Case Study: Improving Visibility & Control for Mission Critical Spreadsheets in Energy

Published November 6, 2009 Best Practices , Case Studies Leave a Comment
Tags: , , , , , ,

energyIn 2006, a leading US energy provider performed an audit of spreadsheets and end-user computing applications and recognized the need to establish tighter IT controls. Many key spreadsheets used within finance and accounting operations were used in financial, regulatory and management reporting, and were considered in-scope for SOX 404 compliance. At the time, SOX testing for spreadsheets was a manual process evaluating access controls and security, documentation, change management and formula and link verification.

The Need for Automated Controls
Initial testing results concluded that although spreadsheets controls were adequate, they were very manual in nature and difficult to sustain. The director of internal audit and team lead for the project identified a variety of spreadsheet risks, including:

  • Widespread use of spreadsheets
  • Security access issues
  • No audit trail for changes and management review
  • Outdated documentation
  • New users did not always understand the impact of changes made
  • Manually intensive and error-prone review and approval processes

Business Drivers
Operating within a highly-regulated industry, the company had many compelling reasons to automate and improve spreadsheet controls, including mitigating operational risk, reducing audit cycles, and enabling compliance with corporate, regulatory and legal mandates. As a public company, they are subject to SOX 404, SEC and industry-specific regulations. They maintain an active operational risk program and are driven by continual process and quality improvements on a year over year basis. In addition, the company manages hundreds of contracts and has an aggressive M&A strategy. As such, automating controls over critical spreadsheets affected by these mandates represented an opportunity to take a proactive approach to sustaining compliance.

Adopting a Lifecycle Approach
To mitigate these risks, the director of internal audit and his team set out to establish a new methodology for spreadsheet and EUC control by leveraging best practices, the latest guidance from auditors, and software technology to make the new process sustainable. The new spreadsheet control lifecycle included creating a spreadsheet inventory, performing a risk assessment to identify critical spreadsheet tied to financial reporting, and applying automated controls to help track and manage changes.

As a best practice, the project team established risk assessment criteria to help categorize spreadsheets as financial, analytical and operational. Some examples include spreadsheets used in revenue accruals, journal entries (e.g. balance sheet flux analysis, income statement flux analysis, etc.), power controls for plant operations, and management reporting. In addition, the team evaluated spreadsheet complexity, including the number of formulas and spreadsheet size (in MB), number of external links or data sources, and any formula or structural errors.

Identifying Risky Spreadsheets
Risk assessment criteria included:

  • Application or use of the spreadsheet
  • Dollar amount impacted or controlled
  • Number of formulas
  • Complexity of the formulas
  • Number and extent of external links

Any spreadsheets that were deemed critical became candidates for monitoring and control. Risk levels for linked spreadsheets were determined through a relational risk assessment process, where any dependent spreadsheets deemed critical also became part of the controlled spreadsheet population.

The Solution
To automate the spreadsheet controls environment, the company chose the Prodiance Enterprise Spreadsheet Manager (ESM) system, including Prodiance Spreadsheet Compare and Prodiance Spreadsheet IQ. “We selected Prodiance because of their robust set of tools, their credibility with industry analysts, and their responsiveness to meet our needs,” said the director of internal audit.

eDiscovery_largeProdiance ESM provided pervasive monitoring (24×7x365) of all changes to critical spreadsheets and automated change control through cell level audit trails and versioning. Prodiance Spreadsheet Compare was utilized by business analysts to compare changes between spreadsheet versions in a side-by-side fashion to help speed review and approval cycles. Prodiance Spreadsheet IQ provided automated spreadsheet diagnostics to help internal auditors accelerate spreadsheet error checking and the evaluation of links.

SSIQ_large

 The Bottom Line
“By automating internal controls over critical spreadsheets with Prodiance technology, we have realized significant business benefits, including improved data integrity, fewer spreadsheet errors, reduced SOX testing of spreadsheets, reduced change control review, reduced remediation activity due to errors, reduced audit fees, and improved review and approval processes,” said the Chief Financial Officer for the company.

