Spreadsheet controls 222





  • We have classified our spreadsheets based on complexity and risk (low risk, moderate, high) and have indicated if they pertain to either a key control or not. Spreadsheets associated with high risk and all that involve a key control will be tested for design and operating effectiveness. Spreadsheets are equivalent to any other system so we’re ensuring we have adequate controls around those ‘key’ or high risk spreadsheets (i.e. password protection, version control etc.). The classification of spreadsheets (i.e. developing an inventory of them) was a time-consuming task but we felt it had to be done. We ignored any spreadsheets employees use for individual or sub-analyses.



  • Richard,
    There is a document from PWC on Spreadsheets and Sox Section 404.
    Jonathan



  • Richard,
    There is a document from PWC on Spreadsheets and Sox Section 404.
    Jonathan
    To save you the hunt:
    pwcglobal.com/extweb/service.nsf/8b9d788097dff3c9852565e00073c0ba/cd287e403c0aeb7185256f08007f8caa/USDFILE/PwCwpSpreadsheet404Sarbox.pdf



  • Related to controls on spreadsheets are the controls around meeting minutes from internal financial reviews. Can anyone tell me if SOX requires similar controls around these documents as for Excel spreadsheets?
    Thanks. :?



  • Related to controls on spreadsheets are the controls around meeting minutes from internal financial reviews. Can anyone tell me if SOX requires similar controls around these documents as for Excel spreadsheets?
    Thanks. :?
    I hope you are joking. I do not think that minutes will flow into FINANCIAL STATEMENT LINE ITEMS like spreadsheets do, what do you think?



  • @zoost: Why? I could think of some committee minutes which could find entrance into the financial statements. Just think about decisions made by a reserving committee. The numbers they agree on will be reflected by the financial statements and therefore their minutes will be a SOX issue.



  • @zoost: Why? I could think of some committee minutes which could find entrance into the financial statements. Just think about decisions made by a reserving committee. The numbers they agree on will be reflected by the financial statements and therefore their minutes will be a SOX issue.
    At best this is a control i.e. a decision made by the reserving committee is authorisation/approval.
    We don’t normally need to address controls over controls.



  • @Denis: I didn’t want to mention to implement a control over a control. But it is subject of testing as I would consider this committee as an entity-level control.



  • As always the answer is 'it depends… ’ 😉



  • You’ll name it men… 😄



  • Regarding Controls over Minutes and Policy Setting.
    Minutes and Policies used as input in key controls/processes should be authorised. That is as far as I would go. Of course there are still risks concerning: Were the persons authorised to authorise that policy, where is that documented, who signed that document. Are there any measurements to prevent fraud with that document (copy protection), how is version management on policies/memos implemented, who authorised that etc etc.
    Please keep in mind that SOx is looking at key controls.



  • My thought is that if an organization has too many spreadsheets, an effort should be made to do the following:

    1. Consolidate the data.
    2. Populate the data into a database.
    3. Create a web application portal to access the data.


  • If a group is preparing a whole consolidation with something like Excel, one could ask if that is the appropriate tool for such a task… 😉



  • I would think the issues with spreadsheets are twofold. Who are the ‘author/developers’ of the spreadsheets, and who are the ‘users’ of the spreadsheets. One would have to use the same kind of controls they use for other software development (file management, security, versioning, documentation, etc) for the ‘author/developer’ types.
    A potentially more interesting aspect is more on the User side. If there was a way that these spreadsheets could be converted into a Java or .Net Enterprise application, then the compliance issues of access, security, auditing, etc all go away because now these are applications running in an enterprise environment (thin client/server-based).



  • We have classified our spreadsheets based on complexity and risk (low risk, moderate, high) and have indicated if they pertain to either a key control or not. Spreadsheets associated with high risk and all that involve a key control will be tested for design and operating effectiveness. Spreadsheets are equivalent to any other system so we’re ensuring we have adequate controls around those ‘key’ or high risk spreadsheets (i.e. password protection, version control etc.). The classification of spreadsheets (i.e. developing an inventory of them) was a time-consuming task but we felt it had to be done. We ignored any spreadsheets employees use for individual or sub-analyses.
    We are just at the stage of finding all the spreadsheets that people may be using that are not documented, but the end product is going into our financial systems. I was wondering if you have any tips on how to move through this process. Did you start with the major apps and work your way out to the business groups or the other way around?
    Do you have any good checklists or questions you used when interviewing people to find out what they were using? What about tools or other resources that you might have used? If you have anything that might help me in the search, I would greatly appreciate the direction.
    :roll:



  • In our case, European locations only, we did ask each of our Finance people to provide a copy of each of the spreadsheets they were using to input data into our financial systems.
    All these were then aggregated, tested for accuracy of formulas and saved.
    Nothing has been mentioned by the Big 4 auditors during their testing…
    Might be too easy or not very compliant with SOXA requirement, but that is indeed what we just did.

