OMB Circular A-123 and Spreadsheet Controls

Published February 18, 2010 Auditor Guidance , Regulatory Mandates Leave a Comment
Tags: , , ,

I recently came across OMB Circular A-123 and thought it was worth a discussion regarding the intersection of this government regulatory mandate and the topic of Spreadsheet Controls. So, here is a quick run down of what you need to know for government entities. Keep in mind this summary is focused on spreadsheet use in financial reporting and close the books activities within government agencies.

First, the Office of Budget and Management (OMB) Circular A-123 is the federal government’s version of SOX. Like SOX 404, it requires that management that management establish effective internal controls over the financial reporting (ICFR) process. Further, it requires that such controls and the assessment process should be documented. As with SOX, material weaknesses (e.g. material misstatements due to spreadsheet errors) can result in non-compliance, and the OMB can request audit opinion if needed to enforce corrective actions. It also recommends a risk assessment to identify areas at risk (e.g. uncontrolled spreadsheets used in financial reporting). In addition, Circular A-123 recommends continuous monitoring and testing to improve the control environment. As specified, “appropriate internal control should be integrated into each system…” which implies an automated approach is preferred over manual controls. With automation, effective controls can be embedded into the business process so that they become part of doing business as usual.

Control activities recommended in Circular A-123 include: policies, segregation of duties, access control, documentation, accurate information processing (e.g. data integrity), input/output control, safeguarding of records (e.g. critical spreadsheets and EUCs), monitoring of controls (e.g. reporting & dashboards). These are all standard control requirements which are consistent with SOX guidelines. That said, spreadsheets controls are not specifically called out, but as with SOX, the NAIC Model Audit Rule, Solvency II, Basel II, and OCC guidelines and similar regulatory mandates, we do know that external auditors are scrutinizing the spreadsheet environment, especially when they see a heavy reliance on uncontrolled spreadsheets.

So, my recommendation on OMB Circular A-123 is to follow Big 4 auditor guidance on Spreadsheet Controls. As a government entity, to be prepared for an audit, you need to be able to answer a few questions with certainty and appropriate documentation:

  • Have you created an inventory of spreadsheets, Access databases and other end-user computing applications?
  • If so, have you performed a risk assessment to determine which ones are considered high risk (e.g. those that directly impact financial, regulatory and management reporting)?
  • For the high risk spreadsheets, what controls are currently in place?

If you can pass this test, then you have taken a proactive approach to mitigating the risks associated with uncontrolled spreadsheets. For more details on controls recommended by Big 4 auditors, I recommend reading my previous post on Spreadsheets and SOX 404 Compliance which references guidance from PwC.

Also, you can access the complete OMB Circular A-123 here.

UK’s FSA Fines BlueBay £140,000 for Spreadsheet Cut/Paste Fraud

Published February 5, 2010 Cases of Fraud & Errors Leave a Comment
Tags: , , , ,

new fraud case just surfaced in the Financial Times involving spreadsheets. This time, a fund manager at BlueBay Asset Management named Simon Treacher “carefully cut out and pasted different figures on to seven original broker quotes”.  The quotes (i.e. spreadsheets) were then provided to administrators who were valuing the assets in the UK-based fund he managed.

The result: an artificial boost in valuation of the fund by $27 million. Nice, unless your an investor. When BlueBay discovered the mis-markings, they closed down the fund, which lost 80% of its value as a result. Then came the fines and damage to company reputation and image.

Bottom line: all firms are at risk when uncontrolled and unmonitored spreadsheets, Access databases and other EUCs are used in critical processes such as reporting on book values. If you combine the autonomy of users who can make changes to spreadsheets, personal motivation, and the current economic environment, then you have the perfect storm for spreadsheet fraud. The best way to mitigate the risk of spreadsheet fraud is to develop a culture of awareness and a new controls to mitigate it.

Last month I wrote about The Spreadsheet Risk Continuum in which spreadsheet and EUC risk can efficiently be mitigated through by adopting a formal policy on EUC control, defining internal controls for EUCs, leveraging best practices, and deploying new technology. It’s worth a read for any organization evaluating their EUC risk.

For more details on the BlueBay fraud case, you can access the full story at FT.com.

The Spreadsheet Risk Continuum

Published January 14, 2010 Best Practices , Breaking News , Press Articles Leave a Comment
Tags: , , , , , , , , ,

After more than 5 years of helping some of the world’s most successful global organizations reduce their risk and exposure due to uncontrolled spreadsheets, Access databases and other end-user computing (EUC) applications, it has become very clear that reducing the risk is as much about technology as it is about cultural change. Almost every company today is dealing with issues surrounding spreadsheet and EUC risk, all with varying levels of maturity. The way I see it, reducing the risk efficiently requires a few key ingredients for success, including: adopting a formal policy on End-user Computing, defining internal controls for critical spreadsheets and EUCs, incorporating best practices, and implementing new Spreadsheet Control technology. As these ingredients are put in place, the organization’s risk level eventually decreases along the Spreadsheet Risk Continuum.

