|
Go Back to Sarbanes Oxley Home Page
Part 2- High level
spreadsheet analyses are critical to spreadsheet maintenance
By Adrian Miric*
|
|
|
In the previous column
we discussed the risks spreadsheets pose to organizations in
general and organizations trying to meet Sarbanes-Oxley
legislation of 2002 in the US in particular.
Some pundits suggest that the only way to remove the errors that
spreadsheets often allow to creep into the organisation is to
eradicate the spreadsheets themselves. What they neglect to consider
is the flexibility and value for money that spreadsheets provide.
|
Ridding an organisation of spreadsheets in the interests of
eradicating financial reporting error is similar to unplugging the
network in the interests of security. In theory it’s a great idea; in
practice it’s unworkable.
If the risks associated with spreadsheets are carefully considered,
and the potential solutions to these risks explored, then it becomes
clear that in many cases the financial gain of employing spreadsheets
can readily be satisfied.
In
exploring the potential solutions, it is important to take two factors
into account: the primary question is: “What impact will an error have
on the organisation should it occur?”; and the second is: “What is the
probability that the error will occur?
|
|
|
Impact
Before an organisation can understand the impact of spreadsheets on
the business they will need to know the extent of spreadsheet use
throughout the organisation and what they are being used for.
Identifying and documenting every spreadsheet in the business is
time-consuming and as soon as the report is printed, it is old news. A
high-level spreadsheet analysis resolves this and is
accomplished in part by referring to Y2K and security
projects because they may indicate where spreadsheets are
used and where difficulties lay in the past. The
organization's auditors should also be consulted, including
external, internal and IT auditors, to ascertain which areas
of organisational information are supplied in spreadsheets. The HR department can
pinpoint senior and more qualified employees because these tend to
make greater use of spreadsheets. In terms of legislation,
Sarbanes-Oxley in particular, financial statements should be reviewed
and the source of each piece of information ascertained.
These pieces of information may, for example, include provisions,
contingencies and commitments, which are often spreadsheet dependent.
In addition, for example,
turnover figures may be derived from a formal IT system but then be
adjusted in a spreadsheet prior to being combined with the rest of the
financial results. Forward-looking information, such as pension
liabilities, is particularly at risk as it is often based on
spreadsheet calculations and there is generally very little to check
it against.
|
By
the conclusion of this process, which should not be lengthy, the
organisation will have developed a good idea of where the important
spreadsheets are used and, more importantly, which employees rely on
spreadsheets.
Spreadsheet risks are really people issues so providing employees with
the proper training and tools to more effectively use spreadsheets
alleviates much of the risk.
Completing the high-level spreadsheet analysis also identifies those areas of the
business that are more heavily impacted by spreadsheet use and a plan
to tackle the risks can be employed, beginning where the highest
impact is expected.
Probability of errors
Once businesses ascertain in which areas spreadsheets predominate and
have considered where errors would have the greatest impact on the
business, the probability of errors can be prioritised.
The
likelihood that an error will occur increases with the following
influencing parameters:
-
The original developer no longer works at the company or in the
department;
-
There is little or no spreadsheet documentation;
-
Spreadsheet results cannot be verified against another source,
in the way that a bank reconciliation can be verified with a bank
statement;
-
Changes continue to be made to spreadsheets;
-
Changes are made under time pressure;
-
Little time is spent on up-front planning;
-
Developer skills are in question; and
-
The business issues are not clear to the developers
End
result
At
the end of this you should have a high-level analysis of where your
risks lie.
There will be some departments where the majority of staff use
spreadsheets significantly and regularly. The only way to address
these departments is to ensure that employees have the tools and
training to limit the risks. You should also have a spreadsheet analysis review
group with the skills to assist spreadsheets users, which will be
discussed in greater detail in the third series of this column.
Where a few key spreadsheets are used in a department or division,
attention can be paid to the spreadsheets and not the users. This is
achieved by having the review group test the spreadsheets
comprehensively and then ensure that the correct access controls are
in place. This can be automated through available software that will
also maintain an audit trail of which users access and make changes to
the spreadsheet. Version control can be performed and changes between
versions highlighted.
Inability to address these issues most often results in loss of money,
regulatory compliance issues being raised or a damaged reputation. The
effects range from minor to devastating.
US-based Tweeter Entertainment Group’s auditor said that its
spreadsheet controls were “not sufficient” in the fourth quarter,
reported the Boston Herald.
The
Office of the State Auditor in Utah
in the US uncovered a $2 million overstatement of the direct cost base
in the Division of Wildlife Resources in the Department of Natural
Resources. The error was due to a cell being linked to an incorrect
spreadsheet for direct salaries and benefits. That resulted in the
auditor reporting a breach of standards.
Understanding the risks and knowing where they lie ensures companies
are a step ahead in achieving practical solutions and mitigating risks
to acceptable levels.
* In part 3 we discuss the importance of
establishing a spreadsheet analysis review group.
Go to
part 3 [
Z
Go back to part 1
*
Adrian Miric is MD of Miricle
Solutions.
He is a chartered accountant with IT experience, financing experience
and spent five years auditing and designing spreadsheets with KPMG.
|
Quotable : People who
grow alarmed at what privacy they may be giving up each time they
use the Internet have not fully grasped how much they routinely
reveal each time they...draw a salary, dial the phone, subscribe
to a magazine, join a club, enter a hospital, complete a coupon,
enter a contest, hook up to cable TV, or use their credit cards to
make the most innocent of purchases - even a throwaway novel at
their local independent bookstore. (Richard Powers author)
|
|
|
Visit our
free SOX page where you can learn how to address spreadsheet risks
by using Excel only |
|