>>Download the Case Study (pdf)

PCAOB AS No. 5 Report Suggests Room for Improvement Over Testing of Spreadsheet Controls

Published October 21, 2009 Auditor Guidance , Regulatory Mandates Comments
Tags: , , , , , ,

On September 24, 2009 the Public Company Accounting Oversight Board (www.pcaob.com) issued their Report on the First-Year Implementation of Auditing Standard No. 5. The report provides an overview of the most common observations derived from inspections conducted during 2008 on registered firms’ first year implementation of AS No. 5. Because AS No. 5 is a follow-up to improving the implementation of the Sarbanes-Oxley Act of 2002, the focus is on internal controls over financial reporting (ICFR).

Spreadsheet Control Cited as Area for Improvement
Notable areas of focus for inspections conducted include risk assessment, fraud related risk, and focus for controls testing. Ironically, Spreadsheet Controls were cited among the suggested areas for improvement: “The inspectors also observed situations where auditors failed to test a relevant control appropriately or, in some cases, at all. For example, inspectors observed instances where the auditors’ testing of controls over financially significant applications was dependent on appropriate segregation of duties, but the auditors did not test to determine whether appropriate segregation of duties existed. Similarly, in some instances, the auditors tested certain controls without testing the system-generated data on which the tested controls depended; the auditors did not test controls over applications that processed financially significant transactions, including important manual spreadsheets; or the auditors observed evidence of review and approval controls (e.g. management sign-off evidencing review and approval) without testing the design or operating effectiveness of management’s controls.”

Spreadsheet Management Lifecycle

What it Means to Your Business
Based on this new report, the focus on scrutinizing Spreadsheet Controls for SOX 404 and AS No. 5 compliance is likely to continue, demanding that organizations take a proactive and sustainable approach to implementing policies, procedures, best practices and new technology to help automate the process. Best practices and auditor guidance suggest that following a lifecycle approach (including inventory, risk assessment, management and control, optimization, certification and reporting) leads to efficient risk mitigation, more efficient spreadsheet processes, reduced audit fees, faster audit cycles, and improved compliance.

Access the full report.

New Webinar: Spreadsheets & Enterprise Risk, What Every CXO Needs to Know

Published October 1, 2009 Analyst Research , Events Leave a Comment
Tags: , , , , , , ,

 Webinar: Spreadsheets & Enterprise Risk

This new webinar features GRC expert Michael Rasmussen, president and Corporate Integrity LLC and Eric Perry, vice president of marketing at Prodiance.

Register Today Blue

Session Overview
A significant amount of today’s corporate data is stored in end-user computing (EUC) applications including spreadsheets and pc databases. These applications are used in many mission critical business processes – financial reporting, closing the books, revenue recognition, journal entries, equity and commodity trading, insurance and actuarial processes, scientific analysis, and more. Despite their power, speed and flexibility, EUCs often lack the proper safeguards and controls needed to prevent gross accounting errors, avoid poor decisions, prevent fraud, and protect against non-compliance with corporate and regulatory mandates.

Join Prodiance and GRC expert Michael Rasmussen for this online event to learn about what every CXO should know about spreadsheet and EUC risk, and how the latest technology and best practices can help organizations effectively mitigate risk, while improving productivity.

The agenda includes:

  • The latest industry trends, business drivers and regulatory mandates affecting spreadsheet and EUC risk
  • Best practices and auditor guidance for automating internal controls over mission critical EUCs
  • A demonstration of the Prodiance Enterprise Spreadsheet Manager system
  • A review of the business case and benefits

Who should attend: CFOs, controllers, CIOs, COOs, CEOs, VP IT Security & Risk, auditors, risk and compliance executives.

Register Today Blue

EUC Best Practice #2: Implement an EUC Control Policy

Published September 14, 2009 Best Practices Leave a Comment
Tags: , , , , , , , ,

I’m pleased to introduce the 2nd post in my EUC Best Practices Series. This one introduces the operational side of the equation. Although technology is required to mitigate EUC risk on a sustainable basis, having an operational model is also a critical success factor.

Why Your Organization Needs an EUC Control Policy
Putting technology aside, perhaps the most critical element to any EUC Control initiative is to first ensure that a corporate policy is in place to govern the lifecycle of critical spreadsheets, Access databases and EUCs. Without a corporate policy, there is no indication that mitigating EUC risk is important to the business, and no way to ensure the proper safeguards are in place. Mitigating EUC risk is as much about technology as it is about business process, so an EUC Control Policy is a must have for any successful project.

Who Gets Involved?
Typically, an EUC Control policy is created in collaboration with various business lines that develop, use, and monitor EUCs – the CFO or controller, managers in various lines of business, IT, and internal audit.

