The New Spreadsheet Risk Management Issues of Sarbanes-Oxley Compliance
Regulators and auditors are looking more closely at spreadsheets that form part of business-critical processes.
The Sarbanes-Oxley Act of 2002 (SOX) has been in place for many years, and US-listed companies are very experienced in complying with it. This is reflected in the way the cost and effort of SOX compliance declined as it became ‘business as usual’.
However, in recent years the cost and effort of SOX compliance have started to increase again. Protiviti’s 2017 report, ‘Fine-tuning SOX Costs, Hours and Controls’, states that for two out of three companies, SOX compliance hours have increased by more than 10 percent since 2016.
A major change has been the US Public Company Accounting Oversight Board (PCAOB) becoming much stricter in how it oversees the US audit community, especially over audit failures and violations of the Board’s quality standards. Faced with potential fines of a million dollars or more, auditors are redoubling their efforts in reviewing their clients’ internal audit controls, which are central to SOX. Consequently, auditors are extending their audit scope to cover business processes that are extensively underpinned by spreadsheets.
In the past, SOX compliance has encouraged organizations to make use of centralized IT systems, where the SOX compliance controls for business processes are available ‘out of the box’. Auditors have reviewed these controls and outputs as part of their audits. CEOs and CFOs have used these reports and controls to sign off on shareholder reports that comply with the regulations, and so head off the potentially onerous penalties for non-compliance.
The spreadsheet challenges of SOX
Spreadsheets remain an invaluable resource for businesses because of their ease of use, flexibility and powerful functionality. Spreadsheets help businesses remain agile, generate new insights and model the development of their business, as well as providing accurate and timely reports.
In terms of SOX compliance, this power and flexibility can be a source of issues if the key spreadsheet estate is not managed effectively. This happens in two ways.
Firstly, the flexibility of spreadsheets means that errors can quickly emerge, and these can significantly affect the accuracy of the results. Spreadsheet risk is significantly higher if complex formulas or macros are used, or if a spreadsheet is linked to other spreadsheets, or to other applications or data sources.
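The risk indicators named above (complex formulas, macros, and links to other workbooks or data sources) are the kind of thing a spreadsheet risk inventory control would look for before a workbook is accepted into a SOX-relevant process. The following is an added example written for this page, not code from the article or from any product it describes. It builds a constructed workbook in memory containing only the OOXML parts the scanner inspects (so it is not a complete, Excel-openable .xlsx), then counts formulas, flags formulas that nest three or more function calls, detects references into external workbooks (the `[n]Sheet!Cell` form) and external-link parts, and checks for a `vbaProject.bin` macro part. The complexity threshold and the scoring weights are assumptions chosen for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SHEET_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Excel stores a reference into another workbook as [n]Sheet!Cell inside the formula text.
EXTERNAL_REF = re.compile(r"\[\d+\]")
# A function call in formula text: an upper-case name immediately followed by '('.
FUNC_CALL = re.compile(r"[A-Z][A-Z0-9.]*\(")


def build_sample_workbook(with_macro: bool = False) -> bytes:
    """Constructed sample: only the parts scan_workbook() reads, not a full .xlsx."""
    sheet_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1">'
        '<c r="A1"><v>100</v></c>'                      # plain value, no formula
        '<c r="B1"><f>A1*1.2</f><v>120</v></c>'          # simple formula
        '<c r="C1"><f>[1]Sheet1!$A$1+B1</f><v>0</v></c>'  # pulls a value from another workbook
        '<c r="D1"><f>IF(A1&gt;50,VLOOKUP(A1,E1:F9,2,FALSE),'
        'INDEX(E:E,MATCH(B1,F:F,0)))</f><v>0</v></c>'    # four nested function calls
        '</row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        # Presence of an externalLinks part models a link to another workbook.
        zf.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
        if with_macro:
            # A vbaProject.bin part is what makes a workbook macro-enabled (.xlsm).
            zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


def scan_workbook(data: bytes, complexity_threshold: int = 3) -> dict:
    """Inventory the risk indicators in a workbook: formulas, nesting, external links, macros."""
    findings = {
        "formulas": 0,
        "complex_formulas": [],
        "external_refs": [],
        "external_link_parts": 0,
        "has_macros": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        findings["external_link_parts"] = sum(
            1 for n in names if n.startswith("xl/externalLinks/") and n.endswith(".xml")
        )
        for name in names:
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for cell in root.iter(SHEET_NS + "c"):
                formula = cell.find(SHEET_NS + "f")
                if formula is None or not formula.text:
                    continue
                findings["formulas"] += 1
                location = f"{name.rsplit('/', 1)[-1]}!{cell.get('r')}"
                if EXTERNAL_REF.search(formula.text):
                    findings["external_refs"].append(location)
                if len(FUNC_CALL.findall(formula.text)) >= complexity_threshold:
                    findings["complex_formulas"].append(location)
    return findings


def risk_rating(findings: dict) -> str:
    """Assumed weighting: macros count most, then external dependencies, then complexity."""
    score = 0
    if findings["has_macros"]:
        score += 2
    if findings["external_refs"] or findings["external_link_parts"]:
        score += 1
    if findings["complex_formulas"]:
        score += 1
    if score >= 3:
        return "high"
    return "medium" if score >= 1 else "low"


if __name__ == "__main__":
    for macro in (False, True):
        result = scan_workbook(build_sample_workbook(with_macro=macro))
        print(f"macros={macro}: rating={risk_rating(result)} findings={result}")
```

Run against a real workbook, `scan_workbook(open("model.xlsx", "rb").read())` gives an auditor-readable inventory of where the error-prone elements sit, which is the evidence a control owner needs when deciding whether a spreadsheet belongs in a SOX-scoped process at all.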
In the SOX framework, such errors can easily lead to reporting errors that compromise the quality of financial reports. Many businesses have had to restate their earnings because of calculation errors in their quarterly or annual reports. This can cause a range of reputational, regulatory, commercial and legal headaches.
Secondly, the lack of data governance and risk management controls in Excel estates prevents corporate officers from being able to sign off the results as an accurate picture of the company’s performance. This can potentially expose them to the significant sanctions available under the legislation.
Under SOX, organizations need to ensure that their spreadsheet-based business processes have the level of management control found in their highly controlled and maintained enterprise systems, without removing any of the valuable capabilities, flexibility and sheer business value that spreadsheets give to users and the business alike. An enterprise-strength spreadsheet risk management capability can help them square this circle by retaining this operational flexibility whilst fully complying with SOX.