. “Human error is the biggest thing you’re trying to capture through all of this,” Bischler explains. “Up front, you need to establish a process that will effectively get you to the end game.”
Demand for products that provide more automated solutions to spreadsheet controls has risen as corporate awareness of the risks has grown. Some companies have implemented integration servers to help them organize their different systems; others use software developed to create spreadsheets for formal processes or teams within their businesses.
“Your corporation runs on this data. This is the data that describes who your organization is,” Neray says. “These processes all make good business sense.”