Outgrown Your SOX?

Since the Sarbanes-Oxley Act was first introduced in 2002, organizations have been lured by the relative ease of use and low cost of a nearly ubiquitous data management tool—the Microsoft Excel spreadsheet. And why not? For many reasons, using spreadsheets might initially seem to make sense:

  • In most cases, Excel is already available on an organization’s standard desktop—usually bundled with those other corporate workhorses, Word and PowerPoint—and therefore doesn’t cost extra money to license.
  • Auditors, being financially inclined, love spreadsheets and often recommend their use. As a rule, people tend toward solutions with which they’re most familiar.
  • Spreadsheet-based systems seem easy to modify if compliance rules or processes change.

More and more companies, though, are finding out the hard way that they’re outgrowing their hundreds (or even thousands) of cobbled-together spreadsheets—and they’ve begun searching for something better.

Are you starting to feel like the spreadsheets you use to manage SOX compliance are part of the problem? Here are four signs you’ve outgrown your SOX.

You’re having trouble monitoring performance

Organizing data. Storing it. Analyzing it. These are the functions for which spreadsheets were built—and at which, if you’ll forgive the pun, they excel.

What a spreadsheet is less good at, however, is precisely the type of work that SOX compliance demands. A spreadsheet makes a poor dashboard—you can’t use Excel to track issues, for example, or gauge progress toward 302 and 404 sign-off.

To properly measure performance and track improvements, you need enterprise software that supports robust business analysis.

Errors and security risks are threatening your compliance

One of the greatest drawbacks of maintaining multiple spreadsheets? It’s simply too easy to make mistakes. One survey of several studies found errors in 94% of the spreadsheets that had been examined; the same investigation estimated that a typical large spreadsheet contains dozens or even hundreds of errors.

Those numbers are the stuff of nightmares—because as you’re well aware, if even a single one of your spreadsheets creates the risk of a material financial error, your organization’s entire reporting system must be considered flawed.

Without automated tools to check for and stamp out errors, the time, effort and cost required to ensure the integrity of hundreds of spreadsheets can become simply overwhelming.

It’s getting harder to work with other business areas

In any large organization, there exists the need to share the “compliance burden;” processes such as risk assessment, control testing and issue management necessarily require input from many different business areas.

Unfortunately, spreadsheets just don’t support these kinds of multi-user workflows. Collaboration becomes an exercise in tortuous version control and painstaking error correction, rather than anything approaching true productivity.

It’s simple—if you’re responsible for using spreadsheets to manage SOX compliance, expect many more documents than you ever thought you’d see… and much more work than you ever thought you’d do.

Hidden costs are starting to become apparent

If you’re like most organizations, working with spreadsheets seemed like a good idea when you got started. Perhaps you were experiencing pressure from the CIO or CFO to adopt a no-cost-added solution. (“We already have Excel! Why would you need anything else?”)

Sadly, there is rarely an “inexpensive” software option that doesn’t come with hidden costs. With Excel and other spreadsheets, what you save in licensing fees you pay back in employee time—internal staff, contractors, external auditors… All of these end up putting in more effort than they should when they’re working with spreadsheets to manage GRC.

And that’s not including the time it takes to update scores of spreadsheets if a deficiency or weakness is discovered, or to roll up data for reporting. When you look at the whole picture, you can easily see that—like the cliché says—there’s no such thing as a free lunch.

Considering Software?

Dedicated GRC software makes all the ways you’ve been managing SOX compliance more efficient and effective. Compared to spreadsheets, software can offer a host of advantages.

Gain visibility

When you can use advanced analytics and reporting to gain the visibility you need to track progress, you’ll be able to more confidently sign off on 302 and 404 certifications. Look for software that lets you build rich, interactive dashboards and drill-down reports with just a few simple clicks. Remember—if you can see the root causes of deficiencies early in the process, you can better plan for success.

Increase confidence

Software can help define issue-tracking accountabilities, scope, follow-up actions and more. If you’re considering moving away from spreadsheets, look for workflow tools and comprehensive dashboards that make it easy to review and approve changes, ensure the right people are doing the right work, and track issues through to closure. The result will be increased confidence in your data and progress.

Streamline control testing

The right software will help you reduce your total testing time with a fully integrated risk-based approach. Move from hours per control—multiplied by hundreds or thousands of controls across multiple processes—to quick, easy testing of controls that address multiple risks.

Manage documentation effortlessly

And if you’re still attached to spreadsheets, some software suites let you use them if you still want to. Look for an application that lets you create Excel files (as well as Word, PowerPoint, and Visio documents, if desired) then attach them to items or reports, upload them to the cloud, or edit them directly in the software. Bonus: if the software you’re considering takes care of version control for you, you’ll never again have to worry if you’re using the most up-to-date document.

Summing Up

That sinking feeling that you’ve outgrown your SOX spreadsheets doesn’t have an official name, but that doesn’t mean it’s not real. There’s no need for frustration or regret; your organization’s initial decision to use spreadsheets was very likely the best one at the time.

But as your business needs change, continuing with spreadsheets can present significant risk. An investment in dedicated GRC software is one way to mitigate that risk—and one that merits further investigation.