Manual vs. Automated Controls
It should be written to support the type of controls being put in place (i.e. manual vs. automated). For manual controls, keep in mind that users will likely be required to perform additional manual tasks to comply with the policy, and that there may breakdowns in the process over time. These additional tasks can include things like periodic verification of proper access controls, creation and maintenance of the EUC inventory, risk assessment, documentation of critical EUCs, documentation and sign-off of significant changes, manual archiving of old versions, and periodic validation of high risk models.

Spreadsheet and EUC Management Software can automate many of these tasks. Keep in mind that if automated controls are being implemented with the deployment of new software, then the policy should be written to support and leverage the new software. This approach will ensure sustainable controls are embedded into everyday business operations.

So what goes into an EUC Control Policy?

Key Elements of an EUC Control Policy

  • Definition- A definition of EUCs along with some examples used within business lines (e.g. within finance examples may include account reconciliations, journal entries, financial statements, etc.). 
  • Categorization- Provide a taxonomy for users to identify and rank EUCs according to use (e.g. operational, financial, analytical) and risk levels (e.g. L1, L2, L3 or High, Medium, Low). 
  • Risk Assessment – Provide a methodology for determining what a risky spreadsheet is within your business. This can be based on a variety of criteria and factors, including complexity, financial significance (i.e. materiality), use, business process, regulatory process, or any number of criteria.Deloitte defines EUC risk based on Complexity and Materiality per the following example:

EUC Risk model based on Materiality and Complexity   A simplistic approach is to consider only Complexity as a first pass. The following is a simple algorhithm and for scoring EUCs based on Complexity. As mentioned above, other risk factors may include financial significance, business impact/use, and whether an EUC contains sensitive data or not.

 

 

risk_complexity_criteria

  • Control Requirements-  Define the IT controls required for critical vs. non-critical EUCs. Controls recommended by leading tax and audit firms include: development lifecycle, segregation of duties, access control, documentation, change control, testing/diagnostics, version control, back-up and archival. A complete set of EUC controls and definitions can be found in the PwC white paper entitled The Use of Spreadsheets: Considerations for Section for 404 of the Sarbanes-Oxley Act. Again, if automated controls are being implemented, make sure the policy is written per software usage guidelines and users are required to leverage the software to satisfy control requirements.
  • Compliance Requirements- Define what the minimum requirements are to comply with the policy. For example, you may require business lines to ensure end users be trained on the new policy as well as any new control software, that business lines be required to inventory and risk rank their EUCs annually, and that business segments be required to comply within a 12 month timeframe.
  • Ownership – Define who is responsible for owning and maintaining the policy. This is a typically risk and control function.
  • Policy Review Schedule – Define how often the policy will be updated or revised.
  • Definitions- Be sure to define any new terms or acronyms like EUC, UDA, risk assessment, etc.

Remember, the goal of the EUC Control policy is to set the minimum standards for managing the lifecycle of EUCs within the organization to effectively mitigate risk, prevent fraud, and improve business processes, while enabling compliance.

Feel free to email me to request a sample EUC Control Policy that you can customize for your organization.

Good luck and let’s hear your comments!

Executive Forums: Financial End-User Computing Risks & Controls

Published August 27, 2009 Events Leave a Comment
Tags: , , , , ,

Executive Forums - September 16 & 18, 2009

When:

  • September 16, 2009 (Philadelphia, PA)
  • September 18, 2009 (Washinton D.C.)

End-user computing risks and controls are key components in sustaining compliance under Bill 198, Sarbanes-Oxley, and the Model Audit Rule for private insurers. Please join Prodiance and Jefferson Wells for an interactive presentation and discussion on spreadsheet compliance and the issues surrounding end user computing risks and controls.

Event Details:

  • 7:30 am – 8:00 am: Registration & Breakfast
  • 8:00 am – 11:00 am: Executive Forum, Discussion & Demonstration

CPE Credit: 3 hours

Who should attend: CFO’s, Controllers, Compliance Officers, Internal Audit and Risk & Control Directors and Managers who have the responsibility for ensuring their organizations are complying with this key Bill 198 and Sarbanes-Oxley component.

Register Today Blue

For questions concerning these events, please contact Jennifer Lanigan at Jefferson Wells at (215) 399-2074.

