As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Posted: Thu Oct 28, 2004 3:24 pm Post subject: Spreadsheet compliance issues
We are a large financial institution in the middle of our compliance process. There are so many spreadsheets around it's a chore just to get them listed into one database. I've thought of doing a *.xls search on the network but that's a scary proposition! SOX requires that we are to analyze each and every spreadsheet within scope for version, change, network, and password controls; and evaluate every spreadsheet for complexity, links, and accuracy etc..
Just identifying which spreadsheets fall into scope is a time-consuming and expensive process.
Here are my questions:
1) How are others defining "In Scope"? I'm looking for something more definitive than "could materially effect the financial statements".
2) How have other organizations gone about trying to investigate a particular spreadsheet for complexity or accuracy?
3) Has anyone seen some good articles on this subject?
4) How many persons in your internal audit department have reported smoke coming out of their ears after working on spreadsheet compliance?
PWC has a great white paper on evaluating the use of spreadsheets as part of the control environment. If you have not looked at it, youshould.
I work for a fortune 500 company. We are excluding quite a few spreadsheets from our analysis, including account reconciliation spreadsheets (unless they are used to calculate amounts to be used for journal entries) because of the volume and simplicity of their usage. We will end up with a short list of spreadsheets which will be subject to pretty strict access and change controls.
We are only looking at spreadsheets which are used in our key controls. That means we have a shortlist of only about a dozen or so that we are considering in scope. Anything else we are treating as user controlled.
For the in- scope ones, we are ensuring they are covered by access controls, change controls etc both at the user end and through IT. This means we are ensuring that the servers and networks where they are located are subject to controls too.
Posted: Thu Nov 11, 2004 9:08 am Post subject: Additional Question About Spreadsheet
It's my understanding that any cell with a formula has to have its own password, is this true? If it is how can this be done? Excel doesn't give you the option to assign a password to an individual cell.
Posted: Fri Nov 12, 2004 5:48 am Post subject: Re: Additional Question About Spreadsheet
It's my understanding that any cell with a formula has to have its own password, is this true?
In fact the questionable whether spreadsheet password protection is either necessary or sufficient. Given that any excel password can be cracked in about 5 seconds there are those (including PwC) who believe that excel passwords are inadequate.
The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).
The deadline is the end of your fiscal year ending after Nov 15, 2004. If you are not finished by then, you will have to evaluate the control deficiencies that you have in order to determine whether or not you can assert that internal controls over financial reporting (ICOFR) are effective.
Not all deficiencies will need to be remediated by your year end for a clean assertion, especially if the ineffective controls are migitaged by other effective controls. The year-end assertion as to effectiveness is made based on your entire ICOFR structure.
Posted: Mon Nov 22, 2004 2:23 pm Post subject: Excel Version Control System for Spreadsheet compliance
One way to address Spreadsheet compliance issue is to have an electronic repository from where users check in and check out spreadsheets, this allows for version control for each time spreadsheet file is checked out, reason for the changes, who made the change, and what the changes were, along with electronic signature.
Take a look at the Excel Version Control System software. Here is the link: 21cfrpart11compliance.com/VCS/evcs00.htm
Posted: Mon Nov 22, 2004 6:28 pm Post subject: Spreadsheet issues
Thanks for the input. I saw the PWC whitepaper, my supervisor had already modeled our approach after it.
I'll check out the link for the version control software. Thanks
I had looked at the Beta XLSpell product that gives some pretty in-depth statistics on a speadsheet. Takes forever to run on even one spreadsheet and gets a lot of "false-positive" hits but it was kinda impressive.
I personnally believe some of these controls on spread sheets are unneccessary. The PWC whitepaper makes it sound like "spreadsheet hell", but imagine what it was like before spreadsheets? I do! There were just as many errors made by accountants on 10-key adding machines as are made on spreadsheets now! The medium is changing, the problems are basicly the same. The same internal control we used back then (double checking someone else's work and reasonableness reviews) are more likely to catch billion dollar errors like mentioned in the PWC report.
I do support using spreadsheets as a guide to identifiying risks in calculation errors, but getting too detailed will never be a solution. It's just too much!
OK, thanks for listening, I'll get off my soapbox.
Posted: Tue Nov 23, 2004 8:29 am Post subject: Another Option
Another option for managing your spreadsheets (and other document types) that is more generic then the Excel EVCS product is Microsoft's SharePoint product. You get the same capability as EVCS plus a lot more.
In addition, the company that I work for we have helped financial institututions develop solutions around this problem space using off the shelf solutions like Microsoft's SharePoint product.
Also, don't forget to question whether the spreadsheet is truly the most appropriate way of doing things. In many cases we should be looking for core business systems to be remediated to produce accounting data without the need for manipulation in Excel.
Do you have to go in a check your "major" spreadsheets for accuracy and such? I read the PwC and it just speaks to the controls (access and such) over spreadsheets; however, we use spreadsheets for making material accruals every period. How can you get a correlation between saying a control over a process is effective when a spreadsheet is the most important part of the process, without testing the spreadsheet for set-up, mathmatical accuracy and such?
Sorry, if this should be an easy question...but I was just thrown in to help at the end...and have some various questions.
Joined: Nov 25, 2004 Posts: 790 Location: London, UK
Posted: Thu Jan 27, 2005 11:27 am Post subject:
There are two things that the PwC paper covers:
1. What spreadsheets do you need to look at - this is a function of how complex are they and how important are they to the financial statements.
2. What controls do you need - which is covered by "Determine the necessary level of controlfor the spreadsheet". Testing the spreadsheet is covered under Development Lifecycle and Logic Inspection. Some support is provided by analytics.
Be aware that there are also several spreadsheet auditing tools out there that can help identify potential logic issues for complex spreadsheets.
One should try to reduce significantly the spreadsheets in scope.
To do so you like to only look at spreadsheets which have a direct impact on your financial statements, disclosures. E.g. if you do IFRS / GAAP adjustments, asset validation, footnotes etc. in Excel. Then you start to apply the PWC Paper.
There's a second group of spreadsheets which is used to transport or convert data automatically into other systems. E.g. for Batch Input in SAP. These should already be covered by General IT Controls.
I definetly wouldn't look at Spreadsheets which are used as a key control. E.g. using XL for reconsolidation. That would be something like a control over a control. The key control is already documented...
Everything else would take away the reasons for using excel. The individual flexibility.
This is despite the question if Excel is right tool to prepare in significant parts your financial statements. You may like to replace those parts of your financial statement process with something more appropriate.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.