Spreadsheets are seldom a cause for concern or suspicion during internal audits, even though they should be — spreadsheets can be easily changed, may lack certain internal control activities, and are vulnerable to human error. Some internal auditors may believe there is little reason for concern because they have used the same spreadsheet software for many years. However, there are good reasons for concern. While spreadsheets are much like the lens of a camera through which auditors can view an organization's data, an auditor's assessment of the information in the spreadsheet might be skewed if the lens is dirty or slightly flawed. Therefore, it is important for auditors to be aware of the different kinds of risks associated with spreadsheet use, five of which are explained below.
Risk 1: Unskilled Users
Spreadsheet training is not just for beginner auditors. In fact, lack of adequate training will result in poor to mediocre spreadsheet results, such as improper referencing, linking to other spreadsheets, or using inaccurate formulas to master complex calculations.
Common Spreadsheet Controls
Setting documentation standards.
Establishing data entry procedures.
Using good security measures.
Backing up data frequently.
Source: IT Compliance Institute.
The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control–Integrated Framework requires a commitment to competence, which is an important aspect of internal control. Spreadsheet training for all auditors is one way to help achieve internal control. For instance, long-term learning plans that incorporate spreadsheet training will help to make sure users are up-to-date with the latest version of the spreadsheet in use. In addition to free Excel online training from Microsoft's Web site or free Lotus 1-2-3 training from IBM's site, the American Institute of Certified Public Accountants' Journal of Accountancy has a special section each month devoted to using technology tools. There is also a variety of software for auditing spreadsheets that may be appropriate for widespread use in an organization.
Risk 2: Lack of Guidelines for Spreadsheet Preparation
If the policies and procedures to mitigate spreadsheet risks are inadequate, errors will become more common and lack of consistency will show up in internal control audit reports. Therefore, the style, content, and accountability for spreadsheets should be documented in the organization's policies and procedures or in the spreadsheet used.
To this end, documentation is a best practice to explain how spreadsheets are used. Organizations need to explain — in common language within the workbook file, on the worksheet (e.g., at the top of the page), or in written policies and procedures — the spreadsheet's purpose and intended functions so other users can read the instructions before using it. If documentation is kept separately (e.g., a policies and procedures document), it should identify the style and organizationwide requirements for using spreadsheets.
Also, an inventory of spreadsheets used to prepare complex tasks or financial statements will help ensure where adequate documentation is needed. In addition, documentation needs to be kept up-to-date and include who was responsible for preparing or updating the spreadsheet or policy.
Risk 3: Data Entry and Recycling
People are creatures of habit, which is one reason why spreadsheets are reused from year to year. Unfortunately, after cutting and pasting information, the spreadsheet might not work the way it did before — formulas can be damaged, links can be broken, or cells can be overwritten.
To help mitigate spreadsheet recycling risks, auditors need to make sure the information added to the spreadsheet is as good as the expected output by:
Saving input data separately from the active spreadsheet used for calculations.
Using a control total (i.e., a result obtained by subjecting a set of data to an algorithm to check the data at the time the algorithm is applied) to prevent errors in formulas totaling columns of data, numbers, or dollars.
Using self-checks, like a hash or batch total, to verify that formula results are accurate.
Using an automatic tool to stop errors from creeping into spreadsheets.
Verifying that spreadsheet templates are not changed accidentally by using password protection.
Risk 4: Spreadsheet Errors
Phone calls, chatty coworkers, and coffee breaks are common reasons workers make data entry errors such as skipped entries or transposed numbers. A 2004 PricewaterhouseCoopers study shows that up to 91 percent of sophisticated spreadsheets contain errors. Unfortunately, if auditors know there are spreadsheet errors, so do fraudsters. For example, inadequate spreadsheet controls may lead to errors, misstatements, and possibly fraud.
Although auditors may not be expected to detect every instance of fraud, they do have a duty to take reasonable steps to detect situations that may lead to fraud. To help prevent fraud, several laws and regulations in the United States (e.g., the USA Patriot Act of 2001, the Foreign Corrupt Practices Act of 1977, the U.S. Sarbanes-Oxley Act of 2002, Statement on Auditing Standard No. 99, and Auditing Standard No. 5) have developed an array of regulatory compliance mechanisms, which are meant to deter persons from criminal activities. These laws and regulations have emphasized the importance for the auditor — internal or external — to continuously be on the lookout for misstatements that could have been intentional.
One way to reduce the number of spreadsheet errors and to help mitigate fraud is to limit access to files. A spreadsheet is no different than other software, so access to spreadsheet information should be limited to persons on a need-to-know basis, which can help to deter fraudsters. Furthermore, storing important spreadsheets in an access-limited server can protect information from prying eyes. If open-access file storage is used, implementing password-limited access makes sense with these spreadsheets. Locked access to certain cells also can protect valuable formulas from tampering.
Risk 5: Loss of Data
Failure to back up data is a common and sometimes fatal error that may result in the loss of hours of data entry for computer users, which applies equally to all software tools including spreadsheets. Hardware and software breakdowns do occur from time to time, and backing up regularly and frequently is the best prevention for the spreadsheet user. As a general rule, it's always easier to retrieve information from a backup file than redo the entire spreadsheet. The auto-save function in the spreadsheet software is a reliable means for preventing accidental loss of data in the event of errors or system malfunctions.
Balancing Risks With Controls
Whether an organization is large or small, spreadsheets were an overlooked risk by many people until Sarbanes-Oxley mandated spreadsheet controls compliance in Section 404. Flexibility, ease of use, and transferability are a few of the advantages of electronic spreadsheets. Yet, the same features that make spreadsheets useful also make them risky. The five examples in this article emphasize the need for auditors to treat spreadsheets with skepticism and to instill controls to mitigate these risks as they relate to their own use of the tool.