Policies & Controls
In a previous post, I discussed the merits and basics of adopting a formal EUC policy. I have also discussed the latest auditor guidance on spreadsheet controls from the famous white paper published in 2004 by PwC. There about 10 key controls to consider, including: access control, version control, change control, backup and archival, input control, documentation, segregation of duties, logic inspection/analytics, development lifecycle and data integrity.

Best Practices
There are many best practices, but I will mention a few here. The first requires following a formal process when implementing Spreadsheet Control. At Prodiance, we have developed a methodology we call the Spreadsheet Management Lifecycle, which involves inventory, risk assessment, control, remediation and reporting. In addition, it is important to have users properly trained on how to efficiently develop spreadsheets. This can result is models that have a smaller file size and have less margin for error because they are developed properly and are well documented.

Technology
The final stage in the Spreadsheet Risk Continuum involves implementing a technology solution to help make the earlier stages sustainable. Without technology, the tasks and controls  in the earlier stages become one-off projects, requiring end users to do extra work to follow policies. This manual approach often breaks down over time. So my point in all of this is the following:

To efficiently mitigate spreadsheet and EUC risk within an organization, there is a Spreadsheet Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and adoption of new technology.

What are your thoughts on this assertion?

Spreadsheet Fraud Linked to Madoff Case

Published January 8, 2010 Cases of Fraud & Errors Leave a Comment
Tags: , , , ,

Although this story surfaced in September of 2009 in the Financial Times, I thought it was noteworthy enough to list here under Cases of Fraud & Errors linked to the uncontrolled use of spreadsheets. In many cases, personal motivation, lack of adequate controls, and the autonomy granted to users to make unauthorized (or fraudulent) changes to key spreadsheets has led to cases of errors and fraud. The Madoff case is no different, but in this scenario it was perhaps the source of data (and not the actual spreadsheet) that was fraudulent.

The story summaries the inner workings of the Madoff operation and how spreadsheets were updated through queries into an old AS/400 main frame system which tracked false trades, each resulting in a 1 cent profit. Using a simple spreadsheet, his client’s accounts were all magically updated -  unbelievable!

Read the Full Story.

Spreadsheets & Accounting Fraud – the Perfect Storm?

Published December 5, 2009 Auditor Guidance , Breaking News , Cases of Fraud & Errors , Press Articles Leave a Comment
Tags: , , , , , , ,

Accounting Fraud on the Rise
In November, PwC published a new report entitled The Global Economic Crime Survey: Economic Crime in a Downturn. Of 3,000 senior executives survey across 54 countries, 62% reported their organizations suffered a decline in revenues in the past year, and 40% reported the risk of economic crime has risen due to the recession. Given this 60-40 split, they expected organizations with increasing revenues would be immune to the increase in economic crime. However, this was not the case. To this end, economic crime remains a pervasive risk in today’s business environment where increasing pressures to perform, increased opportunities to commit fraud, and people’s attitude are skewed by survival instinct and personal motivation.

Spreadsheets & Fraud – The Perfect Storm?
One of the key findings from the survey is the sharp rise in accounting fraud, which contributed 38% of reported cases, which PwC claims is linked to the economic downturn. If we then link this trend with the ubiquity of spreadsheets used in financial and management reporting, we have the “perfect storm” conditions for fraud to occur. Spreadsheets, PC databases and other types of end-user computing applications (EUCs) are used to support many key financial and operational processes, including (but not limited to) journal entries, account reconciliations,  tracking and executing trades, revenue recognition, 401k contributions, executive compensation, actuarial processes, underwriting, budgeting, forecasting, and consolidation. Organizations are at risk and exposed when these mission critical spreadsheets are unmonitored and lack the proper IT controls such as change control, versioning, security and access control, segregation of duties, testing and validation, etc.

Is Your Organization at Risk?
So how do you know if your organization is at risk of spreadsheet accounting fraud? Clearly an assessment is needed which typically requires (at a minimum) performing an inventory and risk assessment of a sampling of key spreadsheets. This process can take several weeks or months to complete via manual means, but it can be accelerated by using Spreadsheet Management & Control software, domain expertise, and best practices from Prodiance. To read more about spreadsheets and fraud, I encourage readers to download my latest white paper entitled Fraud Detection & Prevention for Mission Critical Spreadsheets. For more details from the 2009 PwC Global Economic Crime Survey, you may download the full report here.

Your comments and thoughts?

Catch 22 – eDiscovery & Spreadsheets: How Much Control Do You Need?

