
The risk detectors versus the spreadsheet

24th Oct 2005

"A spreadsheet is like having the company chequebook in your desk drawer. There's a difference between being able to spend money and doing it within a proper, controlled environment."

This is the view of David Bishop, leader of PricewaterhouseCoopers' risk assessment services practices in the UK, a man who spends his working life identifying how much trouble spreadsheets are causing to the organisations that use them.

Bishop and his colleague Grant Waterfall recently collaborated with the software trade body BASDA to produce a report exploring the implications of the US Sarbanes-Oxley Act on financial software and reporting practices in the UK. In this interview, they expand on their findings and offer some practical suggestions on how to minimise spreadsheet risks.

BASDA approached PwC for the Sarbanes-Oxley research because of the firm's well-known interest in the area. One of the most contentious areas of internal control revolves around spreadsheets, says Bishop: "When you do an inventory of them, it's pretty normal to encounter thousands of spreadsheets. We come across them because companies are trying to comply with section 404, but that would be a concern for anyone. A couple of million orphan IDs isn't good whether or not you have to comply with s404."

How the risks arise
As many users will be aware, spreadsheets can cause financial control problems because they lack any in-built structure or controls.

Change control is a basic building block of assurance, and something that Excel lacks. "If a spreadsheet sits on the desktop of someone who has just a little knowledge of how to operate and configure it, that's a dangerous environment if the application it's being used for is business critical," Bishop explains.

"You can very quickly corrupt spreadsheets by altering very little of the content. And that's extremely hard to trace. If you've got no means of verifying them, or no audit process surrounding them, that's a massive risk.

"More often than not, you turn the handle and process it and models are far too complex for people to understand what comes out at the other end."

Where the spreadsheet dangers lurk
Spreadsheet use is so widespread, and the uses to which spreadsheets are applied are so varied, that the PwC risk assessors struggle to pick out particular problem areas. Technology risk specialist Grant Waterfall comments, "Normally you find spreadsheets in the financial reporting arena. Alarm bells go off if you find 20,000 spreadsheets within a centralised financial reporting function. If you find that many, you've got to start asking questions - why are the financial systems not producing the information management needs?"

Bishop warms to the theme. "It starts focusing your mind if you find that people are using spreadsheets for things like billing, which they're not designed to do."

In spite of its limitations, Excel is frequently used for billing or processing invoices. "If you take account of what it's being used for, the amount of manipulation required and the associated risks, I would say a spreadsheet could never take on that amount of processing," says Bishop.

Pricing and revenue recognition models are also classic cases where spreadsheets can introduce risks to the reporting process. "If you see a situation where a customer invoice is generated from a routine ERP environment, but between the invoice being issued and recorded into the ledger and accounts prepared a spreadsheet is used to manipulate and represent the ERP information, that presents a high-risk situation," he warns.

Third wave data extraction systems
In recent years, "middleware" tools have emerged that attempt to manage the flow of data between ERP/accounts systems and spreadsheets. But for Bishop and his colleagues, they pose as many questions as they answer.

"There's nothing wrong with using a data extraction tool to take data off a system and analyse it in one way," says Bishop. "The issue becomes what you then do with that data between extracting it and putting it into management reports or statutory financial statements.

"The first question I would ask is why do you need to put something between a robust and well controlled system and an end reporting situation? What is the necessity to do that?"

If the spreadsheet's purpose is to manipulate - not necessarily in a malevolent sense - the amount or timing of numbers that come out of an accounting system before they go into financial reports, that creates a risk either by omission or commission. "That sets alarm bells ringing," says Bishop.

Data extraction tools are part of the normal life of analysis, and some of them can impose a degree of control that would otherwise be missing. The key test for these systems, he says, is whether they can be shown to be risk-managed within a sound IT and internal control environment. He's willing to accept their use if users can demonstrate that controls exist, and prove them by testing the inputs and outputs of the extraction and reporting systems.

Yet some of the same problems can undermine the built-in reporting functions of "robust" accounting and reporting systems from the likes of SAP, Oracle and Hyperion.

"In theory those applications can provide the sorts of controls David refers to," Waterfall explains. "They can also be used in an unstructured way to produce reports. If companies use them in an unstructured way, they're almost as bad as spreadsheets."

Bishop refers to a recent client experience: "We were talking to a company about its treasury and cash management system. They were working in an SAP environment, but had not elected to turn on some of SAP's treasury module. So they were working with spreadsheets to get cash management and reporting done. So as a result they were working in a poorly controlled environment. Once we explained how SAP could be used and better controlled, the light went on. They hadn't twigged what they could get out of it."

Identifying and minimising the risks
PwC's risk assessment team, who spend their lives analysing financial reporting systems, operate a classification system to sort risks into high, moderate and low categories and then seek to tailor the control environment to cater for the different risk levels. Spreadsheets in themselves do not pose unacceptable dangers, but the risk ratings start climbing if unprotected and undocumented Excel spreadsheets contain key ingredients of the financial or management reports.

Large spreadsheets or large numbers of smaller models pose problems because they represent the development of complex, ad hoc systems.

The Sarbanes-Oxley Act has played a major part in focusing attention on internal controls - resulting in many cases in significant investments in financial process consulting and software - but Bishop emphasises that many of the concerns raised by the BASDA report are not specific to the US legislation. "They are legitimate areas of concern for controls for any IT or financial reporting environment."

To minimise the risks, the PwC/BASDA report suggests the following actions:

  • Choose and work within an internationally recognised governance framework
  • Integrate IT with the broader internal control agenda
  • Take an inventory of your IT assets
  • Assess the impact of your applications
  • Address end-user computing and undocumented spreadsheets
  • Understand how outsourcing is controlled.

Parallel concerns are beginning to emerge in the UK from the Operating and Financial Review (OFR) that listed companies are now required to include in their annual results, he notes.

"The financial reporting process has been subject to scrutiny for many years, so it is generally well controlled," he says. "But some of the non-financial information that will end up in the OFR is being looked at for publication for the first time. How are companies going to apply controls to the key performance indicators that go into the OFR?"

According to PwC, the lesson of Sarbanes-Oxley is that the level of reliability of information that comes out of a s404-compliant system is greater than that from an unvetted system. "The value of having a very robust evaluation, documentation and testing regime is more than just ticking a compliance box," says Waterfall. "There is some value in having that robustness around the numbers being generated."

The BASDA/PwC white paper 'Implications of Sarbanes Oxley on IT' can be ordered from the BASDA website at a cost of £50 for non-members and £25 for BASDA members.