Compliance Week: Remediation Center: Auditing The Use Of Spreadsheets Page 1 of 3
Remediation Center: Auditing The Use Of Spreadsheets
By Compliance Week — January 24, 2006
At the request of subscribers, Compliance Week has launched a Remediation Center, in which readers
can submit questions—anonymously—to securities and accounting experts. Compliance Week's editors
will review all questions and then submit them—confidentially, of course—to specialists who can
address the issues. The questions and responses will then be reprinted in a future edition of Compliance
Week. Below is one of the Q&As; ask your own questions by clicking here.
THE QUESTION

Anonymous — Is there guidance on how to audit the use of spreadsheets for SOX 404 purposes other than the PwC-sponsored white paper? This white paper is very general and does not answer most of our specific questions regarding which spreadsheets should be considered in-scope for SOX 404 purposes.

ABOUT THE EXPERT

Robert D. Kugel, CFA, is a vice president and research director at

A technology analyst for over 20 years, Kugel heads up the Financial Performance Management practice at Ventana, focusing on the intersection of information technology and the finance organization.

Prior to joining Ventana Research, he was an equity research analyst at several firms including First Albany Corporation, Morgan Stanley, and Drexel Burnham.

A veteran of The Wall Street Journal's "All-Star" list who also was an Institutional Investor All-American Team member, Kugel previously served as a consultant with McKinsey and Company.

Kugel can be reached via email or at

Related White Paper

The Use Of Spreadsheets: Considerations Under SOX (PwC)

ANSWER

Robert Kugel, Ventana Research — The PwC-sponsored white paper (see box at right) lays out an excellent framework for assessing which among the thousands of spreadsheets typically used by an accelerated filer’s finance organization should be considered “in scope.” It also describes some of the necessary controls for these spreadsheets.

While any spreadsheet used to consolidate financial results or which calculates material accruals is clearly in scope, large companies may have hundreds that are in a grey area—which explains your frustration. There are many difficulties in being more prescriptive about what is in scope.

For example, the same auditor may look at two similar spreadsheets used in similar processes and conclude that one is in scope but the other is not because there are adequate compensating controls for the latter. Add different auditors with some combination of different experience levels or familiarity with your business (or even different audit firms) and the variation in assessments will widen.

That noted, the most likely in-scope candidates are all those spreadsheets that have a direct impact on your financial statements, footnotes and disclosures, or those that play a role in key controls. This includes not just the primary spreadsheet file, but also all other subsidiary files whether there are electronic links or not. This may not be the final word but it is a reasonable place to start.
You might want to apply a process of starting with each number in the financial statements, footnotes and
disclosures and asking, “Where did that number come from?” When the answer involves a spreadsheet, it
should be considered in scope. But don’t stop there. Where did the numbers on that spreadsheet come from?
If the answer is another spreadsheet, it too should be considered in scope. You should continue the process
until you can account for all of the spreadsheets that directly touch external reports. Just as the experience
of having to answer a four-year-old’s successive levels of “why?” can be illuminating, you may be
surprised/shocked by the answers to the ongoing process of creating this “evidence chain.”
How to audit a spreadsheet can be a very long discussion. The basic requirements for the spreadsheet are
being able to perform data validation checks and explicitly reviewing all formulas. If data in the spreadsheet
come from other spreadsheets, linked or not, they should be audited as well. You can make auditing
spreadsheets easier if you adopt consistent standards for structure and formatting (e.g., all inputs on a tab
labeled “Inputs,” all cells that link to external spreadsheets have a light green fill, etc.). You should require
every in-scope spreadsheet to have documentation about its use and structure. It also helps if you require
anyone making changes to note the who-what-why-when-where aspects of those changes.
Managing spreadsheets that are in scope is a time-consuming and potentially costly process, so their number
should be minimized. By this, I don’t mean putting everything onto one or several massive spreadsheets (this
is likely to make the problem even worse). You should minimize the number of numbers in the “evidence
chain” that exist on a spreadsheet. While it is possible to compensate for spreadsheets’ shortcomings (and
there are a substantial number of internal spreadsheet features and third-party add-ons that aim to do this),
using these techniques may not be the most practical solution and often enough they are not fail-safe.
(Anyone that tries to “idiot-proof” a spreadsheet usually underestimates how clever and resourceful idiots can
be.) As the AICPA notes on their website with respect to spreadsheets: “While there are ways to ferret out and
correct most errors, CPAs should be aware that no foolproof solutions exist. At best, errors can be minimized,
so the prudent user should stay alert to the danger and use all the available tools to find them.”
So far, when I have used the word “spreadsheet” I have been referring to the kind that runs on an individual’s
computer such as Microsoft’s Excel or (if you still have it) Lotus 1-2-3. In recent years, an alternative to this
standalone spreadsheet has emerged in the form of database-linked spreadsheet packages. (My firm, Ventana
Research, refers to these as “enterprise spreadsheets.”) From a user’s standpoint, these look and behave
exactly like their familiar spreadsheet package (e.g., Excel), but since data and formulas are stored and
managed in a central database they are far more controllable, far less error prone and therefore much easier
to audit. Note that this is not the same as storing your spreadsheets on a central file server and managing
access to them (although this is a core requirement for controlling standalone spreadsheets). Several software
companies (although not yet Microsoft) offer spreadsheet software linked to a database server. They can
reduce the workload required for auditing and maintaining in-scope spreadsheets—sometimes significantly.
Often enough, the easiest and most effective way of dealing with the question of whether a spreadsheet is “in
scope” is to eliminate the spreadsheet entirely. Before SOX, controls were far less formal and did not have to
be documented. The impact of errors in spreadsheets usually was not material (and might even go
undetected). Companies could and did rely on their employees’ basic honesty. Under SOX, this is no longer
the case. This is why the true cost of using spreadsheets today may be quite higher than other approaches.
How do you eliminate the number of numbers in the spreadsheet evidence chain? For example, it is often
possible to program existing systems to calculate and post accruals or pass data directly from one system to
another. Probably more possible and cost effective than you and others in your organization imagine. At first
glance, this may seem more complicated, difficult and expensive—which it was in a time of less formal control
structures. However, over the long run, processes that run on inherently more controllable IT systems rather
than with standalone spreadsheets can save your organization considerable time and money both in the audit
process as well as in executing day-to-day business.
Note: Compliance Week's Remediation Center is an information service only. Answers to questions should not
be construed to be legal guidance. Consult with your auditors, internal counsel, and external counsel on all
critical compliance and governance matters.
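
The "evidence chain" walk described in the answer, as an added example that is not part of the original Q&A or any Compliance Week or Ventana material: starting from the spreadsheets behind reported figures, it follows every source, electronically linked or manually re-keyed, until no new spreadsheet appears, then lists in-scope files that lack documentation or a change log. The inventory layout, file names and field names are constructed for illustration.

```python
from collections import deque

# Constructed inventory: where each spreadsheet's numbers come from.
# "link" = electronic link, "manual" = values re-keyed or pasted in.
INVENTORY = {
    "consolidation.xls": {"sources": [("accruals.xls", "link"), ("fx_rates.xls", "manual")],
                          "documented": True, "change_log": True},
    "accruals.xls": {"sources": [("bonus_calc.xls", "manual")],
                     "documented": True, "change_log": False},
    "fx_rates.xls": {"sources": [], "documented": False, "change_log": False},
    "bonus_calc.xls": {"sources": [("accruals.xls", "link")],  # circular feed
                       "documented": False, "change_log": True},
    "sales_forecast.xls": {"sources": [("fx_rates.xls", "link")],  # feeds no reported figure
                           "documented": False, "change_log": False},
}
# Constructed mapping: reported figure -> spreadsheet that produces it.
REPORTED = {"Net income": "consolidation.xls", "Accrued liabilities": "accruals.xls"}


def evidence_chain(inventory, reported):
    """Map each in-scope spreadsheet to the path leading back to a reported figure."""
    chain, queue = {}, deque()
    for figure, sheet in reported.items():
        if sheet not in chain:
            chain[sheet] = [figure, sheet]
            queue.append(sheet)
    while queue:
        sheet = queue.popleft()
        # A file that is referenced but never inventoried has no known sources.
        sources = inventory.get(sheet, {"sources": []})["sources"]
        for source, _kind in sources:      # manual feeds count the same as links
            if source not in chain:        # also ends circular references
                chain[source] = chain[sheet] + [source]
                queue.append(source)
    return chain


def control_gaps(inventory, chain):
    """In-scope spreadsheets that are uninventoried or lack documentation / change log."""
    gaps = {}
    for sheet in chain:
        entry = inventory.get(sheet)
        missing = (["not in inventory"] if entry is None
                   else [c for c in ("documented", "change_log") if not entry[c]])
        if missing:
            gaps[sheet] = missing
    return gaps


if __name__ == "__main__":
    scope = evidence_chain(INVENTORY, REPORTED)
    print(*(" <- ".join(path) for path in scope.values()), sep="\n")
    print(control_gaps(INVENTORY, scope))
```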