Spreadsheet compliance issues

[Toby]

We are a large financial institution in the middle of our compliance process. There are so many spreadsheets around it's a chore just to get them listed into one database. I've thought of doing a *.xls search on the network but that's a scary proposition! SOX requires that we are to analyze each and every spreadsheet within scope for version, change, network, and password controls; and evaluate every spreadsheet for complexity, links, and accuracy etc..
Just identifying which spreadsheets fall into scope is a time-consuming and expensive process.

Here are my questions:
1) How are others defining "In Scope"? I'm looking for something more definitive than "could materially effect the financial statements".

2) How have other organizations gone about trying to investigate a particular spreadsheet for complexity or accuracy?

3) Has anyone seen some good articles on this subject?

4) How many persons in your internal audit department have reported smoke coming out of their ears after working on spreadsheet compliance?

Thanks

[kymike]

Toby,

PWC has a great white paper on evaluating the use of spreadsheets as part of the control environment. If you have not looked at it, youshould.

I work for a fortune 500 company. We are excluding quite a few spreadsheets from our analysis, including account reconciliation spreadsheets (unless they are used to calculate amounts to be used for journal entries) because of the volume and simplicity of their usage. We will end up with a short list of spreadsheets which will be subject to pretty strict access and change controls.

[CoolCat]

We are only looking at spreadsheets which are used in our key controls. That means we have a shortlist of only about a dozen or so that we are considering in scope. Anything else we are treating as user controlled.

For the in- scope ones, we are ensuring they are covered by access controls, change controls etc both at the user end and through IT. This means we are ensuring that the servers and networks where they are located are subject to controls too.

[Guest9999]

It's my understanding that any cell with a formula has to have its own password, is this true? If it is how can this be done? Excel doesn't give you the option to assign a password to an individual cell.

[Denis]

[BrummiePete]

The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).[/quote]

And be sure to have a suitable audit trail in place to know who made what changes to what parts of the spreadsheet and under what authorisation.

You should also ensure that what ever controls you have in place for the above are effectively monitored and the results and actions from the monitoring of controls should be documented.

Cheers
_________________
Brummie Pete

[mrk321]

I have another question relating to this topic, what is the consensus on an absolute deadline? Is it November 30, or does anyone have a deadline that is later than that?

Thanks.

[kymike]

The deadline is the end of your fiscal year ending after Nov 15, 2004. If you are not finished by then, you will have to evaluate the control deficiencies that you have in order to determine whether or not you can assert that internal controls over financial reporting (ICOFR) are effective.

Not all deficiencies will need to be remediated by your year end for a clean assertion, especially if the ineffective controls are migitaged by other effective controls. The year-end assertion as to effectiveness is made based on your entire ICOFR structure.

[LouGustav]

One way to address Spreadsheet compliance issue is to have an electronic repository from where users check in and check out spreadsheets, this allows for version control for each time spreadsheet file is checked out, reason for the changes, who made the change, and what the changes were, along with electronic signature.

Take a look at the Excel Version Control System software. Here is the link: 21cfrpart11compliance.com/VCS/evcs00.htm

There is a similiar product for MS Word as well.

Lou Gustav

[Toby]

Hey Everybody,
Thanks for the input. I saw the PWC whitepaper, my supervisor had already modeled our approach after it.

I'll check out the link for the version control software. Thanks

I had looked at the Beta XLSpell product that gives some pretty in-depth statistics on a speadsheet. Takes forever to run on even one spreadsheet and gets a lot of "false-positive" hits but it was kinda impressive.

I personnally believe some of these controls on spread sheets are unneccessary. The PWC whitepaper makes it sound like "spreadsheet hell", but imagine what it was like before spreadsheets? I do! There were just as many errors made by accountants on 10-key adding machines as are made on spreadsheets now! The medium is changing, the problems are basicly the same. The same internal control we used back then (double checking someone else's work and reasonableness reviews) are more likely to catch billion dollar errors like mentioned in the PWC report.

I do support using spreadsheets as a guide to identifiying risks in calculation errors, but getting too detailed will never be a solution. It's just too much!

OK, thanks for listening, I'll get off my soapbox.

[Tonyp]

Another option for managing your spreadsheets (and other document types) that is more generic then the Excel EVCS product is Microsoft's SharePoint product. You get the same capability as EVCS plus a lot more.

In addition, the company that I work for we have helped financial institututions develop solutions around this problem space using off the shelf solutions like Microsoft's SharePoint product.

- Tony



[Note: URL link drops edited out]

[Denis]

Also, don't forget to question whether the spreadsheet is truly the most appropriate way of doing things. In many cases we should be looking for core business systems to be remediated to produce accounting data without the need for manipulation in Excel.

[nate99]

Do you have to go in a check your "major" spreadsheets for accuracy and such? I read the PwC and it just speaks to the controls (access and such) over spreadsheets; however, we use spreadsheets for making material accruals every period. How can you get a correlation between saying a control over a process is effective when a spreadsheet is the most important part of the process, without testing the spreadsheet for set-up, mathmatical accuracy and such?

Sorry, if this should be an easy question...but I was just thrown in to help at the end...and have some various questions.

[Denis]

There are two things that the PwC paper covers:

1. What spreadsheets do you need to look at - this is a function of how complex are they and how important are they to the financial statements.

2. What controls do you need - which is covered by "Determine the necessary level of controlfor the spreadsheet". Testing the spreadsheet is covered under Development Lifecycle and Logic Inspection. Some support is provided by analytics.

Be aware that there are also several spreadsheet auditing tools out there that can help identify potential logic issues for complex spreadsheets.

[holger]

One should try to reduce significantly the spreadsheets in scope.

To do so you like to only look at spreadsheets which have a direct impact on your financial statements, disclosures. E.g. if you do IFRS / GAAP adjustments, asset validation, footnotes etc. in Excel. Then you start to apply the PWC Paper.

There's a second group of spreadsheets which is used to transport or convert data automatically into other systems. E.g. for Batch Input in SAP. These should already be covered by General IT Controls.

I definetly wouldn't look at Spreadsheets which are used as a key control. E.g. using XL for reconsolidation. That would be something like a control over a control. The key control is already documented...

Everything else would take away the reasons for using excel. The individual flexibility.

This is despite the question if Excel is right tool to prepare in significant parts your financial statements. You may like to replace those parts of your financial statement process with something more appropriate.