The Business Controls Caddy

Spreadsheet, Audits and SOX Oh My!

When people talk about Section 404 of the Sarbanes-Oxley Act (SOX or Sarbox, depending on what you call it), much of the discussion centers around the costs of compliance, the level of controls needed, what needs to be tested, and which areas make a company most vulnerable. Buried in the discussions, but of great significance, is the use of spreadsheets and the level of controls surrounding their use in an organization. If you think about it for just a moment or two, especially if you have a background as an application developer, it is quite apparent why. Spreadsheets are everywhere and come in many flavours, whether they be Microsoft Excel, Lotus 1-2-3, Quattro Pro or OpenOffice. Everybody uses them, and often you see a big grin from an end-user when they have "figured out a way" to do something "really cool" in a spreadsheet. If you ever take the time to look at what they have done, you may just roll your eyes and say something under your breath.

This is the core of the problem with using spreadsheets, especially when they are used for operational processes and reporting. In a white paper published by PricewaterhouseCoopers (PwC) entitled "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", this is exactly the issue taken up: the inherent lack of controls resulting from the "ease of use" and availability of spreadsheets significantly increases the risk of a material misstatement in financial reporting. This paper, while being a great resource for thought and discussion purposes, does have what I consider to be one significant shortcoming, which I will discuss later on in this article. At the same time, it makes an eloquent case between the lines that the best tool to manage many spreadsheet controls is Lotus Notes and Domino.

PwC cites a study by Professor Raymond R. Panko at the University of Hawaii which found that of 54 spreadsheets audited, 91% of them had errors. The key to reducing these errors and managing risk is to understand how companies use spreadsheets and how complex those spreadsheets are. It is from this understanding that PwC presents its model for "dictating the strength" of the control environment surrounding each spreadsheet. It is a simple model that compares only these two "keys" to understanding.

This is where I feel their model is deficient, because nowhere does it measure the size/complexity of an organization or the geographic dispersion of organizational units. I feel this is as critical as the measures they use, for the simple reason that unless you have a handle on the scope, extent and cost of controls in such an environment, you cannot do an adequate risk and cost analysis, which is required to determine whether the cost of the controls exceeds the benefit derived.


And this is why the white paper, in this writer's opinion, makes a strong "between the lines" case for using Lotus Notes & Domino to manage controls over spreadsheets for Sarbanes-Oxley Section 404 compliance. What levels of controls need to be assessed, according to PwC?

  • Change Control
  • Version Control
  • Input Control
  • Security and Integrity of Data
  • Documentation
  • Development Lifecycle
  • Back-Ups
  • Archiving
  • Logic Inspection
  • Segregation of Duties/Roles and Procedures
  • Overall Analytics

If you look at this list, the first thing that may jump out at you, much as it did for me, is the out-of-the-box Document Management template. With minor modification, each of these control objectives can easily be handled and accounted for. Given that Lotus Notes & Domino is designed to work very well in a dispersed organization/environment, with an exceptionally strong security model, you are then providing a strong control environment for spreadsheets and their use. Notes & Domino applications do not need to be complex to provide immediate value to an organization, and this would be a good example of that in action.

This won't solve other problems, such as bad coding tricks performed by non-developers, but it can free up resources to concentrate on that other important area. I encourage you to download and read this white paper. It is only seven (7) pages of content, but the words used pack a lot of punch.