New E&Y Viewpoint Outlines Spreadsheet Risk in Automotive Industry

Published August 22, 2009 Auditor Guidance , Best Practices Leave a Comment
Tags: , , , , , ,

E&Y Viewpoint Spreadsheet GovernanceIn a recent Viewpoint, Dan Smith of E&Y highlighted the risks of using uncontrolled spreadsheets in the automotive industry. Smith suggests that the industry is currently undergoing extreme financial stress, and that automakers should actively manage the spreadsheet risk while putting the proper governance structure in place. Smith also offers some best practices and claims managing spreadsheet risk is among the top priorities for the current year.

You can download the article here.

Webinar: Spreadsheets & Fraud – An Emerging Enterprise Risk

Published July 17, 2009 Events Comment
Tags: , , , , , , , , , , , ,

iStock_000003233994XSmall

When: Thursday, July 30th, 2009
(10:00 am CDT / 11:00 am EDT / 4:00 pm BST)

Where: Microsoft Live Meeting

Duration: 60 minutes

Cost: Complimentary

Event Description:
In the current economic environment, greed, lack of oversight, and lack of transparency have left an open door in many organizations for non-compliance, gross accounting errors, and even fraud. A significant amount of today’s corporate data is stored in end-user computing (EUC) applications including critical spreadsheets and databases. These media often lack the proper safeguards and controls needed to prevent fraud and spreadsheet errors. As a result, undocumented transactions can be hidden in invisible cells or hidden worksheets, and unauthorized changes can be made without detection, and data integrity can be compromized – creating unacceptable risk and exposure for organizations.

Join Prodiance and Jefferson Wells for this online event to learn about common spreadsheet fraud scenarios and how the latest technology and best practices can help organizations improve transparency and effectively mitigate fraud-related risk.

Register Today Blue

EUC Best Practice #1: Use Automated Spreadsheet Diagnostics for Baselining

Published July 10, 2009 Best Practices Comment
Tags: , , , , , , , , ,

I’ve decided to start a new series of posts on EUC Control Best Practices. Our customers and prospects are always asking us how other companies are managing their spreadsheet and EUC control projects, and what the Best Practices are, so here we go!

Auditors Recommend Baselining Spreadsheets

Many of the leading audit firms and consultancies recommend starting an EUC control project by first creating an inventory and performing a risk assessment. The purpose of these exercises are to identify risky or critical spreadsheets within your business (i.e. separate the cooking recipes and fantasy football stats from the journal entries and financial statements). Critical spreadsheets will be the ones directly linked to financial, regulatory or P&L reporting processes where errors or issues with fraud, data integrity and non-compliance can have an adverse, material impact on your business.

Once you have identified the critical spreadsheet population, auditors recommend Baselining spreadsheets. The goal of this exercise is to provide a clean slate – to ensure that your mission critical spreadsheets are doing what they are supposed to be doing. To baseline a spreadsheet, you need to do several things, including (but not limited to):

  • Analyze the spreadsheet structure and validate that it follows spreadsheet development best practices
  • Test the spreadsheet against known input/output data (e.g. test harness) to verify it is mathematically correct
  • Re-mediate any errors (e.g. broken links, formula errors, plugged cells, etc.)
  • Document the spreadsheet

Manual Diagnostic Efforts Do Not Scale

Performing these tasks manually for a typical consolidation spreadsheet model (i.e. complex spreadsheet) is very time consuming and error prone, and the challenges are numerous. How will you easily understand and document the structure of the spreadsheet? What kind of skills and training are needed? How can you quickly find any and all errors? What will you use to highlight any fraudulent practices? How will you identify and verify the external links? I could go on here…

Enter, Automated Diagnostics

The point is, baselining spreadsheets manually just isn’t very efficient. Enter the Automated Spreadsheet Diagnotic Tool. With automated speadsheet diagnostics, an auditor or spreadsheet developer can quickly analyze any and all external links (including dependent spreadsheets, Access databases, text files, web feeds, SQL queries, etc.) and create graphical diagrams to help document and verify the data sources are correct. Here is an example created with Prodiace Spreadsheet IQ:

Prodiance Spreadsheet IQ Workbook Relationship Diagram

The application of color coding schemes can be used to easily understand and identify the spreadsheet structure, including input cells, formulas, external links, blank referenced cells, errors, and more. Here is an example color scheme applied to a workbook using the Color Scheme tool in Prodiance Spreadsheet IQ.

