Tried and tested controls are proving inadequate
Today however, many of the previously accepted tried and tested business controls are failing. The Sarbanes Oxley Act of 2002 (SOX) is a case in point.
The Public Company Accounting Oversight Board (PCAOB) is focused on ensuring that spreadsheet controls in accounting and finance processes are followed to eliminate errors and fraud. The PCAOB’s auditing standard 2 expressly demands that controls must include all types of IT used in financial reporting; and auditors are taking it seriously. The latest survey of 109 organizations by research house GRC 20/20 reveals that 78% of respondents note that external auditors are applying hardier standards to ensure compliance with the much tougher PCAOB control requirements. So, while previously, minimal, typically manual, spreadsheet controls weren’t viewed as a SOX failing, today they are.
In addition to having to review and improve existing controls, due to the nature of corporate activity, carefully selected, proven and maintained enterprise systems for operational processes are proving inadequate. This is due to their inflexibility to instantly add new processes or amend existing ones in rapid response to the business needs of users. To overcome the limitations of enterprise systems, there is a large parallel universe of unmonitored and uncontrolled spreadsheets created by users for varied strategic business processes. Spreadsheets are flexible and offer good capabilities for advanced analytics and financial modelling. At the same time, they also pose a huge risk as finance departments have little control on these applications and their dependence on other data sources.
According to the latest research conducted by the FSN Modern Finance Forum amongst 49,000 members globally, the financial reporting process is keeping 97 percent of CFOs awake at night, with 62 percent of finance teams concerned that they will not meet their reporting deadlines. Consequently, CFOs are struggling to offer watertight guarantees that they are completely in the know of the spreadsheet and other data sources used and the level of data aggregation and manipulation that has been undertaken by their finance teams to arrive at the figures they submit to financial and regulatory authorities.
The GRC 20/20 survey mentioned above shows that nearly half of the respondents do not have a grasp on spreadsheet risks and controls, which might impact financial reporting. More worryingly, 53% stated that they hadn’t identified and built an inventory of spreadsheets and other end user computing applications that could potentially lead to material misstatements from their use. In fact, they don’t have the controls to address spreadsheet risks; and where they do, the mechanisms are manual, which are error prone, ineffective and lack the agility needed to enforce in such a dynamic and distributed environment.
For genuine business confidence, CFOs must know the data sources that feed into their financial reports; and their providence. The reality however, is that many finance departments don’t have visibility of data flows across their spreadsheet and end user computing (EUC) landscape. The data links between the different spreadsheets across departments, regions and models are routinely undocumented and therefore impossible to view and accurately decipher. This is supported by the FSN research revealing that 40 percent of CFOs are unable to agree that their data is always trustworthy; and 46 percent of CFOs worry about an unexpected spreadsheet error being identified. Additionally, 55 percent of CFOs worry that controls are not operating as they should.
Aligning spreadsheet models with enterprise systems must become a focus for CFOs
Data is a critical asset and the lifeblood of any business. CFOs must align and integrate spreadsheet models with enterprise systems to achieve end-to-end transparency of business-critical processes. This includes everything from the creation of a spreadsheet application by a user, visibility of data lineage between files through to their retirement in the corporate system. This will ensure decision-making based on outputs derived from accurate business data.
To achieve the above, new processes are needed. In an IT-led environment, manual processes for change management and control of spreadsheets across the lifecycle of every single, business critical application, are doomed to fail. Not only is it impossible to monitor and control spreadsheets in a timely manner, the whole exercise is supremely inefficient and costly, potentially to the tune of hundreds of thousands of dollars. Additionally, due to the way in which spreadsheets are used, if say 50 spreadsheets are decommissioned, it is highly likely that another 50 new ones are created by users in the same timeframe to satisfy a new business requirement.
Automation based on best practice processes for spreadsheet management is a reliable and safe approach. It mitigates risk by continuously monitoring and eliminating errors in business-critical processes based on well-defined controls to ensure data accuracy across the spreadsheet landscape. This is pertinent for regulatory compliances that CFOs are responsible for. Technology-driven control over the spreadsheet landscape enables enforcement of policies and rules as a matter of routine, without impacting the benefits of flexibility and agility for data manipulation that users so treasure these applications for. Historical evidence shows that inadvertent misrepresentation of information and acute metrics such as revenue, profitability and sales figures have led to financial and non-compliance penalties, drop in share price, and reputational risk– situations that probably keep CFOs awake at night.
About the author
Henry Umney is Director at ClusterSeven and is responsible for the commercial operations of ClusterSeven, overseeing globally all Sales and Client activity as well as Partner engagements. Henry brings over 20 years of experience in sales and account management in financial services. Prior to ClusterSeven, he held the position of sales director in Microgen, London and various sales management positions in AFA Systems and DART, both in the UK and Asia.