Think again. They probably are not as complete, reliable and accurate as they appear to be.
Earlier this summer I was on an internal control engagement at a local publically held company that must annually comply with the Sarbanes Oxley act concerning internal control over financial reporting, management disclosure and attestation by an external auditor. This process recurs every year and following the audit the external auditor gives an opinion before the company can file its annual report (FORM 10-K).
Since this was not my first year on this engagement I knew the company had certain deficiencies with IT change management and with end user computing controls. These are usually internal controls over the design, implementation and use of end-user programmed databases and spreadsheets used in financial and accounting processes that affect external financial reporting, and the control environment over changes made to these databases and spreadsheets.
As is the case with many companies, this organization had an infinite number (so it seemed) of Excel spreadsheets that were designed and maintained by many employees, practically in every department of the company.
For the purpose of my engagement I was only interested in spreadsheets used to compile and consolidate financial information that was used in the preparation of external financial statements. I identified several of these spreadsheets; some were very complex where data from many sources were consolidated into a set of reports. These spreadsheets also included inter-company eliminations and other formulas, functions plus macros and VBA code.
As is required in this type of engagement, all deficiencies were reported to the company management and it was up to them whether or not to further disclose them in the filing. The external auditor’s job was to audit the control framework both for design and effectiveness of controls and form their own opinion, requiring management to disclose certain material weaknesses, defined as severe deficiencies, or a combination of deficiencies aggregated to a material weakness.
It is common with spreadsheets used in accounting, finance and reporting to have little or no internal control over critical spreadsheets which implies that:
1) There may be undetected errors and omissions in one or more of the worksheets included in one or more workbooks.
2) There may be undetected erroneous or broken links among the many worksheets (tabs within one workbook), or workbooks (separate Excel files).
3) Formula and function cells and other critical areas of spreadsheets may be at risk of being unprotected from accidental erasure of data, tampering with formulas and links, etc.
4) Changes to cells, formulas, functions, links, macros and other VBA code usually performed by the original authors of these spreadsheets may introduce new or additional errors to these spreadsheets.
What this implies is that financial statements compiled with the use of Excel spreadsheets may be flawed due to undetected errors. I recently wrote about this topic in an article published in Accounting Today.
These are the financial statements that are filed with the SEC (by publically held companies), and / or given to shareholders, bankers and other persons on a periodic basis. Unless the errors are detected either by internal audit or by the external auditors, misstatements will occur and may not be detected for a long time. Restatements of financial statements are often the result of detection of erroneous financial statements.
Use of spreadsheets to compile financial statements without a solid internal control framework and change management is a bad idea. So is use of spreadsheets in other important financial processes, such as corporate planning and budgeting.
Fortunately, similar to certain ERP solutions where consolidated financial statements can be produced without use of spreadsheets (requiring specific setup which many companies simply prefer to ignore), there are planning and budgeting applications that do not rely on spreadsheets. These are always preferred to the use of spreadsheets.
Unfortunately, among these “purpose built” financial applications and primarily planning and budgeting applications, many still rely on user supplied formulas, links and other programming, which in addition to significant amounts of time and effort to design, implement and maintain, always pose risks of errors and omissions and ideally require an mature internal control environment over these processes, rarely seen in most industries.
This leaves us with only one sensible option: Implementing financial applications that are not only removed from the spreadsheet environment but also do not require user-designed formulas, functions, links or other programming code. I see this as an emerging product category in the years to come, with anticipated positive acceptance by finance managements of many organizations.