Prodiance Spreadsheet IQ Color Scheme Tool

With the right tool, an extensive set of diagnostic checks can be run on any spreadsheet to document and analyze the spreadsheet structure. This process also highlights any red flags or potential errors that will require remediation. Potential red flags may include formula errors, blank referenced cells, hidden rows and columns, invisible cells, numerics stored as text, names with errors, very hidden worksheets, etc. Here is an example report from Prodiance Spreadsheet IQ.

Prodiance Spreadsheet IQ Workbook Analysis Report

There are several other powerful features included with such tools, including the ability to clean excess cell formatting to optimize file size and performance, ad-hoc error checking tools, cell and worksheet dependency diagrams, and more. You can learn more about Prodiance Spreadsheet IQ or download a trial version on our web site.

The “So What?”

The bottom line is that using Automated Spreadsheet Diagnostic Tools can really accelerate and ease your EUC baselining efforts and help spreadsheet developers to create error free spreadsheet models. The ROI is simple:

  • Before Automated Diagnostics: 8+ man hours to validate each complex, critical spreadsheet model
  • Typical # critical spreadsheets: 500 (you may have more or less)
  • Typical hourly rate for a spreadsheet domain expert: $225
  • Cost Before: $900,000 (ouch, who has the budget for that??!!)

Based on our experience, the use of Automated Spreadsheet Diagnostic Tools can reduce these efforts by more than 50%, but we’ll assume 30% savings to be conservative here.

  • Typical cost Savings/Cost Avoidance:  $270,000 (per typical project)

This is real cost savings if you have a heavy reliance on critical spreadsheets because its work you need to do anyway. Additional cost savings and productivity gains can be realized by using technology to automate inventory, risk assessment, and change controls.

Tune in next week for more Best Practices!

Protiviti Says Unchecked Spreadsheets Can Lead to Major Accounting & Financial Reporting Problems

Published June 30, 2009 Auditor Guidance Leave a Comment
Tags: , , , , , , , , , , , ,

Yesterday Protiviti issued a press release and an update to their white paper entitled Spreadsheet Risk Management: Frequently Asked Questions. In the press release, Protiviti indicated that few organizations have properly addressed the risks associated with uncontrolled spreadsheets, but are now being forced to due to potential financial losses due to errors and fraud, regulatory pressures, and increasing scrutiny from auditors.

The white paper examines the risks associated with uncontrolled spreadsheets and EUCs, cites various cases of error and fraud, presents a framework for spreadsheet control, best practices for measuring risk, and a review of available technologies.

While the white paper is spot on for the type of information companies need now – how to get started, practical advice, frameworks, best practices – it is light on promoting technology. The main goal of any spreadsheet or EUC control initiative should be to embed the controls into everyday business processes and to make them sustainable. This cannot be achieved via manual processes and policies alone. It has to be driven by technology and automated controls.

You can view the press release here and the download the FAQ white paper here.

Enjoy, and please let me know your thoughts!

Spreadsheet Errors and M&A Transactions – A Risky Proposition

Published June 26, 2009 Cases of Fraud & Errors Leave a Comment
Tags: , , , , ,

diceComplex spreadsheets have been used extensively in mergers and acquisitions. Although spreadsheets can provide rapid and immediate results to speed due diligence efforts, the potential for error is high and left undiscovered such errors can lead to disastrous results.

We saw an example of this last year during the Lehman fire sale when a complex spreadsheet containing hidden data for 179 contracts went undetected in a spreadsheet, causing Barclays to acquire more assets in the deal. Due to the tight timelines to complete the transaction before a bankruptcy court dealine, the spreadsheet was converted to PDF and the unwanted contracts (apparently in a hidden worksheet tab) were included in the deal.

To avoid this type of risk, organizations relying on spreadsheets for M&A activity should ensure they are inventoried, managed in a controlled environment with access control, versioning and audit trails, and finally analyzed for errors using diagnotic tools prior to the close of the deal. For more information on technology to satisfy these needs, check out www.prodiance.com.

The complete details of the Lehman-Barclays story are in this PC World article.

Next Page »

Subscribe by Email Subscribe by Email
Add to Technorati Favorites

Prodiance on Twitter

 

November 2009
M T W T F S S
« Oct    
 1
2345678
9101112131415
16171819202122
23242526272829
30