Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· Directory
· Downloads
· FAQ
· Forums
· Search
· Sox_Admin
· Statistics
· Submit News
· Surveys
· Top 10
· Your Account

Sarbox Compliance
The appropriately named Sarbanes-Oxley Compliance Toolkit includes a whole range of materials specifically put together to both introduce, and take you through this most important of legislation.

For detailed information see the toolkit's own website: Sarbanes-Oxley Compliance


SOX Act and Security
As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.

The SOX email storage requirements can be fulfilled using the GFI MailArchiver


SOX Advertisers


Sarbanes What?
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!

Sarbanes-Oxley Act Forum: Forums

The Sarbanes Oxley Act :: View topic - Spreadsheet compliance issues
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

Spreadsheet compliance issues
Goto page 1, 2  Next
 
Post new topic   Reply to topic    The Sarbanes Oxley Act Forum Index -> Sarbanes-Oxley: Audit Issues
View previous topic :: View next topic  
Author Message
Toby
Newbie
Newbie


Joined: Oct 28, 2004
Posts: 2

PostPosted: Thu Oct 28, 2004 3:24 pm    Post subject: Spreadsheet compliance issues Reply with quote

We are a large financial institution in the middle of our compliance process. There are so many spreadsheets around it's a chore just to get them listed into one database. I've thought of doing a *.xls search on the network but that's a scary proposition! SOX requires that we are to analyze each and every spreadsheet within scope for version, change, network, and password controls; and evaluate every spreadsheet for complexity, links, and accuracy etc..
Just identifying which spreadsheets fall into scope is a time-consuming and expensive process.

Here are my questions:
1) How are others defining "In Scope"? I'm looking for something more definitive than "could materially effect the financial statements".

2) How have other organizations gone about trying to investigate a particular spreadsheet for complexity or accuracy?

3) Has anyone seen some good articles on this subject?

4) How many persons in your internal audit department have reported smoke coming out of their ears after working on spreadsheet compliance?

Thanks
Back to top
View users profile
kymike
SoxGuru
SoxGuru


Joined: Jun 02, 2004
Posts: 640
Location: USA

PostPosted: Fri Oct 29, 2004 7:06 am    Post subject: Reply with quote

Toby,

PWC has a great white paper on evaluating the use of spreadsheets as part of the control environment. If you have not looked at it, youshould.

I work for a fortune 500 company. We are excluding quite a few spreadsheets from our analysis, including account reconciliation spreadsheets (unless they are used to calculate amounts to be used for journal entries) because of the volume and simplicity of their usage. We will end up with a short list of spreadsheets which will be subject to pretty strict access and change controls.
Back to top
View users profile
CoolCat
Newbie
Newbie


Joined: Oct 20, 2004
Posts: 14

PostPosted: Fri Oct 29, 2004 9:21 am    Post subject: Reply with quote

We are only looking at spreadsheets which are used in our key controls. That means we have a shortlist of only about a dozen or so that we are considering in scope. Anything else we are treating as user controlled.

For the in- scope ones, we are ensuring they are covered by access controls, change controls etc both at the user end and through IT. This means we are ensuring that the servers and networks where they are located are subject to controls too.
Back to top
View users profile
Guest9999
Guest





PostPosted: Thu Nov 11, 2004 9:08 am    Post subject: Additional Question About Spreadsheet Reply with quote

It's my understanding that any cell with a formula has to have its own password, is this true? If it is how can this be done? Excel doesn't give you the option to assign a password to an individual cell.
Back to top
Denis
Guest





PostPosted: Fri Nov 12, 2004 5:48 am    Post subject: Re: Additional Question About Spreadsheet Reply with quote

Guest9999 wrote:
It's my understanding that any cell with a formula has to have its own password, is this true?


Completely untrue.

In fact the questionable whether spreadsheet password protection is either necessary or sufficient. Given that any excel password can be cracked in about 5 seconds there are those (including PwC) who believe that excel passwords are inadequate.

The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).
Back to top
BrummiePete
Newbie
Newbie


Joined: Nov 02, 2004
Posts: 12
Location: UK

PostPosted: Tue Nov 16, 2004 4:29 pm    Post subject: Re: Additional Question About Spreadsheet Reply with quote

The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).[/quote]

And be sure to have a suitable audit trail in place to know who made what changes to what parts of the spreadsheet and under what authorisation.

You should also ensure that what ever controls you have in place for the above are effectively monitored and the results and actions from the monitoring of controls should be documented.

Cheers
_________________
Brummie Pete
Back to top
View users profile
mrk321
Newbie
Newbie


Joined: Nov 16, 2004
Posts: 1

PostPosted: Wed Nov 17, 2004 8:30 am    Post subject: Reply with quote

I have another question relating to this topic, what is the consensus on an absolute deadline? Is it November 30, or does anyone have a deadline that is later than that?

Thanks.
Back to top
View users profile
kymike
SoxGuru
SoxGuru


Joined: Jun 02, 2004
Posts: 640
Location: USA

PostPosted: Wed Nov 17, 2004 9:39 am    Post subject: Reply with quote

The deadline is the end of your fiscal year ending after Nov 15, 2004. If you are not finished by then, you will have to evaluate the control deficiencies that you have in order to determine whether or not you can assert that internal controls over financial reporting (ICOFR) are effective.

