  • Spreadsheet Blues: Few Controls Yield Many Weaknesses

    By Matt Kelly, August 23, 2005

    Hussain Hasan, managing director of technology risk management services at the Chicago accounting firm RSM McGladrey, does not mince words when discussing how poorly spreadsheets satisfy the requirements of The Sarbanes-Oxley Act of 2002.

    "They don't at all," Hasan says. "Most public companies should not use spreadsheets as their main financial tool."

    Such criticism from Hasan might sound harsh for one of corporate America's most ubiquitous business tools, but experts say the lack of enterprise-strength security controls means spreadsheets must remain in the crosshairs of executives and auditors worried about financial reporting.

    In fact, a review of recent internal control disclosures shows that numerous companies have already cited deficiencies and weaknesses related to spreadsheets. In May 2005, for example, $90.6 million Sonic Solutions disclosed that it "did not maintain adequate controls over spreadsheets used in our financial reporting process." The same was the case at $185.2 million Modtech Holdings, which in June noted that it "did not have adequate controls over spreadsheets used in our financial reporting process."

    Titanium producer RTI International Metals also acknowledged in May that it did not maintain effective controls over certain spreadsheets. Specifically, "the company's controls over the completeness, accuracy, validity, and restricted access and the review of certain spreadsheets ... were either not designed appropriately or did not operate as designed."

    In May, $425.7 million Shurgard Storage Centers noted that its consolidation process "is performed primarily on standard spreadsheet software that is not specifically designed or customized for this purpose." The problem constituted a material weakness that "resulted in our inability to prevent or detect the reporting of inaccurate or incomplete information and limits our ability to ensure our financial reporting processes are completed timely."

    At Crown Media Holdings, internal control deficiencies included the company's controls to assess and review spreadsheet formulas. And at Audible Inc., problems included "ineffective review of spreadsheet calculations used in the financial statement preparation process."

    But spreadsheets aren't just a source of headaches when it comes to controls and oversight processes; they're also a source of errors.

    In July, cleaning and personal care specialist CPAC, which operates The Fuller Brush Company and Stanley Home Products, disclosed misstatements that were caused by "a computational error in valuation of a component of inventory and related reliance on a spreadsheet for completion of such valuation."

    $1.3 billion Foamex also noted that an ineffective control did not prevent or detect an improper formula in a spreadsheet, "resulting in a misstatement of work in process and finished goods inventories..."

    At Edge Petroleum, management discovered an error in a spreadsheet application that was designed to eliminate intercompany balances. "As a result of the error, amounts accumulated in the property account for one subsidiary were also included as an accrued capital expenditure by another subsidiary and inadvertently not eliminated in consolidation," said the company in a regulatory filing. "This caused property balances to be overstated."

    © 2005 Financial Media Holdings Group, Inc. All Rights Reserved.

  • The same was the case at video retailer Rentrak, which noted in June that its auditor discovered a data error in a program supplier spreadsheet that resulted in an overstatement of our cost of sales for this fiscal period.

    Hand Washing

    "It isn't an inherent control weakness to use spreadsheets; it's how people use them," says Joseph Prudente, director of internal audit for New York-based accounting firm Rothstein Kass.

    According to Prudente, most companies utilize spreadsheets out-of-the-box, without applying the diligence and controls inherent in the rest of their financial systems. "At worst, [spreadsheets] are computer applications that are run, managed, developed and supported outside the normal system-development lifecycle."

    EVALUATING SPREADSHEET CONTROLS

    According to a white paper written by PricewaterhouseCoopers in July 2004, "implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404." According to PwC, there are five high-level steps to implementing such a process:

    1. Inventory Spreadsheets: "This step is critical to ensuring that the population of spreadsheets in use within the organization is defined and subjected to evaluation."

    2. Evaluate Their Use, Complexity: "This involves determining a spreadsheet's category of uses (operational, analytical and financial) and then assigning and documenting a level of complexity (low, moderate or high)..."

    3. Determine Necessary Level Of Controls: Could include change control, version control, access control, input control, security, data integrity, and more. "The level of controls implemented should be considered relative to the spreadsheet's use, complexity and required reliability of the information."

    4. Evaluate Existing Controls: "Any gaps between existing and 'necessary' controls should be identified as remediation items as well as any gaps in operating effectiveness."

    5. Develop Remediating Plan: Could include assigning responsibility, establishing remediation dates, and prioritizing efforts. Action plans "should increase the controls over the spreadsheet to the necessary controls based upon the use and complexity of the spreadsheet."

    Source: "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act" (PricewaterhouseCoopers), http://www.complianceweek.com/s/documents/PwCwpSpreadsheet404Sarbox.pdf

    That's partially because of their ease of use. Typically, for example, the development of financial applications requires a segregation of duties to ensure the development is conducted appropriately. To those ends, the person who requires the application should not necessarily be the person who designs it or deploys it throughout the corporate environment. But spreadsheets, due to their simplicity, can sabotage those controls during development: it's easy for an employee to say, "I'll just whip up a spreadsheet to handle that task," without considering the controls or implications. Multiply that phenomenon by hundreds of financial staffers across a global enterprise, and it becomes more clear why spreadsheets can be problematic. "Ninety percent of the [spreadsheet] developers are the ones who implement into production, because they don't look at spreadsheets as a software change," adds Prudente.

