The New Spreadsheet Risk Management Issues of Sarbanes-Oxley Compliance

A major change has been the US Public Company Accounting Oversight Board (PCAOB) becoming much stricter in how they oversee the US audit community, especially over audit failures and violations of the Board’s quality standards. Faced with potential million plus dollar fines, auditors are redoubling their efforts in reviewing their clients’ internal audit controls, which are central to SOX. Consequently, auditors are extending their audit scope to cover business processes that are extensively underpinned by spreadsheets.

In the past, SOX compliance has encouraged organizations to make use of centralized IT systems, where the SOX compliance controls for business processes are available ‘out-of-the-box’. Auditors have reviewed these controls and outputs as part of their audits. CEOs and CFOs have used these reports and controls to sign-off on shareholder reports that comply with the regulations, and so head off the potentially onerous penalties for non-compliance.

Spreadsheets remain an invaluable resource for businesses, because their ease of use, flexibility and powerful functionality. Spreadsheets help them remain agile, generate new insights, model the development of their business, as well as provide accurate and timely reports.

In terms of SOX compliance, this power and flexibility can be a source of issues, if the key spreadsheet estate is not managed effectively. It works in two ways.

Firstly, the flexibility of spreadsheets means that errors can quickly emerge, which can significantly affect the accuracy of the results. Spreadsheet risk can feature significantly if complex formulas or macros are used, or if a spreadsheet is linked to other spreadsheets, or other applications or data sources.

In the SOX framework, these results can easily create reporting errors that can compromise the quality of financial reports. Many businesses have had to restate their earnings through calculation errors in their quarterly or annual reports. This can cause a range of reputational, regulatory, commercial and legal headaches.

Another issue is that the lack of data governance and risk management controls in Excel estates prevent Corporate Officers from being able to sign-off the results as being an accurate picture of the company’s results. This can potentially expose them to the significant sanctions available under the legislation.

Under SOX, organizations need to ensure that their spreadsheet-based business processes have the level of management control as found in the their highly controlled and maintained enterprise systems – without removing any of the valuable capabilities, flexibility and sheer business value that spreadsheets give to users and the business alike. An enterprise-strength spreadsheet risk management capability can help them square this circle, by retaining this operational flexibility, whilst fully complying with SOX.