Spreadsheet Change Control



  • Has anyone addressed the issue of spreadsheet change control? If so, to what extent, and did you elect to deploy a toolset to facilitate the monitoring of changes that could have a material impact? We have:

    1. Inventoried spreadsheets
    2. Ensured that proper segregation of duties is in place
    3. Verified that spreadsheets are in a secured directory
    4. Verified that they are documented
    5. Implemented password protection
    6. Verified that they are backed up

    We are currently addressing the issue of change control. If a change is made to a formula/macro that could have a significant impact, who made the change, why was the change made, and was it reviewed and approved? To what extent are others addressing this issue?
    Thanks in advance.


    1. Inventoried spreadsheets: SOMEWHAT
    2. Ensured that proper segregation of duties is in place: NOPE
    3. Verified that spreadsheets are in a secured directory: YES
    4. Verified that they are documented: NOPE
    5. Implemented password protection: NOPE
    6. Verified that they are backed up: NOPE

    The control of spreadsheets seems to be inconsistently sneaking into various locations (Europe primarily). So far we have really only been responsible for identifying the key financial Excel files and verifying restricted access.
    Dan


  • We are receiving SIGNIFICANT pushback from our external auditors. They mention the fact that some companies had spreadsheet errors last year that (even if discovered and fixed) may have resulted in inaccurate filings. As a result, they say that the PCAOB is taking a hard look at the controls on spreadsheets, and therefore they are looking for change control AT THE CELL LEVEL. Has anyone had any dealings with the EA regarding this?
    Thanks



  • I have one client that actually prepared consolidated financials via two independent spreadsheets and then compared the results. Another option would be to turn Excel’s auditing feature on and have an independent party sign off quarterly.



  • In order to have cell-level change tracking/audit trail across multiple spreadsheets at the same time, you need to manage the spreadsheet data interactions through a database which is driven by spreadsheets.
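
Added example, not part of any post in this thread: one way to detect which formula cells differ between an approved baseline and the current copy of a workbook, by reading the worksheet XML inside the .xlsx zip container. The function names and the sample workbooks are constructed for illustration; the check shows what changed, not who changed it or why, which still needs a review and sign-off record.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def read_formulas(xlsx_bytes):
    """Return {(sheet_part, cell_ref): formula_text} for every formula cell."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for part in sorted(z.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            for cell in root.iterfind(".//m:c", NS):
                f = cell.find("m:f", NS)
                if f is not None:
                    # Dependent cells of a shared formula carry no text, only an index.
                    found[(part, cell.get("r"))] = f.text or "shared:" + f.get("si", "?")
    return found

def diff_formulas(baseline, current):
    """List (sheet_part, cell, old, new) for added, removed or altered formulas."""
    old, new = read_formulas(baseline), read_formulas(current)
    return [(k[0], k[1], old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]

def make_sample(cells):
    """Constructed sample: a zip holding only one worksheet part (not a full workbook)."""
    body = "".join(
        '<c r="%s">%s<v>0</v></c>' % (ref, "<f>%s</f>" % f if f else "")
        for ref, f in cells)
    xml = ('<worksheet xmlns="%s"><sheetData><row r="1">%s</row></sheetData></worksheet>'
           % (NS["m"], body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", xml)
    return buf.getvalue()

# Constructed inputs: the approved version and a copy with one edited and one new formula.
APPROVED = make_sample([("A1", None), ("B1", "SUM(A1:A10)"), ("C1", "B1*0.2")])
CURRENT = make_sample([("A1", None), ("B1", "SUM(A1:A9)"), ("C1", "B1*0.2"), ("D1", "C1+1")])

if __name__ == "__main__":
    for sheet, cell, old, new in diff_formulas(APPROVED, CURRENT):
        print(sheet, cell, old, "->", new)
```

If workbooks can arrive from untrusted sources, parse them with a hardened XML parser such as defusedxml, since ElementTree does not guard against entity-expansion input.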



  • We are in year 2 of SOX (clean opinion year 1) and have received different guidance for spreadsheets this year. Last year was all about tick-marks showing calculations had been reviewed and spreadsheet output had been agreed back to support etc. This year, we have been allowed to rely on existing controls around the spreadsheet and its inputs / outputs.
    For example: take a spreadsheet used to calculate a large P-and-L journal. Control is that all journals above a de minimis limit are subject to independent review and sign-off. This review should then detect and correct any significant misstatement. Similarly, spreadsheet reconciliations: all reconciliations for large accounts are subject to independent review and sign-off.
    We do still use check totals to help facilitate the review but don’t use cell-level controls.

