Sarbanes-Oxley Act Forum - Topic: Spreadsheet control
Posted: Wed May 25, 2005 12:52 am Post subject: Spreadsheet control
Can anyone give me some tips on my questions:
1. Our Marketing Department uses lots of spreadsheets for their analytical review. The analysis is important to management's decision making but they may not have direct impact on the financial statements. Should these spreadsheets be tightly controlled in compliance with SOX404?
2. Our CFO uses a spreadsheet to conduct financial analysis on her own (i.e. she is the preparer of the spreadsheet). According to the PwC white paper, such spreadsheets are classified as highly "complex" and for financial purposes. I understand that the spreadsheets should be well controlled, but what about the issue of segregation of duties?
Spreadsheets not used in calculating account balances, journal entries, etc. should not be subject to spreadsheet controls for SOX purposes. While possibly impacting operational controls, it does not appear that the Marketing spreadsheets impact financial controls.
As to the CFO, if the spreadsheet is purely for his analytical purposes and does not impact the financial statements, I would not consider it falling under SOX spreadsheet control requirements.
We identified very few spreadsheets that met the requirements of needing to be well-controlled.
I don't follow your comment on SOD for the CFO and his spreadsheet analysis - can you expand on your concerns?
Re the PwC white paper, one of the recommended controls is Segregation of duties / Roles and Procedures. My interpretation of such a control is that duties should be properly segregated among spreadsheet developer, user and reviewer. For those complex financial spreadsheets, I'd treat the best practice as (1) the developer creates the spreadsheet with the formulas protected in particular cells and keeps the password; (2) the user inputs current data into the spreadsheet to do the analysis, and whenever there is a need to change the formulas, goes back to the developer; (3) a senior reviewer performs a final check on the result of the spreadsheet before it is posted to the financial statements.... However, in our CFO's case, she is both the spreadsheet developer and the user, and no reviewer exists throughout the process. Will there be a problem on the issue of SOD? Or do I misinterpret something? Please kindly advise. Thanks.
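The developer / user / reviewer split described in the post above rests on one technical fact the reviewer needs to confirm: that the formula cells the developer signed off on are the ones that produced this period's result, and only the input cells changed. The script below is an added example and not part of the original thread or of the PwC white paper. It assumes a hypothetical workflow in which the developer records the formula cells of the protected sheet as a baseline at sign-off, and the reviewer runs the check before accepting a result. It parses the real SpreadsheetML worksheet format (the `xl/worksheets/sheetN.xml` part inside an .xlsx), but the three worksheets it reads are constructed inline for the example.

```python
"""Formula-drift check for a SpreadsheetML worksheet part (added example).

Hypothetical workflow: at sign-off the developer records the formula cells
of the protected sheet as a baseline; before the reviewer accepts a period's
result, this check confirms that only input cells changed. The worksheet
XML below is constructed sample data, not taken from any real workbook.
"""
import hashlib
import xml.etree.ElementTree as ET

# Default namespace of worksheet parts inside an .xlsx
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def make_sheet(protected: bool, qty: int, total_formula: str) -> str:
    """Build a minimal worksheet part. B2/C2 are user inputs, D2 and D5 are
    formula cells. Constructed sample data for this example."""
    prot = '<sheetProtection sheet="1" objects="1" scenarios="1"/>' if protected else ""
    return f"""<worksheet xmlns="{NS['m']}">
  {prot}
  <sheetData>
    <row r="2"><c r="B2"><v>{qty}</v></c><c r="C2"><v>1.5</v></c>
               <c r="D2"><f>B2*C2</f><v>{qty * 1.5}</v></c></row>
    <row r="5"><c r="D5"><f>{total_formula}</f><v>{qty * 1.5}</v></c></row>
  </sheetData>
</worksheet>"""


def extract_formulas(sheet_xml: str) -> dict:
    """Map cell reference -> formula text for every formula cell on the sheet."""
    root = ET.fromstring(sheet_xml)
    out = {}
    for c in root.iterfind("m:sheetData/m:row/m:c", NS):
        f = c.find("m:f", NS)
        if f is not None:
            out[c.get("r")] = (f.text or "").strip()
    return out


def sheet_is_protected(sheet_xml: str) -> bool:
    """True if the sheet carries a <sheetProtection sheet="1"/> element."""
    sp = ET.fromstring(sheet_xml).find("m:sheetProtection", NS)
    return sp is not None and sp.get("sheet") in ("1", "true")


def fingerprint(formulas: dict) -> str:
    """Order-independent SHA-256 over (cell, formula) pairs: the value the
    developer signs off and the reviewer keeps outside the workbook."""
    canon = "\n".join(f"{ref}={formulas[ref]}" for ref in sorted(formulas))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def check_sheet(sheet_xml: str, baseline: dict) -> list:
    """Return findings; an empty list means only input cells changed since sign-off."""
    findings = []
    if not sheet_is_protected(sheet_xml):
        findings.append("sheet protection has been removed")
    current = extract_formulas(sheet_xml)
    for ref in sorted(set(baseline) | set(current)):
        if ref not in current:
            findings.append(f"{ref}: formula deleted (was {baseline[ref]})")
        elif ref not in baseline:
            findings.append(f"{ref}: new formula cell {current[ref]}")
        elif current[ref] != baseline[ref]:
            findings.append(f"{ref}: formula changed {baseline[ref]} -> {current[ref]}")
    return findings


# Developer's signed-off version: the reviewer's baseline is taken from it.
SIGNED_OFF = make_sheet(protected=True, qty=100, total_formula="SUM(D2:D4)")
BASELINE = extract_formulas(SIGNED_OFF)
BASELINE_FP = fingerprint(BASELINE)

# Normal period update: the user changed only the input cell B2.
USER_UPDATE = make_sheet(protected=True, qty=250, total_formula="SUM(D2:D4)")

# Tampered version: protection stripped and the total silently uplifted.
TAMPERED = make_sheet(protected=False, qty=250, total_formula="SUM(D2:D4)*1.1")

if __name__ == "__main__":
    print("baseline fingerprint:", BASELINE_FP)
    print("user update findings:", check_sheet(USER_UPDATE, BASELINE))
    print("tampered findings:", check_sheet(TAMPERED, BASELINE))
```

Two caveats for anyone adapting this. First, sheet protection and its password hash are not a security boundary: an .xlsx is a zip file, and anyone who can open it can delete the `sheetProtection` element with a text editor, so the baseline comparison held outside the workbook is what actually gives the reviewer step its value; the protection flag is only checked so that its removal is itself reported. Second, a real worksheet must be read with `zipfile` from the `xl/worksheets/` part, and shared formulas (`<f t="shared" si="0"/>` cells whose text lives only in the master cell) need to be expanded before hashing, which this example does not do.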
SOD should only apply to the critical spreadsheets that are used in determining balances for journal entries or other adjustments to the financial statement accounts. If used purely for analytical purposes, while nice to have SOD in place, it is not critical, especially for SOX purposes.
Posted: Tue May 31, 2005 8:54 am Post subject: Re: Spreadsheet
new joiner wrote:
Does it mean that the operational and analytical/Management Information types of spreadsheet do not fall under the spreadsheet controls required by SOX?
If they do not lead directly to adjustments to the financial statements, they are not in scope for SOX. It may be good business practice to have some controls over these types of spreadsheets, especially if they lead to management decisions, but SOX would not require them to.
Posted: Thu Oct 27, 2005 4:33 pm Post subject: spreadsheet controls
If the company relies on financial projections from sales analysis to provide future guidance in earnings releases or conference calls, then I am pretty sure these should be included under SOX compliance.
Most spreadsheets are created by the user of the data. Rather than take away the usability of spreadsheets by segregating author and user roles, it seems like it would be sufficient to insert a validation step where some IT staffer would interview the end user to find out what he was trying to accomplish, use the spreadsheet calculations as the specification, and verify the correctness and the validity of the data sources.
I believe SOX requires that users not be able to both develop and print from a spreadsheet program. The better solution is to develop the spreadsheet with a print-disabled spreadsheet program. Then export the spreadsheet to the central database system, which would extract the heading cells to auto-construct the database schema. Identify the data fields and either prompt the end user to map the data sources from the central database or have an IT staffer assist in the data export mapping. Data extraction would require fixed-time scheduling, as data may only be valid at a fixed time, say at month-end closing. Next the system would extract the calculations from the spreadsheet and enter them as a spreadsheet transaction, which would also require a set of lifecycle approvals/acceptances: needs statement, testing, user sign-off, production sign-off, etc.
If any data is being pulled from the corporate database then you can be certain it requires SOX compliance.
Short of this type of system, companies need to stop using spreadsheets.
As much as it seems logical that SOX should cover forward-looking statements that might be based on information from a marketing spreadsheet, this is not included in SOX compliance.
While the laws and guidance almost always stop short of providing any information on HOW to comply, this is the one area that is very clear from the law and guidance: the limit of the compliance umbrella. (Inside the umbrella is where it gets murky again).
SOX compliance encompasses the financial statements only. Forward-looking statements are not used to book journal entries and do not end up in the financial statements. If, for some reason, the marketing spreadsheets end up being used to book journal entries, then you have a different issue.
-- Lisa Vann, CEO