Spreadsheet, Audits and SOX Oh My!
When people talk about Section 404 of the Sarbanes-Oxley Act (SOX or Sarbox, depending on what you call it), much of the discussion centers around the costs of compliance, the level of controls needed, what needs to be tested, and what areas make a company most vulnerable. Buried in these discussions, but of great significance, is the use of spreadsheets and the level of controls surrounding their use in an organization. If you think about it for just a moment or two, especially if you have a background as an application developer, it is quite apparent why. Spreadsheets are everywhere and come in many flavours, whether they be Microsoft Excel, Lotus 1-2-3, Quattro Pro or OpenOffice. Everybody uses them, and oftentimes you see a big grin from an end-user when they have "figured out a way" to do something "really cool" in a spreadsheet. If you ever take the time to look at what they have done, you may just roll your eyes and say something under your breath.
This is the core of the problem with using spreadsheets, especially when they are used for operational processes and reporting. In a white paper published by PricewaterhouseCoopers (PwC) entitled "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", this is exactly the issue taken up: the inherent lack of controls resulting from the "ease of use" and availability of spreadsheets significantly increases the risk of a material misstatement in financial reporting. This paper, while being a great resource for thought and discussion purposes, does have what I consider to be one significant shortcoming, which I will discuss later on in this article. At the same time, it makes an eloquent case between the lines that the best tool to manage many spreadsheet controls is Lotus Notes and Domino.
PwC cites a study by Professor Raymond R. Panko at the University of Hawaii which found that of 54 spreadsheets audited, 91% of them had errors. The key to reducing these errors and managing risk is to understand how companies use spreadsheets and how complex these spreadsheets are. It is from this understanding that PwC presents their model for "dictating the strength" of the control environment surrounding each spreadsheet. It is a simple model that compares only these two "keys" to understanding.
This is where I feel their model is deficient, because nowhere does it measure the size/complexity of an organization or the geographic disparity of its organizational units. I feel this is as critical as the measures they use, for the simple reason that unless you have a handle on the scope, extent and cost of controls in such an environment, you cannot do an adequate risk and cost analysis, which is required to determine whether the costs of the controls exceed the benefit derived. And this is why the white paper, in this writer's opinion, makes a strong "between the lines" case for using Lotus Notes & Domino to manage controls over spreadsheets for Sarbanes-Oxley Section 404 compliance. What levels of controls need to be assessed according to PwC?: