[IMGCAP(1)]Ever since the earliest spreadsheet software, people have been relinquishing many tasks and responsibilities to this ubiquitous tool, and for good reason: spreadsheets are easy to set up, perform all but the most complex functions, and are available everywhere.
Admittedly, an application such as Microsoft Excel, which took the business world by storm, is a lot more powerful today than its earlier versions. But while it packs together an impressive collection of features that’s suitable for anything from making simple lists and flat file databases, to adding up columns of numbers, to performing more complex analysis tasks using functions and Visual Basic programming, while incorporating incredible graphing and display capabilities, Excel also inherently presents risks, which become exponentially greater as the complexity of the model increases.
Yet it is commonplace that most of these spreadsheets (workbooks in Excel, containing from several to many individual worksheets, or tabs, often linked to other Excel files across entire computer networks) are authored by individuals. While these individuals have the necessary skills to design and implement them, they almost never think of reviewing them for accuracy or completeness of formulas, functions, links and any programming code. Of the handful of spreadsheets that are looked at in more detail, they are usually reviewed by their own authors and are almost never subject to a peer review, or by someone completely independent.
From an internal control perspective, this is a dangerous practice. The problem is not just that the spreadsheets are flawed—one study found that 94% of spreadsheets have errors—but that they lack the proper risk-mitigating controls, which should be a major concern for those using spreadsheets in accounting and finance functions.
The use of “ungoverned” spreadsheets in daily work is ingrained so deeply that many accounting and finance professionals don’t recognize it as a serious problem. Even with the better than ever built-in audit tools, it is ultimately the end-users who must establish an effective control environment that can be practically maintained and audited. However, this rarely happens in the real world, leaving numerous critical financial statements at risk for material errors. Just ask JPMorgan Chase about how Excel played a role in its $9 billion dollar loss.
In my work in internal audit and financial reporting consulting, I constantly run into organizations—many of which are fairly large and complex—that put too much trust in results produced by an array of homegrown spreadsheets.
This is especially true for spreadsheets entrusted with producing consolidated financial statements and preparing annual corporate budgets and various forecasts. I have advised managers of the need to disclose such material weaknesses, and I have witnessed several occasions when the external auditors insisted on making such disclosures.
When testing the design and effectiveness of an internal control performed in a spreadsheet, and especially consolidations of financial statements, unless there is clear evidence that the spreadsheet is periodically reviewed for accuracy and completeness of design and use, and is under change management control, you can’t help but conclude that there may be a material weakness in this process, one that must be disclosed by publicly traded companies in their annual reports.
What this implies is that (for any type of organization) financial statements produced by spreadsheets are likely to contain material errors. For that reason, purpose-designed consolidation tools are much more preferable to using spreadsheets. Many of the small and midsize company ERP (enterprise resource planning) software applications offer consolidations within the application database without exporting data to a consolidation spreadsheet. In addition, there are driver-based budgeting and forecasting tools that can seamlessly integrate with any ERP and general ledger system, reducing the amount of time spent to consolidate data while ensuring the integrity of the information. Once internal control over the process is established within the database, it is much simpler to monitor and audit than with spreadsheets.
If your organization still relies on financial statements consolidated using a spreadsheet, take another close look at the process and either introduce a well documented and periodically tested set of internal controls over the design, use and change management of this process, or better still, perform it in a purpose-built application. Not taking one of these steps is leaving too much to chance. Invariably, sooner or later, it will result in material misstatements in critical financial statements.
Alan Hart is a former CFO with nearly 20 years of experience in accounting, finance and management. He works with Centage Corporation to evangelize driver-based budgeting and forecasting solutions. To read more of Alan’s thoughts on budgeting and forecasting, visit http://centage.com/Blog.