Spreadsheet control 724



  • Can anyone give me some tips on my questions: :lol:

    1. Our Marketing Department uses lots of spreadsheets for their analytical review. The analysis is important to management’s decision making but they may not have direct impact on the financial statements. Should these spreadsheets be tightly controlled in compliance with SOX404?
    2. Our CFO uses spreadsheet to conduct financial analysis by her own (i.e. she is the preparer of the spreadsheet). According to the White Paper of PWC, the spreadsheets are classified as highly ‘complex’ and for financial purpose. I understand that the spreadsheets should be well controlled but how about the issue on segregation of duties?


  • Spreadsheets not used in calculating account balances, journal entries, etc. should not be subject to spreadsheet controls for SOX purposes. While possibly impacting operational controls, it does not appear that the Marketing spreadsheets impact financial controls.
    As to the CFO, if the spreadsheet is purely for his analytical purposes and does not impact the financial statements, I would not consider it falling under SOX spreadsheet control requirements.
    We identified very few spreadsheets that met the requirements of needing to be well-controlled.
    I don’t follow your comment on SOD for the CFO and his spreadsheet analysis - can you expand on your concerns?



  • Dear Kymike, thanks for your advice.
    Re the white paper of PWC, one of the recommended controls is Segregation of duties / Role and Procedures. My interpretion on such control is that duties should be properly segregate among spreadsheet developer, user and reviewer. For those complex financial spreadsheet, I’ll treat the best practice as (1) developer creates the spreadsheet with formulas being protected in particular cells and he’ll keep the password (2) user input current data to the spreadsheet in doing those analysis; whenever there is a need to change the formulas, he has to go back to the developer (3) a senior reviewer perform final checking on the result of the spreadsheet before posting it to the financail statement… However, for our CFO’s case, she is both the spreadsheet developer and user, and no reviewer exists throughout the process. Will there be a problem on the issue of SOD? Or do I misinterpret something? Please kindly advise. Thanks.



  • SOD should only apply to the critical spreadsheets that are used in determining balances for journal entries or other adjustments to the financial statement accounts. If used purely for analytical purposes, while nice to have SOD in place, it is not critical, especially for SOX purposes.



  • From The white paper issued by PWC, depending on the usage (i.e. Operational, Analytical/Management Information, Financial), spreadsheet can be derived into 3 categories.
    However, it is mentioned before only spreadsheets used to determine Journal transaction amount (i.e. Financial Type spreadsheet) requiring spreadsheet controls.
    Is it means that the operational and analytical/Management Information type of spreadsheet are not fall into the spreadsheet controls under SOX requirements :?: :?: :?:



  • Is it means that the operational and analytical/Management Information type of spreadsheet are not fall into the spreadsheet controls under SOX requirements :?: :?: :?:
    If they do not lead directly to adjustments to the financial statements, they are not in scope for SOX. It may be good business practice to have some controls over these types of spreadsheets, especially if they lead to management decisions, but SOX would not require them to.



  • If the company relies on fiancial projections from sales analysis to provide future guidance in earnings releases or conference calls, then I am pretty sure these should be included under SOX compliance.
    Most spreadsheets are created by the user of the data. Rather than take away the usability of spreadsheets by segragating author and user roles. It seems like it would be sufficient to insert a validation step were some IT staffer would interview the end user to find out what he was trying to accomplish, use the spreedsheet calculations as the specification and verify the correctness and the validity of the data sources.
    I believe the SOX requires that users not be able to both develop and print from a spreadsheet program. The better solution is to develop the spreadsheet with a print disabled spreadsheet program. Then export the spreadsheet to the central database system which would extract the heading cells to autoconstruct the database schema. Identify the data fields and either propmt the enduser to map the data sources from the central database or have a IT staffer assist int the data export mapping. Data extraction would require fixed time scheduling data as data may only be validate at a fix time say as monthend closing. Next the system would extract the calulations from the spreadsheet and enter them as a spreadsheet transaction, that would also require a set of lifecycle approvals/acceptances, needs statement, testing, user signoff, and production signoff, etc.
    If any data is being pulled from the corporate database then you can be certain it requires SOX compliance.
    Short of this type of system, companies need to stop using spreadsheets.



  • Software Factory,
    As much as it seems logical that SOX should cover forward-looking statements that might be based on information from a marketing spreadsheet, this is not included in SOX compliance.
    While the laws and guidance almost always stop short of providing any information on HOW to comply, this is the one area that is very clear from the law and guidance: the limit of the compliance umbrella. (Inside the umbrella is where it gets murky again).
    SOX compliance encompasses the financial statements only. Forward-looking statements are not used to book journal entries and do not end up in the financial statements. If, for some reason, the marketing spreadsheets end up being used to book journal entries, then you have a different issue.


Log in to reply