Taming the cells: automated spreadsheet control can help insurers breeze through regulatory compliance standards.
At many organizations, regulatory compliance works to conform with a slew of state and federal regulations. In the past several years, regulatory requirements such as the Health Insurance Portability and Accountability Act, Sarbanes-Oxley and the Patriot Act have been added to the mix.
One emerging technology rapidly becoming a standard platform in the insurance industry is automated spreadsheet control, which provides significant advantages for both content management and compliance support. Spreadsheet control tools provide automated spreadsheet consolidation and error detection and eliminate the need to spend thousands of hours reviewing accounting. On the compliance side, these tools are able to detect accounting errors, generate reports and alert to possible fraud by identifying suspicious patterns. They can detect violations of the Patriot Act, and satisfy Sarbanes-Oxley requirements as they tally and verify financial data.
Every day, spreadsheet users in the insurance industry are manipulating critical financial data in decentralized networks all over the world. Even with vast armies of staff diligently checking and rechecking spreadsheets to catch the elusive errors, it's a virtual certainty that some will be missed, resulting in a multitude of problems that might include stiff penalties, lawsuits, tumbling share value, loss of investor confidence, damaged reputations, adverse press coverage and ruined careers.
The stakes are high. The risks of noncompliance are powerful motivators for executives to take the time to educate themselves about the far-reaching consequences of spreadsheet errors and to learn about best practices in spreadsheet management and control.
Insurance is among the most highly regulated of the financial services industries. Simply keeping up with (and absorbing the costs of) ever-increasing compliance requirements has confounded even the most sophisticated organizations. But even with the complexity of multiple laws, policies and regulations, one straightforward principle can go a long way to ensuring smooth sailing through rough compliance waters: Just make certain everything is right. And there's no better place to start than with the ubiquitous spreadsheet, used by as many as 95% of U.S. companies for financial reporting.
The Sarbanes-Oxley Act has forced companies to examine the role spreadsheets play in their financial reporting processes as well as financial decisions, such as forecasting, that are based on the use of spreadsheets. "Section 404: Management of Internal Controls" has the most impact on the day-to-day lives of chief financial officers and chief information officers. Section 404 requires management to establish and maintain adequate internal controls and procedures for financial reporting and to assess the effectiveness of those controls.
It sounds simple. But the internal controls for the spreadsheets that collect and consolidate data for planning, budgeting and reporting are weak at best. Spreadsheets are, by definition, handled manually and prone to human error. Regardless of how well-defined and well-documented the rules that produce the data, once those data are imported into a spreadsheet for further manipulation, control is lost and, with it, the ability to ensure accuracy. Some studies have uncovered errors in more than 90% of the spreadsheets audited.
Whatever their potential for serious and frequent errors, spreadsheets are here to stay. Since their introduction in the 1980s, spreadsheet usage has exploded. Microsoft estimates that there are 400 million users of its Office suite, which includes the now-dominant Excel spreadsheet program, and its use in the organization has become more entrenched and mission-critical. So with spreadsheets as one of the most likely points of failure in Sarbanes-Oxley compliance, how does the organization ensure their accuracy?
Some do it the old-fashioned way--by deploying a small army of people to check and recheck spreadsheets and to find the one cell among thousands that holds the potential for disaster. That may seem like risky business if you are giving that responsibility to the very people who may have created the spreadsheets--and the errors--in the first place. Will they accurately detect and correct the errors and find all the affected cells? The problem multiplies exponentially when spreadsheet roll-ups are considered. Take the example of a company whose annual planning process required rolling up data from 1,200 Excel spreadsheets, one for each cost center. On average, it was a six-to-eight-week process each year just to get all the errors worked out. Manual detection and correction may produce accurate data, but it's an expensive, time-consuming way to get the job done.
Clearly, spreadsheets are an enterprise resource. But are they managed as one? Do they get the same level of dedicated resources and controls as other mission-critical applications and infrastructure? Not even close. From an information technology perspective, spreadsheets are easy to manage. They are easy to install, reliable and require little administration. But IT is not responsible for bad data entered into or flowing out of spreadsheets into other systems. How about security? Auditing? The bottom line is that most organizations have few management controls around their spreadsheet usage and those that do, are expending enormous time and resources on manual processes.
The solution is to automate the management of spreadsheets throughout their lifecycles. A robust spreadsheet management solution will provide automated capabilities for version control, security, change management and a collaborative review-and-approval process. An effective automated solution will reduce the costs of eliminating errors and restore confidence in financial reporting by ensuring that spreadsheets are properly controlled, accessed and manipulated.
In evaluating spreadsheet management systems, there are several key capabilities to look for:
Make the process easy for preparers and reviewers: Financial professionals are comfortable with spreadsheets. Don't try to change their working environment. Look for a solution in which the user continues to work almost entirely in Excel, with tracking and management functions taking place in the background.
Ensure secure user access: Users should have access to mission-critical spreadsheets based on their permissions and editing privileges. In addition to system and document-level security, password-protected selective cell locking should be used so key fields, such as formulas, cannot be changed.
Provide change and version control: In a regulated environment, it is critical to be able to track changes from version to version--who made the change, when, the precise nature of the change and the reason. Your system should automatically log the date and time of each edit, prevent users from disabling the tracking feature and make the log easily searchable so you can quickly identify changes in cells or formulas.
Automate the review-and-approval process: An effective spreadsheet-management system should eliminate the error-prone e-mail review process used in many organizations by providing a secure repository and a process in which multiple people can review a spreadsheet but only a single person can approve or reject a particular version. All reviews, approvals and comments should be tracked in the audit log and further changes should be prevented once a version is approved.
Store essential spreadsheets as business records: When final, you must be able to provide retention management for spreadsheets that have to be retained as critical business records, ensuring their availability and protection from tampering.
Effectively automating spreadsheet management will enhance reporting accuracy, enable a sustainable compliance process, improve the productivity of the reporting cycle and reduce the costs of auditing and certification.
Beware: Spreadsheet Dangers
"A spreadsheet error at a major financial institution was deemed a significant factor in a $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process--an unapproved change to a formula within the spreadsheet ... "
"A utilities company took a $24 million charge to earnings after a spreadsheet error--a simple mistake in cutting and pasting--resulted in an erroneous bid.... "
PricewaterhouseCoopers, "The Use of Spreadsheets." Considerations for Section 404 of the Sarbanes-Oxley Act," July 2004
* The Sarbanes-Oxley Act has forced companies to examine the role spreadsheets play in their financial reporting processes as well as the financial decisions, such as forecasting, that are based on the use of spreadsheets,
* Some studies have uncovered errors in more than 90% of the spreadsheets audited.
* A robust spreadsheet management solution will provide automated capabilities for version control, security, change management and a collaborative review-and-approval process.
Contributor Neil Weiss is director of insurance, Industry Solutions, Mobius Management Systems Inc.
|Printer friendly Cite/link Email Feedback|
|Date:||Mar 1, 2006|
|Previous Article:||Something extra: purchasing longevity insurance can extend retirees' financial good life, but the industry has to design the right product first.|
|Next Article:||Retirement wave: technology aids in addressing the challenge of an aging work force.|