Published November 23, 2009 Events Leave a Comment

What: Special Webinar

Duration: 1 hour

Session Overview
A significant amount of today’s corporate data is stored in end-user computing (EUC) applications including spreadsheets and PC databases. These applications are used in many mission-critical business processes – financial reporting, closing the books, revenue recognition, journal entries, equity and commodity trading, insurance and actuarial processes, scientific analysis, and more. Despite their power, speed and flexibility, EUCs often lack the proper safeguards and controls needed to prevent gross accounting errors, avoid poor decisions, prevent fraud, and protect against non-compliance with corporate and regulatory mandates. Furthermore, organizations often fail to properly inventory and account for them in preparing for litigation and legal discovery.

Join Prodiance and Microsoft GRC expert Jeff Jinnett for this exciting online event to learn the key issues surrounding spreadsheet and EUC risk, and how to leverage the latest technology and best practices to establish a sustainable EDRM model to efficiently mitigate risk, improve compliance, and gain business process efficiency.

Join the Prodiance Professional Network on LinkedIn

Published November 13, 2009 Best Practices , Breaking News , Events Leave a Comment
Tags: ,

Prodiance_LinkedIn_GroupProdiance has launched a new LinkedIn Group called the Prodiance Professional Network. The purpose of this group is to connect former and present Prodiance Enterprise Spreadsheet Management users, administrators and employees, allowing them to expand their professional development, exchange ideas, network and continue to be a part of the Prodiance community. The new group also provides news and updates from the company’s web site along with RSS feeds, recent blog posts, articles, upcoming events, job listings and Twitter feeds.

Join Here Today!

Case Study: Improving Visibility & Control for Mission Critical Spreadsheets in Energy

Published November 6, 2009 Best Practices , Case Studies Comment
Tags: , , , , , ,

energyIn 2006, a leading US energy provider performed an audit of spreadsheets and end-user computing applications and recognized the need to establish tighter IT controls. Many key spreadsheets used within finance and accounting operations were used in financial, regulatory and management reporting, and were considered in-scope for SOX 404 compliance. At the time, SOX testing for spreadsheets was a manual process evaluating access controls and security, documentation, change management and formula and link verification.

The Need for Automated Controls
Initial testing results concluded that although spreadsheets controls were adequate, they were very manual in nature and difficult to sustain. The director of internal audit and team lead for the project identified a variety of spreadsheet risks, including:

  • Widespread use of spreadsheets
  • Security access issues
  • No audit trail for changes and management review
  • Outdated documentation
  • New users did not always understand the impact of changes made
  • Manually intensive and error-prone review and approval processes

Business Drivers
Operating within a highly-regulated industry, the company had many compelling reasons to automate and improve spreadsheet controls, including mitigating operational risk, reducing audit cycles, and enabling compliance with corporate, regulatory and legal mandates. As a public company, they are subject to SOX 404, SEC and industry-specific regulations. They maintain an active operational risk program and are driven by continual process and quality improvements on a year over year basis. In addition, the company manages hundreds of contracts and has an aggressive M&A strategy. As such, automating controls over critical spreadsheets affected by these mandates represented an opportunity to take a proactive approach to sustaining compliance.

Adopting a Lifecycle Approach
To mitigate these risks, the director of internal audit and his team set out to establish a new methodology for spreadsheet and EUC control by leveraging best practices, the latest guidance from auditors, and software technology to make the new process sustainable. The new spreadsheet control lifecycle included creating a spreadsheet inventory, performing a risk assessment to identify critical spreadsheet tied to financial reporting, and applying automated controls to help track and manage changes.

As a best practice, the project team established risk assessment criteria to help categorize spreadsheets as financial, analytical and operational. Some examples include spreadsheets used in revenue accruals, journal entries (e.g. balance sheet flux analysis, income statement flux analysis, etc.), power controls for plant operations, and management reporting. In addition, the team evaluated spreadsheet complexity, including the number of formulas and spreadsheet size (in MB), number of external links or data sources, and any formula or structural errors.

Identifying Risky Spreadsheets
Risk assessment criteria included:

  • Application or use of the spreadsheet
  • Dollar amount impacted or controlled
  • Number of formulas
  • Complexity of the formulas
  • Number and extent of external links

Any spreadsheets that were deemed critical became candidates for monitoring and control. Risk levels for linked spreadsheets were determined through a relational risk assessment process, where any dependent spreadsheets deemed critical also became part of the controlled spreadsheet population.

