Auditors must be aware of and consider the risks associated with spreadsheets provided by management. Amelia Pickard outlines why and shares a five-stage review process.
Every auditor in each audit or assurance engagement they perform – no matter how large or small, complex or simple the entity – is likely to be provided with information by management in the form of a spreadsheet.
In today’s data-driven business landscape, spreadsheets remain indispensable tools for data analysis, decision-making, and financial reporting. They can be straightforward documents used to manually record information, or highly sophisticated instruments used for data processing and analytics that may contain thousands of unique, interdependent formulae.
With the flexibility and accessibility of spreadsheets also comes risk. The majority of users who are preparing spreadsheets will be self-taught, which helps to explain why so many spreadsheets contain mistakes. Many of these errors are expected to be minor and individually unlikely to have a material financial statement impact. However, in aggregate, small mistakes can add up and it is vital for auditors to be confident that reliance can be placed on the data they are given.
Auditors must be aware of the risk that data within the spreadsheet could be modified, deleted, or manipulated, intentionally or unintentionally
Auditors are becoming increasingly aware of the need to perform testing over information technology (IT) systems that process and store data to confirm the reliability, accuracy and integrity of the information underlying the financial statements. However, where IT systems produce reports in the form of spreadsheets that can then be manually edited and altered, auditors must be aware of the risk that data within the spreadsheet could be modified, deleted, or manipulated, either intentionally or unintentionally.
Although an audited entity may have a state-of-the-art accounting software package that is functioning as it should and has effective controls, this may be made redundant if it then spits out data into a manual spreadsheet, which is used in the financial reporting system and which has no further oversight or checks from management. Unlike most IT systems, spreadsheets often lack a robust audit trail, making it difficult to track changes and understand who made them. Potential issues over version control can also arise where similar reports are run from the same IT system at different points in time.
It is therefore crucial for auditors to conduct thorough checks over spreadsheets provided by management. Under the international standard on audit evidence, ISA (UK) 500, when using information produced by the audited entity (commonly known as IPE), the auditor is required to evaluate whether the information is sufficiently reliable for the auditor’s purposes, including obtaining audit evidence about the accuracy and completeness of the information and evaluating whether the information is sufficiently precise and detailed.
This article outlines five review stages for auditors: initial review, structural review, data review, analytical review, and detailed review. They reflect recommendations in ICAEW’s Tech Faculty guide, How to review a spreadsheet, which offers more information on review and on best practice when dealing with spreadsheets in general.
The five review stages can be performed when assessing a spreadsheet provided by management to fulfil the requirements of ISA (UK) 500 regarding the completeness and accuracy of IPE and effectively address the risk of misstatement due to fraud or error that a spreadsheet may present. This article also provides examples of specific checks that could be undertaken within each review stage to obtain evidence over the trustworthiness of spreadsheet data in an audit context.
The work effort of the five stages of review depends on the complexity of the spreadsheet and what audit evidence the auditor is looking to obtain – it needn’t represent excessive work if the spreadsheet is straightforward, but getting into the mindset of the five stages, especially stage 1, may be helpful.
The work effort of the five stages of review depends on the complexity of the spreadsheet and what audit evidence the auditor is looking to obtain
1. Initial review
The initial review is a stage that auditors working under time pressure are often tempted to skip in favour of moving straight to direct testing of the data. However, taking some time to perform this step will be more efficient in the long run. The initial review allows the auditor to gain an understanding of the spreadsheet’s purpose and how the information it contains will be used as audit evidence. This understanding can then direct an initial risk assessment and help the auditor to plan where to focus their checks over the data, rather than indiscriminately looking at everything.
Some specific checks that could be performed as part of an initial review include:
- Identifying the purpose of the spreadsheet and considering how an incorrect output would affect that purpose – why is this spreadsheet required to be produced, and what management information does it support?
- Considering whether management’s rationale for producing the spreadsheet is reasonable – is it necessary for this spreadsheet to exist? Why isn’t this process part of the accounting software? Has something been made manual that could have been automated?
- Assessing the key risk areas associated with the spreadsheet and planning reviews and testing accordingly to focus on calculations that underpin critical values. The auditor should consider materiality when making this assessment, taking care not to dismiss multiple immaterial items that could become material in aggregate.
- Considering the knowledge and competence of the preparer of the spreadsheet, and the experience of any reviewers within the audited entity.
- Considering the lifecycle of the spreadsheet and checking for metadata that shows information such as the date and time of the last update.
