RiskTech Forum

ClusterSeven: Uncontrolled Spreadsheets, Documents, and Emails, Oh My!

Posted: 20 March 2017  |  Author: Michael Rasmussen, GRC Economist & Pundit

Business is complex. Exponential change in regulations, globalization, distributed operations, processes, competitive velocity, business relationships, and legal matters encumbers organizations of all sizes across industries. Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and document-centric internal control management approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered silos of documents become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, when the business environment requires greater agility.

Use of end user computing (EUC) applications such as spreadsheets, emails, and other document types has revolutionized how technology creates value for organizations. However, it brings a significant challenge: governing and controlling information and technology in a distributed and dynamic environment. Organizations are facing increased pressure from regulators and auditors to ensure that they have adequate controls over EUC applications, particularly spreadsheets used in accounting and finance processes. This has specifically caught the attention of the Public Company Accounting Oversight Board (PCAOB) and external auditors. This scrutiny is leading to new SOX failings for companies that previously had none. Enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheets are often open to manual manipulation.

The reasons spreadsheets fail without controls are:

Organizations need to address the limitations of document-centric spreadsheets by implementing EUC controls that provide audit trails, consistency, and integrated reporting. Organizations need EUC control solutions that are usable at all levels of the organization while also supporting the needs of audit, risk, and compliance professionals. Solutions that bring efficiency (in both human and financial capital), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed) are necessary.

Risk, compliance and audit roles have often been in reactive mode to an onslaught of regulations and risks, and have failed to develop a sufficient strategy to govern how EUC is used across the organization. This is true in the case of internal control over financial reporting, such as SOX, but it also applies to the broader business. There has been significant exposure in business operations and processes from uncontrolled spreadsheets in the context of privacy, the integrity of models and data, access to proprietary information, and more. It is the responsibility of an internal control team to work in tandem with the risk, compliance and audit functions to ensure that a cohesive and workable strategy to address EUC risks and controls is in place across the organization.