The Solution
To automate the spreadsheet controls environment, the company chose the Prodiance Enterprise Spreadsheet Manager (ESM) system, including Prodiance Spreadsheet Compare and Prodiance Spreadsheet IQ. “We selected Prodiance because of their robust set of tools, their credibility with industry analysts, and their responsiveness to meet our needs,” said the director of internal audit.

eDiscovery_largeProdiance ESM provided pervasive monitoring (24×7x365) of all changes to critical spreadsheets and automated change control through cell level audit trails and versioning. Prodiance Spreadsheet Compare was utilized by business analysts to compare changes between spreadsheet versions in a side-by-side fashion to help speed review and approval cycles. Prodiance Spreadsheet IQ provided automated spreadsheet diagnostics to help internal auditors accelerate spreadsheet error checking and the evaluation of links.

SSIQ_large

 The Bottom Line
“By automating internal controls over critical spreadsheets with Prodiance technology, we have realized significant business benefits, including improved data integrity, fewer spreadsheet errors, reduced SOX testing of spreadsheets, reduced change control review, reduced remediation activity due to errors, reduced audit fees, and improved review and approval processes,” said the Chief Financial Officer for the company.

>>Download the Case Study (pdf)

PCAOB AS No. 5 Report Suggests Room for Improvement Over Testing of Spreadsheet Controls

Published October 21, 2009 Auditor Guidance , Regulatory Mandates Comments
Tags: , , , , , ,

On September 24, 2009 the Public Company Accounting Oversight Board (www.pcaob.com) issued their Report on the First-Year Implementation of Auditing Standard No. 5. The report provides an overview of the most common observations derived from inspections conducted during 2008 on registered firms’ first year implementation of AS No. 5. Because AS No. 5 is a follow-up to improving the implementation of the Sarbanes-Oxley Act of 2002, the focus is on internal controls over financial reporting (ICFR).

Spreadsheet Control Cited as Area for Improvement
Notable areas of focus for inspections conducted include risk assessment, fraud related risk, and focus for controls testing. Ironically, Spreadsheet Controls were cited among the suggested areas for improvement: “The inspectors also observed situations where auditors failed to test a relevant control appropriately or, in some cases, at all. For example, inspectors observed instances where the auditors’ testing of controls over financially significant applications was dependent on appropriate segregation of duties, but the auditors did not test to determine whether appropriate segregation of duties existed. Similarly, in some instances, the auditors tested certain controls without testing the system-generated data on which the tested controls depended; the auditors did not test controls over applications that processed financially significant transactions, including important manual spreadsheets; or the auditors observed evidence of review and approval controls (e.g. management sign-off evidencing review and approval) without testing the design or operating effectiveness of management’s controls.”

Spreadsheet Management Lifecycle

What it Means to Your Business
Based on this new report, the focus on scrutinizing Spreadsheet Controls for SOX 404 and AS No. 5 compliance is likely to continue, demanding that organizations take a proactive and sustainable approach to implementing policies, procedures, best practices and new technology to help automate the process. Best practices and auditor guidance suggest that following a lifecycle approach (including inventory, risk assessment, management and control, optimization, certification and reporting) leads to efficient risk mitigation, more efficient spreadsheet processes, reduced audit fees, faster audit cycles, and improved compliance.

Access the full report.

New Webinar: Spreadsheets & Enterprise Risk, What Every CXO Needs to Know

Published October 1, 2009 Analyst Research , Events Leave a Comment
Tags: , , , , , , ,

 Webinar: Spreadsheets & Enterprise Risk

This new webinar features GRC expert Michael Rasmussen, president and Corporate Integrity LLC and Eric Perry, vice president of marketing at Prodiance.

Register Today Blue

Session Overview
A significant amount of today’s corporate data is stored in end-user computing (EUC) applications including spreadsheets and pc databases. These applications are used in many mission critical business processes – financial reporting, closing the books, revenue recognition, journal entries, equity and commodity trading, insurance and actuarial processes, scientific analysis, and more. Despite their power, speed and flexibility, EUCs often lack the proper safeguards and controls needed to prevent gross accounting errors, avoid poor decisions, prevent fraud, and protect against non-compliance with corporate and regulatory mandates.

Join Prodiance and GRC expert Michael Rasmussen for this online event to learn about what every CXO should know about spreadsheet and EUC risk, and how the latest technology and best practices can help organizations effectively mitigate risk, while improving productivity.

The agenda includes:

  • The latest industry trends, business drivers and regulatory mandates affecting spreadsheet and EUC risk
  • Best practices and auditor guidance for automating internal controls over mission critical EUCs
  • A demonstration of the Prodiance Enterprise Spreadsheet Manager system
  • A review of the business case and benefits

Who should attend: CFOs, controllers, CIOs, COOs, CEOs, VP IT Security & Risk, auditors, risk and compliance executives.

Register Today Blue

Next Page »

Subscribe by Email Subscribe by Email
Add to Technorati Favorites

Prodiance on Twitter