
Spreadsheet Blues: Few Controls Yield Many Weaknesses

By Matt Kelly August 23, 2005

Hussain Hasan, managing director of technology risk management services at the Chicago accounting firm
RSM McGladrey, does not mince words when discussing how poorly spreadsheets satisfy the requirements
of The Sarbanes-Oxley Act of 2002.
"They don't at all," Hasan says. "Most public companies should not use spreadsheets as their main financial
tool."
Such criticism from Hasan might sound harsh for one of corporate America's most ubiquitous business tools,
but experts say the lack of enterprise-strength security controls means spreadsheets must remain in the
crosshairs of executives and auditors worried about financial reporting.
In fact, a review of recent internal control disclosures shows that numerous companies have already
cited deficiencies and weaknesses related to spreadsheets. In May 2005, for example, $90.6 million Sonic
Solutions disclosed that it "did not maintain adequate controls over spreadsheets used in our financial
reporting process." The same was the case at $185.2 million Modtech Holdings, which in June noted that it
"did not have adequate controls over spreadsheets used in our financial reporting process."
Titanium producer RTI International Metals also acknowledged in May that it did not maintain effective
controls over certain spreadsheets. Specifically, the company's controls over the completeness, accuracy,
validity, and restricted access and the review of certain spreadsheets were either not designed
appropriately or did not operate as designed.
In May, $425.7 million Shurgard Storage Centers noted that its consolidation process is performed primarily
on standard spreadsheet software that is not specifically designed or customized for this purpose. The
problem constituted a material weakness that "resulted in our inability to prevent or detect the reporting of
inaccurate or incomplete information and limits our ability to ensure our financial reporting processes are
completed timely."
At Crown Media Holdings, internal control deficiencies included the company's controls to assess and
review spreadsheet formulas. And at Audible Inc., problems included ineffective review of spreadsheet
calculations used in the financial statement preparation process.
But spreadsheets aren't just a source of headaches when it comes to controls and oversight processes;
they're also a source of errors.
In July, cleaning and personal care specialist CPAC, which operates The Fuller Brush Company and
Stanley Home Products, disclosed misstatements that were caused by a computational error in valuation
of a component of inventory and related reliance on a spreadsheet for completion of such valuation.
$1.3 billion Foamex also noted that an ineffective control did not prevent or detect an improper formula in a
spreadsheet, resulting in a misstatement of work in process and finished goods inventories...
At Edge Petroleum, management discovered an error in a spreadsheet application that was designed to
eliminate intercompany balances. "As a result of the error, amounts accumulated in the property account for
one subsidiary were also included as an accrued capital expenditure by another subsidiary and inadvertently
not eliminated in consolidation," said the company in a regulatory filing. "This caused property balances to
be overstated."

2005 Financial Media Holdings Group, Inc. All Rights Reserved.

The same was the case at video retailer Rentrak, which noted in June that its auditor discovered "a data
error in a program supplier spreadsheet that resulted in an overstatement of our cost of sales for this fiscal
period."
Hand Washing
"It isn't an inherent control weakness to use spreadsheets; it's how people use them," says Joseph
Prudente, director of internal audit for New York-based accounting firm Rothstein Kass.
According to Prudente, most companies utilize spreadsheets out-of-the-box, without applying the diligence
and controls inherent in the rest of their financial systems. "At worst, [spreadsheets] are computer
applications that are run, managed, developed and supported outside the normal system-development
lifecycle."
EVALUATING SPREADSHEET CONTROLS

According to a white paper written by PricewaterhouseCoopers in July 2004, "implementing a process to ensure
appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404."
According to PwC, there are five high-level steps to implementing such a process:

1. Inventory Spreadsheets: "This step is critical to ensuring that the population of spreadsheets in
   use within the organization is defined and subjected to evaluation."
2. Evaluate Their Use, Complexity: "This involves determining a spreadsheet's category of uses
   (operational, analytical and financial) and then assigning and documenting a level of complexity
   (low, moderate or high)..."
3. Determine Necessary Level Of Controls: Could include change control, version control, access
   control, input control, security, data integrity, and more. "The level of controls implemented should
   be considered relative to the spreadsheet's use, complexity and required reliability of the
   information."
4. Evaluate Existing Controls: "Any gaps between existing and 'necessary' controls should be
   identified as remediation items as well as any gaps in operating effectiveness."
5. Develop Remediating Plan: Could include assigning responsibility, establishing remediation
   dates, and prioritizing efforts. Action plans "should increase the controls over the spreadsheet to
   the necessary controls based upon the use and complexity of the spreadsheet."

