Sarbanes-Oxley forced companies to look under the rock of their internal controls, but eight years later, spreadsheets and databases are still causing operational risk headaches, and sometimes the public embarrassment of financial restatements or fraud. To combat the problem, the Institute of Internal Auditors (IIA) is rallying the troops. The group has issued a practice guide entitled Auditing User-developed Applications. The guide urges internal auditors to "determine and review" critical spreadsheets and databases, which it distinguishes from their innocuous kin with the term user-developed applications, or UDAs.
Internal auditors should audit UDAs annually, and regard any problems as a control weakness, the IIA recommends.
Since large companies may have thousands of Excel and Access files that reside on employees' computers, many of which may be used for critical calculations or processes, this is no small task, says David Furlonger, an analyst at Gartner Group.
"What you have are these quite powerful applications that carry a whole mass of different data, and an extremely widespread situation that is outside of traditional IT controls," he says.
Bryan Moser, a director in Grant Thornton's forensics practice, has seen plenty of ugly problems with spreadsheets. "Even if someone is not attempting to hide fraud," Moser says, "the details can get buried. It gets a bit out of control."
For companies that haven't yet addressed the issue, the first step should be to identify mission-critical spreadsheets and databases, with the help of internal auditors if necessary. The best method is to start with a final product, a financial statement, for example, and "work backwards, to find what portions are derived from spreadsheets," says David Brand, managing director at Protiviti.
Once critical spreadsheets and databases are identified, companies need to control them the same way IT manages enterprise software. They should control where files are and who can access them; how data are entered and extracted; how functions are tested; how versions are limited and backed up; and, perhaps most important, they should document the purpose and structure of each UDA so the next user can understand the file.
Will the IIA's guidance be the wake-up call that finally focuses companies' attention on the risks posed by spreadsheets? That's not certain, says Protiviti's Brand. But given the limited resources, time pressures and high turnover common at companies today, he says, it should be.
"Even if you don't have a problem today, or last month," Brand says, "that has no bearing on whether you're going to have a problem next month."