At the request of subscribers, Compliance Week has launched a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week's editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

THE QUESTION

Anonymous —

Is there guidance on how to audit the use of spreadsheets for SOX 404 purposes other than the PwC-sponsored white paper? This white paper is very general and does not answer most of our specific questions regarding which spreadsheets should be considered in-scope for SOX 404 purposes.

ANSWER

Robert Kugel, Ventana Research —

The PwC-sponsored white paper (see box at right) lays out an excellent framework for assessing which among the thousands of spreadsheets typically used by an accelerated filer's finance organization should be considered “in scope.” It also describes some of the necessary controls for these spreadsheets.

While any spreadsheet used to consolidate financial results or which calculates material accruals is clearly in scope, large companies may have hundreds that are in a grey area—which explains your frustration. There are many difficulties in being more prescriptive about what is in scope. For example, the same auditor may look at two similar spreadsheets used in similar processes and conclude that one is in scope but the other is not because there are adequate compensating controls for the latter. Add different auditors with some combination of different experience levels or familiarity with your business (or even different audit firms) and the variation in assessments will widen.

That noted, the most likely in-scope candidates are all those spreadsheets that have a direct impact on your financial statements, footnotes and disclosures, or those that play a role in key controls. This includes not just the primary spreadsheet file, but also all other subsidiary files whether there are electronic links or not. This may not be the final word but it is a reasonable place to start.

You might want to apply a process of starting with each number in the financial statements, footnotes and disclosures and asking, “Where did that number come from?” When the answer involves a spreadsheet, it should be considered in scope. But don't stop there. Where did the numbers on that spreadsheet come from? If the answer is another spreadsheet, it too should be considered in scope. You should continue the process until you can account for all of the spreadsheets that directly touch external reports. Just as the experience of having to answer a four-year-old's successive levels of “why?” can be illuminating, you may be surprised/shocked by the answers to the ongoing process of creating this “evidence chain.”

How to audit a spreadsheet can be a very long discussion. The basic requirements for the spreadsheet are being able to perform data validation checks and explicitly reviewing all formulas. If data in the spreadsheet come from other spreadsheets, linked or not, they should be audited as well. You can make auditing spreadsheets easier if you adopt consistent standards for structure and formatting (e.g., all inputs on a tab labeled “Inputs,” all cells that link to external spreadsheets have a light green fill, etc.). You should require every in-scope spreadsheet to have documentation about its use and structure. It also helps if you require anyone making changes to note the who-what-why-when-where aspects of those changes.

Managing spreadsheets that are in scope is a time-consuming and potentially costly process, so their number should be minimized. By this, I don't mean putting everything onto one or several massive spreadsheets (this is likely to make the problem even worse). You should minimize the number of numbers in the “evidence chain” that exist on a spreadsheet. While it is possible to compensate for spreadsheets' shortcomings (and there are a substantial number of internal spreadsheet features and third-party add-ons that aim to do this), using these techniques may not be the most practical solution and often enough they are not fail-safe. (Anyone that tries to “idiot-proof” a spreadsheet usually underestimates how clever and resourceful idiots can be.) As the AICPA notes on their website with respect to spreadsheets: “While there are ways to ferret out and correct most errors, CPAs should be aware that no foolproof solutions exist. At best, errors can be minimized, so the prudent user should stay alert to the danger and use all the available tools to find them.”

So far, when I have used the word “spreadsheet” I have been referring to the kind that runs on an individual's computer such as Microsoft's Excel or (if you still have it) Lotus 1-2-3. In recent years, an alternative to this standalone spreadsheet has emerged in the form of database-linked spreadsheet packages. (My firm, Ventana Research, refers to these as “enterprise spreadsheets.”) From a user's standpoint, these look and behave exactly like their familiar spreadsheet package (e.g., Excel), but since data and formulas are stored and managed in a central database they are far more controllable, far less error prone and therefore much easier to audit. Note that this is not the same as storing your spreadsheets on a central file server and managing access to them (although this is a core requirement for controlling standalone spreadsheets). Several software companies (although not yet Microsoft) offer spreadsheet software linked to a database server. They can reduce the workload required for auditing and maintaining in-scope spreadsheets—sometimes significantly.

Often enough, the easiest and most effective way of dealing with the question of whether a spreadsheet is “in scope” is to eliminate the spreadsheet entirely. Before SOX, controls were far less formal and did not have to be documented. The impact of errors in spreadsheets usually was not material (and might even go undetected). Companies could and did rely on their employees' basic honesty. Under SOX, this is no longer the case. This is why the true cost of using spreadsheets today may be quite a bit higher than other approaches.

How do you eliminate the number of numbers in the spreadsheet evidence chain? For example, it is often possible to program existing systems to calculate and post accruals or pass data directly from one system to another. This is probably more possible and cost-effective than you and others in your organization imagine. At first glance, this may seem more complicated, difficult and expensive—which it was in a time of less formal control structures. However, over the long run, processes that run on inherently more controllable IT systems rather than with standalone spreadsheets can save your organization considerable time and money both in the audit process as well as in executing day-to-day business.
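The "Where did that number come from?" walk described in the answer can be run mechanically once each file's sources have been inventoried. The sketch below is an added example, not part of Mr. Kugel's answer: the file names, report items and lineage records are constructed, and it assumes such an inventory exists, with manually re-keyed sources recorded alongside electronic links.

```python
from collections import deque

# Constructed sample inventory: item -> [(source, how the numbers arrive)].
# "link" = electronic link, "manual" = re-keyed by hand, "system" = non-spreadsheet system.
LINEAGE = {
    "10-K: accrued liabilities": [("accruals_summary.xlsx", "link")],
    "10-K: revenue footnote": [("ERP general ledger", "system"),
                               ("rev_by_region.xlsx", "manual")],
    "accruals_summary.xlsx": [("bonus_accrual.xlsx", "link"),
                              ("legal_reserve.xlsx", "manual")],
    # Circular reference back to the summary file (must not loop forever).
    "bonus_accrual.xlsx": [("HR payroll system", "system"),
                           ("accruals_summary.xlsx", "link")],
    "rev_by_region.xlsx": [("ERP general ledger", "system")],
    "legal_reserve.xlsx": [],  # nobody recorded where its inputs come from
    "team_lunch_budget.xlsx": [("ERP general ledger", "system")],  # feeds no report
}
REPORT_ITEMS = ["10-K: accrued liabilities", "10-K: revenue footnote"]


def trace_evidence_chain(lineage, report_items):
    """Walk back from each reported number through every spreadsheet feeding it.

    Returns (in_scope, undocumented): in_scope maps each spreadsheet to the
    chain from a reported number down to it; undocumented lists in-scope
    spreadsheets whose own sources were never recorded.
    """
    in_scope, undocumented = {}, []
    queue = deque((item, [item]) for item in report_items)
    while queue:
        node, path = queue.popleft()
        sources = lineage.get(node, [])
        if not sources and node in in_scope:
            undocumented.append(node)  # chain cannot be followed further
        for name, how in sources:
            # Linked or manual, a spreadsheet source is in scope either way.
            # A non-spreadsheet system ends the spreadsheet chain; the
            # already-seen check guards against circular references.
            if how == "system" or name in in_scope:
                continue
            in_scope[name] = path + [name]
            queue.append((name, path + [name]))
    return in_scope, sorted(undocumented)


if __name__ == "__main__":
    scope, gaps = trace_evidence_chain(LINEAGE, REPORT_ITEMS)
    for sheet, chain in scope.items():
        print(" <- ".join(chain))
    print("No recorded sources:", gaps)
```

A spreadsheet that no chain reaches, such as the constructed team_lunch_budget.xlsx, stays out of the result, while one that ends a chain with no recorded inputs is surfaced for follow-up.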

Note: Compliance Week's Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, and external counsel on all critical compliance and governance matters.
