Managing Spreadsheet Risk & Governance in SOX – An Optimal Approach
It may seem odd to many that the issue of Sarbanes-Oxley (SOX) reporting is resurfacing so many years after the original legislation was passed in 2002, and after billions of dollars have been invested in the systems, processes and technology businesses have implemented to comply. Nonetheless, there has been a steady uptick in the effort, resources and cost of SOX compliance in recent years, owing to a renewed focus on spreadsheets in the SOX process, as management, auditors and the Public Company Accounting Oversight Board (PCAOB) fully grasp how pervasive spreadsheets remain in key business applications and processes.
While spreadsheet risk might be a new area of focus for SOX, its key principles remain unchanged. The quarterly and annual results reported by US-listed companies must be a fair reflection of the underlying business, and senior management, typically the CEO and CFO, must be willing to attest to that.
This means that the same level of management control, transparency and auditability must be applied to the newly significant spreadsheet environment as is applied to the corporate IT environment that underpins the rest of the SOX process.
Businesses are typically keen to retain the use of spreadsheets, as their power and flexibility help drive business agility. Many increasingly recognize that SOX requires them to bring these spreadsheets under the same governance and control as the rest of their IT estate.
Given the challenges of managing spreadsheet risk under SOX, and the significance of the reported results, institutions need to think carefully about how best to leverage the power of spreadsheets while mitigating the risks associated with them. They also need to assure the data governance that management, auditors and regulators expect.
A Best Practice Approach to Spreadsheet Risk Management in SOX Compliance
Based on the experience of helping a wide range of businesses address spreadsheet risk management under a range of compliance regimes, this is a best practice approach to managing spreadsheet risk in SOX.
1. Identify the SOX Spreadsheets
Effective SOX reporting depends on having proper foundations, and identifying all the key SOX spreadsheets is vital. These spreadsheets may cover a range of business areas and functions: revenue management processes, cost management models, amortisation models, revenue recognition models, contract records or order management, for example. Spreadsheets also feature significantly in consolidation models and final mile reporting. These, combined with data from a range of corporate systems, deliver the final SOX results that need to be attested to.
These spreadsheets will be located in different departments, business units and even countries. There may be different versions, formats and definitions in use within the same business unit, a situation amplified across multiple business units. This provides ample scope for the emergence of spreadsheet risk further down the implementation and reporting path.
2. Risk Assess your SOX Spreadsheets
In a SOX framework that utilizes spreadsheets, the spreadsheets will be of varying significance. Identifying the key spreadsheets is not straightforward. The significance of a spreadsheet may, for example, depend on how many other spreadsheets are linked to it, how many formulas and worksheets it contains, and the complexity of its formulas and macros. While these are useful yardsticks, other, much simpler spreadsheets may be equally critical to SOX reporting, for instance a single-sheet file that feeds a consolidation model directly.
Having a systematic risk assessment model for SOX compliance allows people across the business to agree objectively which spreadsheets require the closest scrutiny. This can form the basis of an effective SOX spreadsheet management implementation model, as well as serving to develop the risk management, audit and governance framework that institutions require.
It also ensures that the risk management focus is targeted at the right areas, rather than having the effort dissipated by assessing too many of the wrong spreadsheets.
3. Monitor and Audit your SOX Spreadsheets
The final stage is to closely monitor your key SOX spreadsheets, to identify changes to them and their potential impact on the SOX results and the wider business. It is important that changes to the spreadsheets – to formulas, data sources, individual worksheets and macros, for example – can be easily identified, as they can have a material impact on the final SOX results.
These changes need to be easily identifiable, auditable and reportable, so that the risk management and governance framework central to complying with SOX is fully supported.
However an institution approaches this challenge, it is important that the risk and governance management model is treated as a prerequisite of a SOX spreadsheet management implementation model, alongside data management, systems integration and design. As well as assuring the accuracy of the final results, this approach ensures that the final SOX results, drawn from spreadsheet-based processes, are fully aligned with the audit and data governance requirements of SOX.
Delivering these capabilities using manual processes is challenging, to say the least. There is scope to implement them efficiently and effectively by leveraging automation, using ClusterSeven capabilities.