Fast-breeding financial spreadsheets are an expensive and pernicious barrier to meeting the corporate governance demands of the US Sarbanes-Oxley Act, according to a joint study from BASDA and PricewaterhouseCoopers.
The report* assembled by a working party of UK business software developers working with the Big Four accounting firm noted that software houses are often asked if their programs are Sarbanes-Oxley compliant.
"There is no such thing as Sarbanes-Oxley compliant software, only compliant companies," the report warned. "The rules of the game have changed, and both customers and application providers need to adapt accordingly."
The study urges readers to take a positive approach to the Sarbanes-Oxley Act (SOX): "Aiming for mere compliance effectively means much of the investment is wasted - it should also be used to improve management information, process effectiveness and control to enhance decision making."
SOX is having far-reaching effects on IT systems and not just in the US. Many companies trading with US-based entities are being drawn into the compliance net and the European Union is currently considering similar proposals. "The overriding need to control processes will affect the way business systems are designed and implemented," the report notes.
From an IT standpoint, one of the first steps towards SOX compliance, and enjoying the resulting operational benefits, is to carry out an inventory of the systems that may affect financial statements.
Such inventories typically reveal that spreadsheets are being much more widely used for business processes and applications than is expected. One US company cited in the report uncovered the existence of 150,000 such spreadsheets.
The report characterised many of these spreadsheet-based processes as "overly complex, duplicative and fragmented systems" that lead to complex, overlapping control processes - the ultimate nightmare when it comes to meeting SOX internal control criteria. Auditors view spreadsheets as high-risk manual processes that have to be audited each time, rather than automated processes that only have to be audited once.
"End-user computing" - aka spreadsheets
Spreadsheets are identified in the report as one of the most common forms of "end-user computing" that poses risks to SOX compliance. Because they exist outside of the company's central control framework, these systems pose risks to the integrity of high-level financial reporting. End-user systems have a higher level of error than automated systems and, according to the report, cost more than nine times as much to set up, maintain and run.
In the face of these costs and risks, PwC warned, "Management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to mitigate this risk or if these should be mitigated to an application system with a more formalised information technology control environment."
BASDA chief executive Dennis Keeling paints a similar picture: "The move to integrated, with workflow, a single dataset and audit trail, will provide a simplified systems architecture that will be far easier to maintain and control."
But you would expect them to say that
A cynic might point out that the authors of the PwC-BASDA report have a lot to gain by promoting the implementation of more automated systems. While intended to improve corporate governance and bring compromised audit firms to heel, SOX has swelled the coffers of accountancy firms offering compliance services, as well as performance management software houses who claim to provide tools to support these new processes.
But UK managers would be well advised to pay attention to the report's underlying warnings, and wealth of supporting material - even if some of it is couched in less than illuminating compliance industry jargon.
Each section of the 27-page report includes key messages for chief information officers (CIOs) and software application developers. As expected, the section on application architecture notes the drive towards centralised and consolidated IT systems that automate as many controls as possible. It advises CIOs to ask hard questions about maintaining mixed installations (particularly in multiple countries) of core and legacy applications. But it also urges software developers to be "sensitive to the problems of their customers administering frequent upgrades."
In its appendix, the study includes a useful computer controls checklist - starting from board-level strategy and working down to details such as how IT complies with HR policies. Other useful areas touched on by the study include:
*The full BASDA/PwC white paper 'Implications of Sarbanes Oxley on IT' can be ordered from the BASDA website at a cost of £50 for non-members and £25 to BASDA members