2. Structural review
Once the auditor has completed an initial review, they can move on to the next stage: assessing the spreadsheet itself via a structural review. The structural review aims to provide an overview of the entire spreadsheet without getting into details, allowing the auditor to gain a sense of the overall soundness of the workbook.
Some specific checks that could be performed as part of a structural review include:
- Checking for any hidden worksheets, rows or columns within the spreadsheet that may be affecting the outputs.
- Reviewing the spreadsheet’s structure and logical flow – is it clear how the sheets link together? Is there a summary sheet that draws in the key values?
- Assessing the legibility of any formulas used – have they been created to aid validation (short formulas with only a few operands that have been copied over several rows), or have they become overly complex (multi-line formulas), making them challenging to unpick and verify?
- Understanding which cells contain input data, which are calculations, and which contain output data. Check that these are separated and clearly labelled, with units.
- Confirming that monetary units have been clearly identified and are used consistently (both currency and scale – thousands/millions). Auditors should also verify that the workbook uses clear and consistent sign (+/-) conventions.
- Where there are checks and flags that have been built in to validate the results being generated, confirming that they are all indicating correct operation.
- Where the spreadsheet relies on links to other spreadsheets or external data sources, checking that these are clearly identified. Confirm that these have been refreshed to ensure they are up to date.
3. Data review
This stage is likely to be the most familiar to auditors. The purpose of the data review is to check that the input data in the spreadsheet makes sense and agrees with the external sources from which it comes. This is a relatively short but critical step in ensuring that the spreadsheet is up to date and capable of producing the outputs it was made for.
Some specific checks that could be performed as part of a data review include:
- Checking that any opening balances agree to prior year closing values as per the previous year’s audited figures.
- Checking that other externally verifiable input data used agrees to external sources – for example, can the tax and FX rates used be agreed to reliable third-party websites or to other audit work that has already been performed?
- Where a spreadsheet has been generated as a report from an IT system that has been tested, checking that key data agrees back to the underlying database.
- Cross-referencing figures to other audit work on file where relevant.
4. Analytical review
An analytical review is completed to independently assess whether the spreadsheet results look right. Using charts, ratios and recalculation will provide signals that either confirm or challenge the validity of values. This can help an auditor understand the big picture and interrogate what the information contained within the spreadsheet is telling them. If a result appears to be anomalous, this can then be followed up with management at the audited entity and understood.
Some specific checks that could be performed as part of an analytical spreadsheet review include:
- Assessing the reasonableness of the final outputs, as well as any assumptions used to calculate these. For example, an assumption about revenue growth at 10% per annum may be reasonable for the next year or even two, but if compounded more than 10 years will have provided over 250% growth. Is this likely to be the case?
- Performing a trend analysis. Charts can help auditors to identify patterns or trends that either support or contradict expectations and direct them to areas in the spreadsheet that may need further investigation. The lower the level of aggregation this procedure is performed at, the more effectively the auditor will be able to identify and challenge any outliers. For example, looking at individual cost line items and revenue streams separately can be more revealing than looking at profit.
- Performing a ratio analysis. Developing a set of ratios can add insight into the way a time series of values is evolving. If appropriate, checks can be included that flag when a ratio exceeds its expected range, which the auditor can then follow up with management. For example, what is causing the operating profit margin to narrow or widen? Why is cash increasing or decreasing? Are there sufficient staff for the changing scale of the business?
- Reperforming the key calculations. Reperformance of the calculations will affirm the results being generated. For spreadsheets where the wrong result would have serious consequences, it may be appropriate to have a full parallel computation.
5. Detailed review
The final review stage involves validating details within the spreadsheet. The actual steps performed at this stage will need to be proportionate to the context, scale and risk of the spreadsheet being reviewed, based on the understanding developed in the earlier stages.
Some specific checks that could be performed as part of the detailed review include:
- Checking external links and confirming that the source data is accessible and up to date.
- Checking for use of balancing figures or hidden calculations to manipulate the outputs.
- Detailed testing of formulas. Where long or complex formulas are used in the spreadsheet, the auditor should ensure that these are fully understood and are working correctly. Common issues can include circular references or incorrect data formatting.
- Inspecting the workbook. Excel has a function to inspect a workbook and look for potential issues. A list of 22 attributes can be individually selected, returning a report of findings.
- Independent expert review. For spreadsheets that cover a technical area, such as a detailed tax calculation, it may be appropriate to ask a specialist to complete a review.
Amelia Pickard, Technical Manager, Audit and Assurance, ICAEW