SOX critical spreadsheets? How to select them?

  • Hi,
    I am working on a SOX critical spreadsheet issue in the US these days.
    The company that undergoes the audit has stated some criteria for selection and scoping of spreadsheets with criticality with regards to SOX compliance. One criterion is a materiality level, which is fair, and another one is that the spreadsheet generates direct input to the general ledger.
    In my opinion a SOX critical spreadsheet does not necessarily generate direct input to the general ledger for it to be SOX critical. My opinion is that spreadsheets used for management reporting, NPV analysis, impairment calculations and so on, should undergo the same control procedures as those that generate direct input to the general ledger?

  • It depends on what you mean by ‘generate input for the general ledger’.
    There must be an at least reasonably possible likelihood that the spreadsheet could directly or indirectly lead to a material misstatement of the (consolidated) financial statements (i.e. the amount in the spreadsheet must be potentially material in relation to the financial statements).
    It does not matter whether the spreadsheet is automatically uploaded into the general ledger or whether somebody just uses the spreadsheet to make a decision whether a manual entry to the general ledger is necessary (e.g. a test whether goodwill is impaired or a calculation whether there is a deficit in the retirement benefit plan if the amounts are potentially material).
    I would not say that internal management reporting is related to the financial statements unless the review of the management reports is the only and a critical control to prevent material misstatements in the financial statements (e.g. inventory turnover reports in order to identify inventory balances that are overvalued because of obsolescence). A net present value analysis that is purely used to decide whether to invest in a project or whether to acquire a company has no impact on the financial statements yet and would be out of scope.
    Spreadsheets can also be used to determine the fair value of stock options or of (payments in) shares that are not listed on a stock exchange. The question is whether such payments have at least potentially a material effect on net profit.

  • Thanks for your reply.
    I am somewhat enlightened by your opinion about SOX critical spreadsheets and I totally agree when it comes to NPV analysis and management decisions.
    It is the ‘indirectly lead to a material misstatement’ which to some degree represents the challenge here, I guess. As the criteria are working for the company now, they have only considered direct input, which I am a little confused about. But I guess that will be up to my chief inspector to discuss further with the company then.

  • Hi Jim - to add to gmerkl’s good feedback, the following might be helpful from a control standpoint.
    – Critical spreadsheets which represent financial material risks must be properly controlled in terms of change management and the approval process.
    – While there are Excel-based change management systems, companies using Microsoft’s SharePoint library system could implement the needed controls inexpensively using SharePoint’s checkout and approval system. The key is to set up the proper privacy and security controls to manage all aspects of Excel document management.
    – Even indirect impacts to financial systems should be thoroughly assessed using risk analysis techniques. SOX is somewhat a self-regulatory process that’s subject to interpretation (and sometimes differing implementations of controls will occur by companies). However, the more due diligence that is performed – the more confidence senior management and SOX auditors will have in signing off on the SOX 302 and SOX 404 annual compliance.
