Another Example of Spreadsheet Risk

We missed this until now, but a Radical Compliance fan passed along this item for all you internal accounting control enthusiasts: a water development business in Colorado that recently had to correct its financial statements because of sloppy spreadsheet controls.

The company in question is Pure Cycle Corp. ($PYCO), which sells water and wastewater services to planned communities around Denver. The business has been around in one form or another for decades, although it spent most of the 2010s slow-poking along with annual revenues around $1 million. Only in the last three years has the spigot really opened up, from $6.95 million in 2018 to $20 million in 2019 to $25.8 million for 2020. 

This brings us to Pure Cycle’s most recent quarterly report, filed on July 9. In that report, management admitted that it needed to adjust several lines on the income statement for the prior two quarters. The corrects weren’t large enough to be material within each of those two prior quarters, but were large enough that the amounts would be material to the current period. 

What does a company do in that situation? According to several accounting rules, the company has to adjust all relevant periods retroactively — although it doesn’t need to file a formal restatement of past financials. 

Or, as Pure Cycle itself said: 

Based on [our] evaluation, the errors did not rise to the level of requiring a restatement of the financial information for the three and six months ended February 28, 2021, contained in the Form 10-Q as previously filed. Accordingly, management has corrected these errors by adjusting the opening accumulated deficit for the three month period ended May 31, 2021 and has retrospectively adjusted the cumulative periods for the impact of such errors.

The adjustments mostly fell into Pure Cycle’s quarter that ended on Feb. 28. They trimmed net income by 3.14 percent, and cut $0.02 from earnings per share. Figure 1, below, shows the adjustments made.


Source: Calcbench


Most interesting to us, however, was the reason for the financial reporting failure. As described by Pure Cycle:

The errors were a result of ineffective controls related to management’s preparation and review of spreadsheets, which compromised the integrity of the spreadsheets used to support and record the transactions related to the recording and tracking of the public improvement reimbursable amounts.

Spreadsheets, folks. They’ll nail you every time.

Internal Controls and Spreadsheet Risk

In the Controls & Procedures section of its quarterly report, Pure Cycle said the faulty spreadsheet controls were a material weakness, and therefore the company’s internal controls were ineffective. We still don’t know much, however, about exactly what the ineffective controls or procedures were. 

Broadly speaking, we can say that spreadsheets are a notorious weak spot in financial reporting. That’s especially when they’re used in management review controls, since management can change the values within a spreadsheet so easily — or overlook a number, or record a number improperly, and so forth. Any number of failures can happen, and by the time financial statements are under management review, there are relatively few ways to prevent or fix those errors. (Compared to errors introduced earlier in preparing financial statements, where finance team members can check each other’s work.)

The ideal solution is to move away from spreadsheets entirely, in favor of a dedicated GRC or audit management tool. How many businesses are actually doing that? Not enough, probably. 

Earlier this year we saw two reports come out within days of each other. The first one examined how much the burdens around Sarbanes-Oxley compliance, fraud risk, and financial reporting duties were increasing lately, especially due to the Covid-19 pandemic. The second one found that despite those increasing burdens, a considerable number of compliance and internal audit teams still use manual processes for a host of tasks. 

That’s not sustainable, especially for high-growth companies. (Remember the eye-popping growth Pure Cycle has enjoyed over the last three years.) If SOX compliance and financial reporting burdens increase, but you let your technology strategy stagnate, you end up with internal control predicaments pretty much like what we see with Pure Cycle.

What will Pure Cycle do to remedy its situation? The company said it has implemented “additional review procedures and additional check balances to all complicated and infrequently updated schedules.” That’s a good start, although it’s not the same as saying you are moving to a more robust ERP or GRC software system. 

Pure Cycle did also say, however, that it is “continuing to assess additional modifications to its internal controls required to remediate the material weakness noted above and ensure other spreadsheet controls are properly utilized.” Maybe that means the company will adopt a stronger technology for its financial reporting. 

Other firms, meanwhile, can use Pure Cycle as yet another cautionary tale that spreadsheet risks are still out there, and they can still leave you soaking wet.

Leave a Comment

You must be logged in to post a comment.