    To be fair, most spreadsheet applications (including the most common ones like Microsoft Excel and Lotus 1-2-3) do have rudimentary security controls. But those controls, which enable a user to password-protect a worksheet or certain cells, tend to be user-specific: they are tactics aimed at helping a single user protect his or her data.

    At the corporate level, where a chief financial officer might oversee thousands of spreadsheets, much stronger controls are required. That's especially the case now that CFOs must report quarterly changes in the company's internal control over financial reporting as per Section 302 of The Sarbanes-Oxley Act.

    But establishing centralized security controls over spreadsheets is not easy. IT managers can place important spreadsheets on secured hard drives to keep unauthorized users from gaining access to the document, but it's not uncommon for accounting staffers to save local versions of the spreadsheet on their hard drives for convenience. Enforcing version control or change management, while considered vital to the satisfaction of SOX Sections 302 and 404, is often impossible unless done manually.

    "This is an area that IT organizations have washed their hands of, really," says Michael Heintz, a principal consultant with the PA Consulting Group.

    Common Area

    When it comes to handling critical financial data, Heintz, Hasan at RSM McGladrey, and others advocate abandoning spreadsheets wherever possible.

    That's not only because of the risks inherent in their usage, but it's due to the fact that many spreadsheets exist simply because they're easier than the alternative. "There will always be some need for [spreadsheets]," says Heintz, "but many spreadsheets are there for the convenience of the person using them, because they didn't want to learn the [more complicated ERP] application that would provide that functionality."

    Instead, experts argue companies should migrate to ERP applications or Web-enabled databases that employ more rigorous controls. The latest versions of most applications, at least those released after Sarbanes-Oxley, include controls that can be centrally managed and tested by auditors. The latter functionality is becoming more critical as companies focus on sustainability as it pertains to SOX 404, as they look to automate processes and minimize costs.

    Islandia, N.Y.-based Computer Associates, for example, uses ERP software from Germany's SAP to house all its financial data in one system. Doing so enables the company to employ controls at the network, host and application layers, says Ken Williams, vice president of CA's technology services division.

    That common area concept can make it easier to pull together more complete pictures of the control environment. It can also provide better views into that data, sorting information by business process, for example, or by categories detailed in the internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission.

    Spreadsheets, of course, can track that information too, but typically they do so in a much more fractured way. And because spreadsheets lack a sense of time or version control, they offer little help with enterprise risk management initiatives, which often hinge on a constant monitoring of, and controlling against, risk.

    But centralizing financial data is not a simple undertaking, and can require considerable analysis (and cost) to determine what sort of application is most appropriate for the company. "In addition to process changes," says CA's Williams, "companies need to think about re-engineering their architecture so they can place that data in a common area which will minimize the overall cost of protecting that data."

    A Pain To Monitor

    In fact, since spreadsheets have become so ubiquitous and addictive at public companies, it may be difficult for some companies to extricate themselves from their usage; the cost to unwind systems may offset the long-term benefit. For those companies, auditors recommend several basic steps that can be taken to impose proper security controls around spreadsheets and their usage.

    First is to take careful inventory of what spreadsheets a company has, what purposes they serve, and exactly who uses them; many companies have already done this as part of their Year One SOX 404 documentation efforts. The companies can then map the spreadsheets to the processes, and can determine which ones qualify as high-priority issues needing extra attention.

    What controls are necessary? PricewaterhouseCoopers urges that any spreadsheet have locks in place to freeze data. In a white paper published in July 2004 the firm also recommended that spreadsheets have access controls, as well as an approval system requiring independent sign-off for any changes to processes like macros. There should also be a reconciliation process to confirm inputs. Key spreadsheets might also warrant documentation and back-up procedures.

  • Prudente at Rothstein Kass emphasizes change controls as particularly important. "In my opinion, you need to go through a formal change-management process for some of these sophisticated spreadsheets," says Prudente, "just like the developer would go through for a standard application change." To those ends, companies would want to understand how changes are made to the spreadsheets, and how they are tested and approved.

    Then there's the matter of testing spreadsheet controls, which can be a major headache; if spreadsheets are created manually by users, most likely they will be tested manually by auditors. "With some of my clients, what I hear from the controller groups is that they never would have made the request to create some of these sheets had they known the pain it would cause them to monitor the controls around them now," says Heintz at PA Consulting Group.

    And according to Computer Associates' Ken Williams, auditors may pay even closer attention to testing this year, since most of the SOX 404 documentation efforts are in the past. If that's the case, Williams says, executives may want to go back and ask "how you can automate [processes] and how you can create sustainability."

    A world of more secure spreadsheets, or no spreadsheets at all, may seem daunting at first glance. But, given the proliferation of spreadsheets in the modern corporation and the exhaustive controls mandated by Sarbanes-Oxley, companies might have little choice. "They should be relying on a back-end application," argues Hasan at RSM McGladrey. "Maybe it doesn't have to be a full ERP package but spreadsheets definitely aren't the right tool."