Spreadsheet compliance issues 218



  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • Toby,
    PWC has a great white paper on evaluating the use of spreadsheets as part of the control environment. If you have not looked at it, youshould.
    I work for a fortune 500 company. We are excluding quite a few spreadsheets from our analysis, including account reconciliation spreadsheets (unless they are used to calculate amounts to be used for journal entries) because of the volume and simplicity of their usage. We will end up with a short list of spreadsheets which will be subject to pretty strict access and change controls.



  • We are only looking at spreadsheets which are used in our key controls. That means we have a shortlist of only about a dozen or so that we are considering in scope. Anything else we are treating as user controlled.
    For the in- scope ones, we are ensuring they are covered by access controls, change controls etc both at the user end and through IT. This means we are ensuring that the servers and networks where they are located are subject to controls too.



  • It’s my understanding that any cell with a formula has to have its own password, is this true? If it is how can this be done? Excel doesn’t give you the option to assign a password to an individual cell.



  • It’s my understanding that any cell with a formula has to have its own password, is this true?
    Completely untrue.
    In fact the questionable whether spreadsheet password protection is either necessary or sufficient. Given that any excel password can be cracked in about 5 seconds there are those (including PwC) who believe that excel passwords are inadequate.
    The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).



  • The preferred option would be to restrict access to critical spreadsheets through the use of file permissions within network directories (or file shares).[/quote]
    And be sure to have a suitable audit trail in place to know who made what changes to what parts of the spreadsheet and under what authorisation.
    You should also ensure that what ever controls you have in place for the above are effectively monitored and the results and actions from the monitoring of controls should be documented.
    Cheers



  • I have another question relating to this topic, what is the consensus on an absolute deadline? Is it November 30, or does anyone have a deadline that is later than that?
    Thanks.



  • The deadline is the end of your fiscal year ending after Nov 15, 2004. If you are not finished by then, you will have to evaluate the control deficiencies that you have in order to determine whether or not you can assert that internal controls over financial reporting (ICOFR) are effective.
    Not all deficiencies will need to be remediated by your year end for a clean assertion, especially if the ineffective controls are migitaged by other effective controls. The year-end assertion as to effectiveness is made based on your entire ICOFR structure.


Log in to reply