Spreadsheets out of Control
Chugach Electric Association needed to get its Excel spreadsheets under control for compliance with Sarbanes-Oxley (SOX) regulations. “A lot of organizations have issues with Excel spreadsheets,” said Cheryl Klein, founder and principal consultant of GRC Consulting Services. “The most often-used financial application for tracking, accounting and reporting is Excel. Unfortunately there are very few controls around anything within Excel to ensure that the information is valid, that it is correct, that it reports correctly, that someone hasn’t made a change inadvertently… Generally speaking most organizations don’t have any of those standard controls in place around spreadsheets, and Chugach was no different.”
Chugach Electric, headquartered in Anchorage, Alaska, is the largest producer and distributor of electricity in the state. It is a member-owned cooperative and therefore a private organization, though it had taken on a public debt which required it to comply with federal financial regulations, including SOX.
To bring the organization into compliance, Chugach Electric enlisted an outside consultancy, Certified Security Solutions. Cheryl Klein was the lead consultant for this project. She assembled a team of IT and financial professionals to implement the proper controls and processes for SOX compliance, test them for effectiveness and interface with their external auditor KPMG. (Klein has since started her own company, GRC Consulting Services, which specializes in governance, risk and compliance initiatives.)
The proliferation of spreadsheets for financial reporting was a major issue. By scanning the file server for last-modified dates at the end of the quarter, they were able to determine which spreadsheets were used in financial reporting. “We tested and validated the functionality of each one of those spreadsheets to ensure that all the formulas were being called correctly, the summations used the right ranges… So we knew that those were the key spreadsheets, tested and signed off,” said Klein.
From that point, they looked for a way to secure the spreadsheets by limiting access only to authorized individuals and creating an audit trail around journal entries and approvals. As a midsized organization, Chugach Electric did not have the time or resources to deploy a comprehensive enterprise resource planning (ERP) system such as SAP or Oracle. Instead they wanted a cost-effective, targeted solution that would enable them to achieve and maintain SOX compliance.
Brainloop Secure Dataroom for SOX Controls
Chugach Electric adopted Brainloop Secure Dataroom, a hosted service for managing and sharing confidential documents. It provides a secure, Web-based document repository with user authentication and access rights, a tamper-proof audit trail and collaboration tools. Chugach Electric used the Brainloop platform to establish controls around their financial spreadsheets.
Klein continued, “The goal was to create efficient, repeatable processes for compliance. Because compliance with SOX is not a one-time thing – it’s every year you have to go through this. So the goal was to bring them to the point of initial compliance, and then a cost-effective, repeatable compliance process going forward. The use of Brainloop Secure Dataroom does both of those. We got them into compliance initially. And now they actually have a more streamlined workflow process that is better controlled than they did when just emailing spreadsheets back and forth.”
Time and Money Saved – Every Year
Reining in Excel spreadsheets closed a major gap for SOX compliance. The Brainloop platform allowed Chugach Electric to achieve SOX compliance initially, as mandated by law, as well as to save time and money maintaining compliance going forward. SOX requires organizations to perform testing internally, in addition to the testing done by an external auditor. By establishing secure controls and processes around their financial spreadsheets, Chugach Electric and its auditor KPMG only have to confirm that the controls are in place and working instead of manually re-testing and re-validating the spreadsheets each quarter. This saves a tremendous amount of time and money in labor and consulting fees every year.
Copyright © 2010 Apropos LLC. All rights reserved.