October 2007
Five Common Spreadsheet Risks and Ways to Control Them
Most internal auditors have used spreadsheet software for common tasks, such as calculating complex revenue adjustments and preparing financial reports. And, while spreadsheets can be excellent tools during an audit review, many internal auditors are still not aware of their potential risks.
Larry R. Metz, CIA, CCSA, CGAP, CPA
U.S. Department of Natural Resources, State of Wisconsin
Spreadsheets are seldom a cause for concern or suspicion during internal audits, even though they should be — spreadsheets can be easily changed, may lack certain internal control activities, and are vulnerable to human error. Some internal auditors may believe there is little reason for concern because they have used the same spreadsheet software for many years. However, there are good reasons for concern. While spreadsheets are much like the lens of a camera through which auditors can view an organization's data, an auditor's assessment of the information in the spreadsheet might be skewed if the lens is dirty or slightly flawed. Therefore, it is important for auditors to be aware of the different kinds of risks associated with spreadsheet use, five of which are explained below.
RISK 1: UNSKILLED USERS
Spreadsheet training is not just for beginner auditors. In fact, a lack of adequate training will lead to poor or mediocre spreadsheet results, such as improper referencing, improper linking to other spreadsheets, or the use of inaccurate formulas for complex calculations.
[Sidebar: Common Spreadsheet Controls. Source: IT Compliance Institute.]
The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control–Integrated Framework requires a commitment to competence, which is an important aspect of internal control. Spreadsheet training for all auditors is one way to help achieve internal control. For instance, long-term learning plans that incorporate spreadsheet training will help to make sure users are up-to-date with the latest version of the spreadsheet in use. In addition to free Excel online training from Microsoft's Web site or free Lotus 1-2-3 training from IBM's site, the American Institute of Certified Public Accountants' Journal of Accountancy has a special section each month devoted to using technology tools. There is also a variety of software for auditing spreadsheets that may be appropriate for widespread use in an organization.
RISK 2: LACK OF GUIDELINES FOR SPREADSHEET PREPARATION
If the policies and procedures to mitigate spreadsheet risks are inadequate, errors will become more common and lack of consistency will show up in internal control audit reports. Therefore, the style, content, and accountability for spreadsheets should be documented in the organization's policies and procedures or in the spreadsheet used.
To this end, documentation is a best practice to explain how spreadsheets are used. Organizations need to explain — in common language within the workbook file, on the worksheet (e.g., at the top of the page), or in written policies and procedures — the spreadsheet's purpose and intended functions so other users can read the instructions before using it. If documentation is kept separately (e.g., a policies and procedures document), it should identify the style and organizationwide requirements for using spreadsheets.
Also, an inventory of spreadsheets used to prepare complex tasks or financial statements will help identify where adequate documentation is needed. In addition, documentation needs to be kept up-to-date and include who was responsible for preparing or updating the spreadsheet or policy.
RISK 3: DATA ENTRY AND RECYCLING
People are creatures of habit, which is one reason why spreadsheets are reused from year to year. Unfortunately, after cutting and pasting information, the spreadsheet might not work the way it did before — formulas can be damaged, links can be broken, or cells can be overwritten.
To help mitigate spreadsheet recycling risks, auditors need to make sure the information added to the spreadsheet is as good as the expected output by:
RISK 4: SPREADSHEET ERRORS
Phone calls, chatty coworkers, and coffee breaks are common reasons workers make data entry errors such as skipped entries or transposed numbers. A 2004 PricewaterhouseCoopers study shows that up to 91 percent of sophisticated spreadsheets contain errors. Unfortunately, if auditors know there are spreadsheet errors, so do fraudsters. For example, inadequate spreadsheet controls may lead to errors, misstatements, and possibly fraud.
One way to reduce the number of spreadsheet errors and to help mitigate fraud is to limit access to files. A spreadsheet is no different than other software, so access to spreadsheet information should be limited to persons on a need-to-know basis, which can help to deter fraudsters. Furthermore, storing important spreadsheets in an access-limited server can protect information from prying eyes. If open-access file storage is used, implementing password-limited access makes sense with these spreadsheets. Locked access to certain cells also can protect valuable formulas from tampering.
RISK 5: LOSS OF DATA
Failure to back up data is a common and sometimes fatal error that may result in the loss of hours of data entry for computer users, which applies equally to all software tools including spreadsheets. Hardware and software breakdowns do occur from time to time, and backing up regularly and frequently is the best prevention for the spreadsheet user. As a general rule, it's always easier to retrieve information from a backup file than redo the entire spreadsheet. The auto-save function in the spreadsheet software is a reliable means for preventing accidental loss of data in the event of errors or system malfunctions.
BALANCING RISKS WITH CONTROLS
Whether an organization is large or small, spreadsheets were a risk overlooked by many people until Sarbanes-Oxley mandated spreadsheet controls compliance in Section 404. Flexibility, ease of use, and transferability are a few of the advantages of electronic spreadsheets. Yet, the same features that make spreadsheets useful also make them risky. The five examples in this article emphasize the need for auditors to treat spreadsheets with skepticism and to instill controls to mitigate these risks as they relate to their own use of the tool.
Larry R. Metz, CIA, CCSA, CGAP, CPA, is an auditor and accountant at the Wisconsin Department of Natural Resources. He is a frequent speaker at professional events, serves as president of the Madison IIA Chapter, and is a faculty member of the Wisconsin Performance Improvement Network.