Spreadsheets under pressure: Sarbanes-Oxley is testing the reporting capabilities of this widely used business management software

Internal Auditor, June, 2005 by Tim J. Leech

COMPLYING WITH THE U.S. Sarbanes-Oxley Act of 2002 is expected to be a major expense for public companies in the coming years. To date, companies have spent billions of dollars to formally document and test the support for internal control assertions required by Sections 302 and 404 of the act, and maintaining this documentation will continue to be costly beyond the first round of documentation.

An important concern for public companies is finding a cost-effective method of documenting, storing, and analyzing Sarbanes-Oxley control assessment work. Management is also looking to meet all the technical requirements spelled out in the law and by the U.S. Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB). In the first year, many companies elected to use spreadsheets to tackle Sarbanes-Oxley documentation because they are a familiar and inexpensive tool. Moreover, some companies prefer to use spreadsheets because Sarbanes-Oxley requirements are still evolving.

However, spreadsheets can have significant limitations that could increase compliance risks. In addition, depending on spreadsheets for Sarbanes-Oxley documentation may prevent companies from improving their compliance process and risk management capabilities.

LIMITATIONS FOR COMPLIANCE

In the first year of Sarbanes-Oxley reporting, many external auditors and project consultants have advised clients to use their existing spreadsheet software to document compliance efforts. Yet, these traditional tools may not be sufficient to document all relevant accounts, account assertions, risks, controls, and deficiencies.

SECURITY AND RELIABILITY The PCAOB's Audit Standard No. 2 requires public companies to complete an information technology (IT) general controls assessment on all applications used to assess and monitor controls--including spreadsheet applications. Yet, many companies are not assessing these IT general controls, according to control deficiency reports filed with the SEC in 2004. Although many of these companies have opted to use spreadsheets as a temporary measure, only 11 percent of 245 chief financial officers (CFOs) responding to a March 2003 CFO magazine survey considered spreadsheet-based control reporting to be accurate enough to make senior executives confident about certifying their companies' financial statement data for Sarbanes-Oxley. Some software products can improve the IT general controls over spreadsheets, but they have difficulty demonstrating security over unauthorized changes and appropriate version control.

OBJECTIVE, RISK, AND CONTROL LINKS Control users and those who oversee them must be able to see the links among disclosure accounts, risks that threaten their reliability, and the controls that are in place. Without this ability, they may evaluate control design incorrectly, and their testing of effectiveness could be misdirected. Spreadsheets are not well equipped to show and continuously track the one-to-many relationships between risks and controls.

BIG PICTURE According to a new study by the Financial Executives International (FEI) Research Foundation, the research arm of the U.S. association for senior financial executives, many companies in the first round of Sarbanes-Oxley compliance have not paid sufficient attention to an SEC/PCAOB requirement that they analyze the entire universe of accounting control deficiencies to identify patterns that may warrant escalating some nonreportable deficiencies to significant deficiency or material weakness status, which must be reported. Of the more than 900 deficiencies public companies reported to the SEC in 2004, FEI found that none explicitly indicated that an aggregation of control deficiencies resulted in a failing grade on one or more control categories established in The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control--Integrated Framework. The ability for auditors and management to see such patterns is limited when Sarbanes-Oxley assessment work is contained in hundreds of spreadsheets.

INTEGRATION OF TESTING Sarbanes-Oxley requires public companies to test whether key controls are resulting in an acceptable error/exception rate. This testing should be conducted in a way that allows chief executive officers (CEOs) and CFOs to see how much work has been done to support the representations they are personally making to the SEC in 10-K and 10-Q filings. Spreadsheets do not allow the control testing performed by management, internal auditors, and external auditors to be integrated efficiently or stored securely.

SUPPORT FOR MANAGEMENT OVERSIGHT Many companies are just starting to address Section 302, which requires management to report any significant deficiencies and material weaknesses that are detected during the year to the audit committee and external auditor on a quarterly basis. Companies must also implement a process that allows the CEO and CFO to identify and report any positive or negative material changes in the control environment in their quarterly filings to the SEC. Spreadsheets are not suited for quarterly monitoring of control status and demonstrating that senior executives are actively overseeing the process that supports the representations they sign.