ClusterSeven: Uncontrolled Spreadsheets, Documents, and Emails, Oh My!
Posted: 20 March 2017 | Author: Michael Rasmussen, GRC Economist & Pundit
Business is complex. Exponential change in regulations, globalization, distributed operations, processes, competitive velocity, business relationships, and legal matters encumbers organizations of all sizes across industries. Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and document-centric internal control management approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered silos of documents become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, when the business environment requires greater agility.
Use of end user computing (EUC) applications such as spreadsheets, emails, and other document types has revolutionized how technology creates value for organizations. However, this brings a significant challenge to govern and control information and technology in a distributed and dynamic environment. Organizations are facing increased pressure from regulators and auditors to ensure that they have adequate controls over EUC applications, particularly spreadsheets used in accounting and finance processes. This has specifically caught the attention of the Public Company Accounting Oversight Board (PCAOB) and external auditors. This scrutiny is leading to new SOX failings for companies that previously had no such failings. Enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheets are often open to manual manipulation.
The reasons spreadsheets fail without controls are:
- No audit trail. Documents and spreadsheets alone do not have inherent audit trails. There is no access record of who entered what at a particular time, and nothing to show that the contents represent the actual, unaltered, and authenticated data.
- Undetected errors. Spreadsheets can have many errors or omissions that go undetected.
- Broken links leading to outdated data. Spreadsheets and documents often have undetected erroneous and/or broken links in worksheets and workbooks.
- Unprotected cells. Spreadsheets often have functions and formulas within cells that are unprotected, which may lead to data integrity issues due to accidental erasure of data or tampering, from inadvertent to malicious, with formulas and links.
- Unprotected code. Spreadsheets can have changes to macros and other code that can introduce new or additional errors to these spreadsheets.
- Easy to manipulate. Because there is no audit trail or history of changes within documents and spreadsheets, it is a simple task for anybody to go back and manipulate data to paint a rosier picture or get themselves, someone else, or the organization out of hot water.
- No consistency. It is hard to make attestations to the confidence of data in spreadsheets that are not properly controlled.
- Compilation nightmares. As a result of the hundreds to thousands of spreadsheets being used, organizations are struggling with compiling reports. There is a significant amount of time needed to integrate and compile information from a mountain of documents, spreadsheets, and emails.
- Compilation errors. At the end of the day, all this work compiling and integrating documents, spreadsheets, and emails results in inevitable failure. Odds are there is something wrong. That much manual reporting is bound to have serious errors—not malicious, but inadvertent.
Organizations need to address the limitations in documents and spreadsheets by implementing EUC controls that provide for audit trails, consistency, and integrated reporting. Organizations need solutions for EUC controls that are usable at all levels of the organization, in addition to supporting the needs of audit, risk, and compliance professionals. Solutions that bring efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed) are necessary.
Risk, compliance and audit roles have often been in reactive mode to an onslaught of regulations and risks and have failed to develop a sufficient strategy to govern how EUC is used across the organization. This is true in the case of internal control over financial reporting, such as SOX, but it also applies to the broader business. There has been significant exposure in business operations and processes from uncontrolled spreadsheets in the context of privacy, integrity in models and data, access to proprietary information, and more. It is the responsibility of an internal control team to work in tandem across risk, compliance and audit functions to ensure that a cohesive and workable strategy to address EUC risks and controls is in place in the organization.