
BASDA and PwC highlight spreadsheet vulnerabilities

27th Sep 2005

Fast-breeding financial spreadsheets are an expensive and pernicious barrier to meeting the corporate governance demands of the US Sarbanes-Oxley Act, according to a joint study from BASDA and PricewaterhouseCoopers.

The report* assembled by a working party of UK business software developers working with the Big Four accounting firm noted that software houses are often asked if their programs are Sarbanes-Oxley compliant.

"There is no such thing as Sarbanes-Oxley compliant software, only compliant companies," the report warned. "The rules of the game have changed, and both customers and application providers need to adapt accordingly."

The study urges readers to take a positive approach to the Sarbanes-Oxley Act (SOX): "Aiming for mere compliance effectively means much of the investment is wasted - it should also be used to improve management information, process effectiveness and control to enhance decision making."

SOX is having far-reaching effects on IT systems and not just in the US. Many companies trading with US-based entities are being drawn into the compliance net and the European Union is currently considering similar proposals. "The overriding need to control processes will affect the way business systems are designed and implemented," the report notes.

From an IT standpoint, one of the first steps towards SOX compliance, and towards enjoying the resulting operational benefits, is to carry out an inventory of the systems that may affect financial statements.

Such inventories typically reveal that spreadsheets are being much more widely used for business processes and applications than is expected. One US company cited in the report uncovered the existence of 150,000 such spreadsheets.

The report characterised many of these spreadsheet-based processes as "overly complex, duplicative and fragmented systems" that lead to complex, overlapping control processes - the ultimate nightmare when it comes to meeting SOX internal control criteria. Auditors view spreadsheets as high-risk manual processes that have to be audited each time, rather than automated processes that only have to be audited once.
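The inventory step described above is the one piece of this that an IT team can actually automate. The script below is an added example and is not part of the BASDA/PwC report or of any product it mentions: it walks a directory tree, records every spreadsheet it finds with a content hash, flags workbooks that carry a VBA project or pull data from other workbooks (in the standard OOXML package layout these show up as the `xl/vbaProject.bin` member and the `xl/externalLinks/` folder inside the zip container), and compares two scans so that silent edits to files with no audit trail of their own are at least detected. The set of file extensions treated as spreadsheets is an assumption, and the sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Spreadsheet inventory and change detection (added example, not the report's own code)."""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Extensions counted as spreadsheets in this example (an assumption; extend as needed).
SPREADSHEET_SUFFIXES = {".xls", ".xlsx", ".xlsm", ".csv"}


@dataclass(frozen=True)
class SpreadsheetRecord:
    path: str                  # path relative to the scanned root
    size: int                  # size in bytes
    sha256: str                # content hash, used to detect edits between scans
    has_macros: bool           # OOXML package contains a VBA project
    has_external_links: bool   # workbook pulls data from other workbooks


def inspect_package(path: Path):
    """Look inside an OOXML (.xlsx/.xlsm) zip container for two risk indicators.
    .xls and .csv files are not zip containers and simply report (False, False)."""
    if not zipfile.is_zipfile(path):
        return False, False
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
    has_macros = "xl/vbaProject.bin" in names
    has_links = any(n.startswith("xl/externalLinks/") for n in names)
    return has_macros, has_links


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large workbooks do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root) -> dict:
    """Return {relative_path: SpreadsheetRecord} for every spreadsheet under root."""
    root = Path(root)
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SPREADSHEET_SUFFIXES:
                continue
            macros, links = inspect_package(p)
            rel = str(p.relative_to(root))
            records[rel] = SpreadsheetRecord(rel, p.stat().st_size, sha256_of(p), macros, links)
    return records


def diff_inventories(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed (hash differs) between two scans."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p].sha256 != current[p].sha256),
    }


def _write_package(path: Path, members: dict) -> None:
    """Write a minimal zip with the given member names (constructed sample data)."""
    with zipfile.ZipFile(path, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)


def build_sample_tree(root) -> None:
    """Constructed sample: a plain workbook, a macro-enabled workbook with an
    external link, a CSV export, and a text file that must be ignored."""
    root = Path(root)
    (root / "finance" / "q3").mkdir(parents=True)
    _write_package(root / "finance" / "budget.xlsx", {"xl/workbook.xml": b"<workbook/>"})
    _write_package(root / "finance" / "q3" / "consol.xlsm",
                   {"xl/workbook.xml": b"<workbook/>",
                    "xl/vbaProject.bin": b"\x00",
                    "xl/externalLinks/externalLink1.xml": b"<externalLink/>"})
    (root / "finance" / "export.csv").write_text("account,amount\n1000,42.00\n")
    (root / "finance" / "notes.txt").write_text("not a spreadsheet\n")


def demo() -> dict:
    """Scan the sample tree, simulate an uncontrolled edit, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = inventory(tmp)
        (Path(tmp) / "finance" / "export.csv").write_text("account,amount\n1000,4200.00\n")
        after = inventory(tmp)
        return {
            "count": len(before),
            "macro_files": sorted(r.path for r in before.values() if r.has_macros),
            "linked_files": sorted(r.path for r in before.values() if r.has_external_links),
            "diff": diff_inventories(before, after),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run periodically against file shares and keep each inventory, and the "changed" list becomes the audit trail that the report says spreadsheets lack; the macro and external-link flags are the files to look at first when deciding which spreadsheets need controls or should move into an application system.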

"End-user computing" - aka spreadsheets
Spreadsheets are identified in the report as one of the most common forms of "end-user computing" that poses risks to SOX compliance. Because they exist outside of the company's central control framework, these systems pose risks to the integrity of high-level financial reporting. End-user systems have a higher level of error than automated systems and according to the report cost more than nine times as much to set up, maintain and run.

In the face of these costs and risks, PwC warned, "Management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to mitigate this risk or if these should be mitigated to an application system with a more formalised information technology control environment."

BASDA chief executive Dennis Keeling paints a similar picture: "The move to integrated, with workflow, a single dataset and audit trail, will provide a simplified systems architecture that will be far easier to maintain and control."

But you would expect them to say that
A cynic might point out that the authors of the PwC-BASDA report have a lot to gain by promoting the implementation of more automated systems. While intended to improve corporate governance and bring compromised audit firms to heel, SOX has swelled the coffers of accountancy firms offering compliance services, as well as performance management software houses who claim to provide tools to support these new processes.

But UK managers would be well advised to pay attention to the report's underlying warnings, and wealth of supporting material - even if some of it is couched in less than illuminating compliance industry jargon.

Each section of the 27-page report includes key messages for chief information officers (CIOs) and software application developers. As expected, the section on application architecture notes the drive towards centralised and consolidated IT systems that automate as many controls as possible. It advises CIOs to ask hard questions about maintaining mixed installations (particularly in multiple countries) of core and legacy applications. But it also urges software developers to be "sensitive to the problems of their customers administering frequent upgrades."

In its appendix, the study includes a useful computer controls checklist - starting from board-level strategy and working down to details such as how IT complies with HR policies. Other useful areas touched on by the study include:

  • Computer security
  • Business continuity planning
  • Interfacing with outsourcing partners
  • Explanations of relevant sections of the SOX Act: s402, on executive certification of internal controls; s404 (management assessment of internal controls); and s409 (real-time disclosure of material changes).
  • Corporate governance control frameworks. Three systems are described in detail: COSO, US guidelines from the 1990s that lay out four key internal control concepts; COBIT (Control Objectives for Information and related Technology), a nuts-and-bolts IT governance framework; and ISO17799, the international standard for computer security.

    *The full BASDA/PwC white paper 'Implications of Sarbanes Oxley on IT' can be ordered from the BASDA website at a cost of £50 for non-members and £25 to BASDA members

    Related articles

  • Will SOX drive Excel out of management reporting?
  • ExcelZone tackles Excel reporting risks
  • Sarbanes-Oxley stimulates interest in CPM


    Replies (2)


    John Stokdyk, AccountingWEB head of insight
    By John Stokdyk
    27th Sep 2005 17:41

    Comment from Richard Anning, product marketing director
    We approached Richard Anning, product marketing director of SunSystems, for his perspective on the report. Richard was a member of the BASDA working party, but also has applications within his portfolio that pour data directly from the financial ledgers and data tables into Excel or Word. Did he really see SOX as the death knell for Excel-based financial reporting tools?

    "SOX is targeted at listed US corporations, but we're getting feedback from the US that they are pushing it down their supply chains. When large organisations get audited, they go to their suppliers and ask them to fill in questionnaires to show they're good citizens too."

    "With the EU modernisation of accounting directives, this is going to come down to SMEs in the UK. It's only a matter of time and it's not going to be a surprise. And companies should be running their books accurately. They shouldn't need SOX to tell them to do their accounts right."

    Anning adds that one of the points PwC made during the working party meetings was that from a SOX perspective, "Spreadsheets are not the nightmare they could be, provided you actually box in the problem. Provided you know where the spreadsheets are and you have adequate controls on data going in and out, you can deal with SOX - which is good news for 90% of accountants who love and use Excel."

    Going forward, however, Anning could see that budgeting and forecasting tools - which have a material effect on managing investor expectations - will tend to migrate away from Excel, even while it remains popular for reporting functions.

    "Many FDs are probably doing budgets with spreadsheets now. As we get new technologies that can automate the process for them and provide one version of the truth in a fully auditable central system that gives them the same capabilities as Excel, one can imagine that that's the way the market is going to go."

    "If you look at the UK financial software marketplace, you will see that a large number of vendor organisations are struggling and rushing to provide these types of capabilities."

    John Stokdyk
    Technology editor

    By Anonymous
    28th Sep 2005 09:53

    Does QuickBooks comply with SOX?
    At one time this program was only a 'balancing system' and not a true double entry application - maybe this has changed; but if not what is the position?

    Furthermore (although one could be wrong) it does not seem to have an Audit Trail, which inevitably results in changes simply vanishing and not being recorded for Auditors etc.

    With these 'features' how is it possible to ensure '... adequate controls ...' are in place; ultimately does this leave those running QuickBooks exposed?