Source: "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act"
(PricewaterhouseCoopers)

That's partially because of their ease of use. Typically, for example, the development of financial
applications requires a segregation of duties to ensure the development is conducted appropriately. To
those ends, the person who requires the application should not necessarily be the person who designs it or
deploys it throughout the corporate environment. But spreadsheets, due to their simplicity, can sabotage
those controls during development: it's easy for an employee to say, "I'll just whip up a spreadsheet to
handle that task," without considering the controls or implications. Multiply that phenomenon by hundreds of
financial staffers across a global enterprise, and it becomes more clear why spreadsheets can be
problematic. "Ninety percent of the [spreadsheet] developers are the ones who implement into production,
because they don't look at spreadsheets as a software change," adds Prudente.
To be fair, most spreadsheet applications, including the most common ones like Microsoft Excel and Lotus
1-2-3, do have rudimentary security controls. But those controls, which enable a user to password-protect a
worksheet or certain cells, tend to be user-specific: they are tactics aimed at helping a single user protect
his or her data.
At the corporate level, where a chief financial officer might oversee thousands of spreadsheets, much
stronger controls are required. That's especially the case now that CFOs must report quarterly changes in
the company's internal control over financial reporting as per Section 302 of The Sarbanes-Oxley Act.
But establishing centralized security controls over spreadsheets is not easy. IT managers can place
important spreadsheets on secured hard drives to keep unauthorized users from gaining access to the
document, but it's not uncommon for accounting staffers to save local versions of the spreadsheet on their
hard drives for convenience. Enforcing version control or change management, while considered vital to the
satisfaction of SOX Sections 302 and 404, is often impossible unless done manually.
"This is an area that IT organizations have washed their hands of, really," says Michael Heintz, a principal
consultant with the PA Consulting Group.
Common Area
When it comes to handling critical financial data, Heintz, Hasan at RSM McGladrey, and others advocate
abandoning spreadsheets wherever possible.
That's not only because of the risks inherent in their usage, but it's due to the fact that many spreadsheets
exist simply because they're easier than the alternative. "There will always be some need for
[spreadsheets]," says Heintz, "but many spreadsheets are there for the convenience of the person using
them, because they didn't want to learn the [more complicated ERP] application that would provide that
functionality."
Instead, experts argue companies should migrate to ERP applications or Web-enabled databases that
employ more rigorous controls. The latest versions of most applications, at least those released after
Sarbanes-Oxley, include controls that can be centrally managed and tested by auditors. The latter
functionality is becoming more critical as companies focus on sustainability as it pertains to SOX 404, as
they look to automate processes and minimize costs.
Islandia, N.Y.-based Computer Associates, for example, uses ERP software from Germany's SAP to house
all its financial data in one system. Doing so enables the company to employ controls at the network, host
and application layers, says Ken Williams, vice president of CA's technology services division.
That common area concept can make it easier to pull together more complete pictures of the control
environment. It can also provide better views into that data, sorting information by business process, for
example, or by categories detailed in the internal control framework published by the Committee of
Sponsoring Organizations of the Treadway Commission.
Spreadsheets, of course, can track that information too, but typically they do so in a much more fractured
way. And because spreadsheets lack a sense of time or version control, they offer little help with enterprise
risk management initiatives, which often hinge on a constant monitoring of, and controlling against, risk.
But centralizing financial data is not a simple undertaking, and can require considerable analysis, and
cost, to determine what sort of application is most appropriate for the company. In addition to process
changes, says CA's Williams, companies need to think about re-engineering their architecture so they can
place that data in a common area which will minimize the overall cost of protecting that data.
A Pain To Monitor
In fact, since spreadsheets have become so ubiquitous and addictive at public companies, it may be difficult
for some companies to extricate themselves from their usage; the cost to unwind systems may offset the
long-term benefit. For those companies, auditors recommend several basic steps that can be taken to
impose proper security controls around spreadsheets and their usage.
First is to take careful inventory of what spreadsheets a company has, what purposes they serve, and
exactly who uses them; many companies have already done this as part of their Year One SOX 404
documentation efforts. The companies can then map the spreadsheets to the processes, and can determine
which ones qualify as high-priority issues needing extra attention.
What controls are necessary? PricewaterhouseCoopers urges that any spreadsheet have locks in place to
freeze data. In a white paper published in July 2004 the firm also recommended that spreadsheets have
access controls, as well as an approval system requiring independent sign-off for any changes to processes
like macros. There should also be a reconciliation process to confirm inputs. Key spreadsheets might also
warrant documentation and back-up procedures.
Prudente at Rothstein Kass emphasizes change controls as particularly important. "In my opinion, you need
to go through a formal change-management process for some of these sophisticated spreadsheets," says
Prudente, "just like the developer would go through for a standard application change." To those ends,
companies would want to understand how changes are made to the spreadsheets, and how they are tested
and approved.
Then there's the matter of testing spreadsheet controls, which can be a major headache; if spreadsheets are
created manually by users, most likely they will be tested manually by auditors. "With some of my clients,
what I hear from the controller groups is that they never would have made the request to create some of
these sheets had they known the pain it would cause them to monitor the controls around them now," says
Heintz at PA Consulting Group.
And according to Computer Associates' Ken Williams, auditors may pay even closer attention to testing this
year, since most of the SOX 404 documentation efforts are in the past. If that's the case, Williams says,
executives may want to go back and ask "how you can automate [processes] and how you can create
sustainability."
A world of more secure spreadsheets, or no spreadsheets at all, may seem daunting at first glance. But,
given the proliferation of spreadsheets in the modern corporation and the exhaustive controls mandated by
Sarbanes-Oxley, companies might have little choice. "They should be relying on a back-end application,"
argues Hasan at RSM McGladrey. "Maybe it doesn't have to be a full ERP package but spreadsheets
definitely aren't the right tool."