The Business Controls Caddy

Permalink Spreadsheet, Audits and SOX Oh My!




When people talk about Section 404 of the Sarbanes-Oxley Act (SOX or Sarbox depending on what you call it), much discussion centers around the costs of compliance, the level of controls needed, what needs to be tested,and what area make a company most vulnerable. Buried in the discussions, but of great significance, are the use of spreadsheets and the level of controls surrounding their use in an organization. If you think about it for just a moment or two, especially if you have a background as an application developer, it is quite apparent why. Spreadsheets are everywhere and come in many flavours, whether they be Microsoft Excel, Lotus 1-2-3, Quattro Pro or OpenOffice. Everybody uses them and often times you see a big grin from an end-user when they have "figured out a way" to do something "really cool" in a spreadsheet. If you ever take the time to look at what they have done, you may just roll your eyes and say something under your breath.

This is the core of the problem with using spreadsheets, especially if used for operational processes and reporting. In a white paper published by PricewaterhouseCoopers (PwC) entitled "
The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", this is exactly the issue taken up: the inherent lack of controls resulting from the "ease of use" and availability significantly increase the risk of a material misstatement on financial reporting. This paper, while being a great resource for thought and discussion purposes, does have what i consider to be one significant shortcoming which I will discuss later on in this article. At the same time, it makes an eloquent case between the lines that the best tool to manage many spreadsheet controls is Lotus Notes and Domino.

PwC cites a study by Professor Raymond R. Parko at the University of Hawaii found that of 54 spreadsheets audited, 91% of them had errors. The key to reducing these errors and managing risk are to understand how companies use spreadsheets and how complex these spreadsheets are. It is using this understanding that PwC presents their model for "dictating the strength" of the control environment surrounding each spreadsheet. It is a simple model that only compares these two "keys" to understanding.

This is where I feel their model is deficient because nowhere does it measure the size/complexity of an organization or the geographic disparity of organizational units. I feel this is as critical as the measures they use for the simple reason that unless you have a handle on the scope, extent and cost of controls in such an environment, you cannot do and adequate risk and cost analysis required to determine if the costs of the controls exceed the benefit derived.


And this is why the white paper, in this writer's opinion, makes a strong "between the lines" case to use Lotus Notes & Domino to manage controls over spreadsheets for Sarbanes-Oxley Section 404 Compliance. What levels of controls need to be assessed according to PwC?:

  • Change Control
  • Version Control
  • Input Control
  • Security and Integrity of Data
  • Documentation
  • Development Lifecycle
  • Back-Ups
  • Archiving
  • Logic Inspection
  • Segregation of Duties/Roles and Procedures
  • Overall Analytics
If you look at this list, the first thing that may jump out at you, much as it did for me, was the out-of-the-box Document Management template. With minor modification, each of these control objectives can easily be handled and accounted for. Given that Lotus Notes & Domino is designed to work very well in a dispersed organization/environment with an exceptionally strong security model, you are then providing a strong control environment for spreadsheets and their use. Notes & Domino Applications do not need to be complex to provide immediate value to an organization and this would be a good example of that in action.

This won't solve other problems such as bad-coding tricks performed by non-developers, but it can free up resources to concentrate on this other important area. I encourage you to download and read this white paper. It is only seven (7) pages of content, but the words used pack a lot of punch.



free html hit counter