Not all deficiencies will need to be remediated by your year end for a clean assertion, especially if the ineffective controls are migitaged by other effective controls. The year-end assertion as to effectiveness is made based on your entire ICOFR structure.
Back to top
View users profile
LouGustav
Guest





PostPosted: Mon Nov 22, 2004 2:23 pm    Post subject: Excel Version Control System for Spreadsheet compliance Reply with quote

One way to address Spreadsheet compliance issue is to have an electronic repository from where users check in and check out spreadsheets, this allows for version control for each time spreadsheet file is checked out, reason for the changes, who made the change, and what the changes were, along with electronic signature.

Take a look at the Excel Version Control System software. Here is the link: 21cfrpart11compliance.com/VCS/evcs00.htm

There is a similiar product for MS Word as well.

Lou Gustav
Back to top
Toby
Newbie
Newbie


Joined: Oct 28, 2004
Posts: 2

PostPosted: Mon Nov 22, 2004 6:28 pm    Post subject: Spreadsheet issues Reply with quote

Hey Everybody,
Thanks for the input. I saw the PWC whitepaper, my supervisor had already modeled our approach after it.

I'll check out the link for the version control software. Thanks

I had looked at the Beta XLSpell product that gives some pretty in-depth statistics on a speadsheet. Takes forever to run on even one spreadsheet and gets a lot of "false-positive" hits but it was kinda impressive.

I personnally believe some of these controls on spread sheets are unneccessary. The PWC whitepaper makes it sound like "spreadsheet hell", but imagine what it was like before spreadsheets? I do! There were just as many errors made by accountants on 10-key adding machines as are made on spreadsheets now! The medium is changing, the problems are basicly the same. The same internal control we used back then (double checking someone else's work and reasonableness reviews) are more likely to catch billion dollar errors like mentioned in the PWC report.

I do support using spreadsheets as a guide to identifiying risks in calculation errors, but getting too detailed will never be a solution. It's just too much!

OK, thanks for listening, I'll get off my soapbox.
Back to top
View users profile
Tonyp
Guest





PostPosted: Tue Nov 23, 2004 8:29 am    Post subject: Another Option Reply with quote

Another option for managing your spreadsheets (and other document types) that is more generic then the Excel EVCS product is Microsoft's SharePoint product. You get the same capability as EVCS plus a lot more.

In addition, the company that I work for we have helped financial institututions develop solutions around this problem space using off the shelf solutions like Microsoft's SharePoint product.

- Tony



[Note: URL link drops edited out]
Back to top
Denis
Guest





PostPosted: Wed Nov 24, 2004 10:32 am    Post subject: Reply with quote

Also, don't forget to question whether the spreadsheet is truly the most appropriate way of doing things. In many cases we should be looking for core business systems to be remediated to produce accounting data without the need for manipulation in Excel.
Back to top
nate99
Newbie
Newbie


Joined: Jan 26, 2005
Posts: 2

PostPosted: Thu Jan 27, 2005 11:20 am    Post subject: Reply with quote

Do you have to go in a check your "major" spreadsheets for accuracy and such? I read the PwC and it just speaks to the controls (access and such) over spreadsheets; however, we use spreadsheets for making material accruals every period. How can you get a correlation between saying a control over a process is effective when a spreadsheet is the most important part of the process, without testing the spreadsheet for set-up, mathmatical accuracy and such?

Sorry, if this should be an easy question...but I was just thrown in to help at the end...and have some various questions.
Back to top
View users profile
Denis
SoxGuru
SoxGuru


Joined: Nov 25, 2004
Posts: 790
Location: London, UK

PostPosted: Thu Jan 27, 2005 11:27 am    Post subject: Reply with quote

There are two things that the PwC paper covers:

1. What spreadsheets do you need to look at - this is a function of how complex are they and how important are they to the financial statements.

2. What controls do you need - which is covered by "Determine the necessary level of controlfor the spreadsheet". Testing the spreadsheet is covered under Development Lifecycle and Logic Inspection. Some support is provided by analytics.

Be aware that there are also several spreadsheet auditing tools out there that can help identify potential logic issues for complex spreadsheets.
Back to top
View users profile
holger
MasterSoxer
MasterSoxer


Joined: May 18, 2004
Posts: 117
Location: Europe

PostPosted: Fri Jan 28, 2005 3:00 am    Post subject: Reply with quote

One should try to reduce significantly the spreadsheets in scope.

To do so you like to only look at spreadsheets which have a direct impact on your financial statements, disclosures. E.g. if you do IFRS / GAAP adjustments, asset validation, footnotes etc. in Excel. Then you start to apply the PWC Paper.

There's a second group of spreadsheets which is used to transport or convert data automatically into other systems. E.g. for Batch Input in SAP. These should already be covered by General IT Controls.

I definetly wouldn't look at Spreadsheets which are used as a key control. E.g. using XL for reconsolidation. That would be something like a control over a control. The key control is already documented...

Everything else would take away the reasons for using excel. The individual flexibility.

This is despite the question if Excel is right tool to prepare in significant parts your financial statements. You may like to replace those parts of your financial statement process with something more appropriate. icon_biggrin.gif
Back to top
View users profile Send email


Display posts from previous:   
Post new topic   Reply to topic    The Sarbanes Oxley Act Forum Index -> Sarbanes-Oxley: Audit Issues All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Forums ©

 
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters.
Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox.
Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.