SOX and Spreadsheets – a Bad Marriage?

SOX and Spreadsheets – a Bad Marriage?

Basic Overview of Microsoft Excel

From the time it debuted in 1985, Microsoft Excel has gradually picked up a huge base of loyal users and is now, the most popular computer software for business applications. Today, Excel is used for a wide range of problem-solving and data-recording functions in organizations, from complicated financial models to large payroll databases. So much so that even the initial creators of Excel would never have envisioned the type of data that is processed in Excel spreadsheets right now.

The Abuse of Excel in Organizations

Commenting on the abuse of Excel, Douglas Klunder, former Head of Excel development team at Microsoft remarked in the article on How Microsoft Excel Changed the World “It’s the same thing with PowerPoint—Excel lets things look professional, and people assume there’s substance behind it.” And therein lies a question on whether using Excel for every business application is a wise decision. There is no denying the fact that Excel is a powerful tool that makes even mind-numbing logical and mathematical problems easy to manage. But, as many financial executives are beginning to realize, certain tasks require more finesse and precision than what a set of spreadsheets can provide. In such situations, using an Excel not only complicates the task but also leads to more errors.

What are the Risks of Using Excel Spreadsheets for Compliance?

Sarbanes-Oxley (SOX) Compliance is no different. When the Sarbanes-Oxley Act was enacted in 2002 and mandated public companies to document and test their controls, the first software that organizations turned to for managing this task was the spreadsheet. Today, over 98% of companies still manage their SOX Compliance program on Excel spreadsheets. For each documented control, there ends up being 5-6 spreadsheets when you include the individual test sheets, PBC listings, RCMs, Status Sheets, etc. Internal Audit departments end up with thousands and thousands of spreadsheets which ultimately lead to high administrative costs of managing the documentation and testing efforts.

This leads us to the question of why then is Excel still being used so extensively in organizations. The reasons are obvious:

Pros of Excel

1. Excel is Free

Most corporate users have full Microsoft Office suites pre-installed on their desktops. There is not much motivation to shop for specific software to meet each business requirement and thus, companies end up getting as much as possible done using software (MS Office) that is already available.

2. No User Training

In his insightful article on Excel in Business, David Ross, Sr. Engineer Manager at 10up mentions that people use excel to “circumvent the official software and just write something that works” and more importantly, to show work in a manner that decision makers understand. Hence, universal acceptance and ease of use could be a big factor why people still stick to Excel for key functions (like SOX compliance)

Considering the above factors, using Excel seems like a logical decision right – no extra costs and no additional user training. Then why is there a constant clamor for specialized software for major tasks like SOX compliance? Well, the simple fact is that the cons of using a spreadsheet far outweigh the pros.

Cons of Excel

1. Version Control Issues

How many times have you pulled your hair out trying to figure out the latest and most updated version of a file? It happens more often than you think. Spreadsheets do not offer a streamlined visual representation of file updates and hence, compel users to save multiple versions of a file to keep track of updates. This issue is compounded in SOX compliance because of the continuous field work was done by testers and reviewers using spreadsheets as base documents.

2. Lack of Visibility into Status

With spreadsheets, it is very difficult to explain things in a simple way to management. Instead of comforting them that the process is running as planned, it very often leads to more questions and concerns. Generating SOX status reports from multiple spreadsheets is no different and moreover, there is no real-time actionable data about SOX compliance available to the management.

3. High SOX Costs

Using spreadsheets for key functions is adversely impacting a company’s bottom line. With manpower costs continuously rising, smart CFOs are realizing that increasing employee productivity by using efficient software is the key to controlling costs. In a 2013 Sarbanes-Oxley Compliance Survey, it was noted that despite using the same procedures for SOX YOY, over one-third of the companies reported an increase in compliance costs.

4. Higher Error Rate

There is a huge human element involved in updating, maintaining and consolidating spreadsheets. And, as with functions where a lot of activities are processed manually, the error rate can be pretty high. In the report Sarbanes-Oxley: What About all the Spreadsheets?, it was noted serious errors were found in 94 percent of all real-world audits. In this same study, 91 percent of audited spreadsheets was found to contain at least a 5 percent error in a bottom-line value. Studies measuring errors on a per-cell or per-formula basis found errors in an average of 5.2 percent.

5. Lower External Auditor Leverage

With the revision of ISA 610 on “Using the Work of Internal Auditors” effective for audits of financial statements for periods ended on or after 15 December 2014, there is greater scrutiny on the type of software that internal auditors are using. This again brings us back to the question on whether spreadsheets are the right tools to document and test SOX controls, and going forward, to what extent external auditors will place reliance on spreadsheets based testing.


From the above-mentioned challenges we can clearly see that there is a huge productivity constraint when it comes to managing key processes using spreadsheets and this is why many companies are migrating important tasks to specialized software.


Daniel Kim, CPA, is co-founder of AuditBoard. Formerly global head of audit for two multibillion-dollar public companies, Daniel leverages his 15+ years of audit, risk, compliance, and SOX program consulting with hundreds of pre-IPO and public companies to deliver modern solutions for today’s corporate audit needs.