Spreadsheet controls

  • The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act
    Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies. In developing and using spreadsheets, companies need to balance their ease and flexibility against the importance of reliable information for management’s use. The requirements under Section 404 of the Sarbanes-Oxley Act increase the focus on controls related to the development and maintenance of spreadsheets. As users of spreadsheet applications such as Microsoft Excel® or Lotus 1-2-3® have become more sophisticated, so have spreadsheets. Once used to support simple functions such as logging, tracking and totaling information, spreadsheets with enhanced formulas and built-in advanced features are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated (and sometimes convoluted) models and other business functions with minimal or no documentation. In addition, these complex spreadsheets are not normally supported by the same control environments as formally developed or purchased applications. For example, the developers and users of spreadsheets are usually not trained in structured programming, testing, version control or systems development life cycles, and spreadsheets are rarely restricted from unauthorized access by security controls.
    The use of spreadsheets (and, more importantly, the lack of controls over spreadsheets) has been a contributing factor in financial reporting errors at a number of companies. These examples highlight the importance of understanding how spreadsheets are used in a company’s financial reporting process and evaluating the controls over spreadsheets as part of the company’s overall Section 404 process.
    How Are Companies Using Spreadsheets?
    To assess how companies are using spreadsheets, it is helpful to categorize both the uses and complexity of spreadsheets. The uses of information contained in spreadsheets can be grouped into the following categories:
    · Operational: Spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as a listing of open claims, unpaid invoices and other information that previously would have been retained in manual, paper file folders. These may be used to monitor and control that financial transactions are captured accurately and completely.
    · Analytical/Management Information: Spreadsheets used to support analytical review and management decision-making. These may be used to evaluate the reasonableness of financial amounts.
    · Financial: Spreadsheets used to directly determine financial statement transaction amounts or balances that are populated into the general ledger and/or financial statements.

    The complexity of spreadsheets may be categorized in the following manner:
    Low: Spreadsheets which serve as an electronic logging and information tracking system.
    Moderate: Spreadsheets which perform simple calculations such as using formulas to total certain fields or calculate new values by multiplying two cells. These spreadsheets can be used as methods to translate or reformat information, often for analytical review and analysis, for recording journal entries or for making a financial statement disclosure.
    High: Spreadsheets which support complex calculations, valuations and modeling tools. These spreadsheets are typically characterized by the use of macros and multiple supporting spreadsheets where cells, values and individual spreadsheets are linked. These spreadsheets might be considered applications (i.e., software programs) in their own right. They often are used to determine transaction amounts or as the basis for journal entries into the general ledger or financial statement disclosures.

    Practical Steps for Evaluating Spreadsheet Controls
    Implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404. There are five high-level steps to implementing such a process:

    1. Inventory spreadsheets
    2. Evaluate the use and complexity of spreadsheets
    3. Determine the necessary level of controls for key spreadsheets
    4. Evaluate existing “as is” controls for each spreadsheet
    5. Develop action plans for remediating control deficiencies
      An action plan should be developed for each control gap identified. These action plans should increase the controls over the spreadsheet to the necessary controls based upon the use and complexity of the spreadsheet. Key elements of an action plan include:
      · Assigning responsibility for actions in plan
      · Establishing required remediation dates
      · Prioritizing remediation efforts
      For complex spreadsheets that support significant accounts and disclosures, consider whether these systems should be migrated to production processing environments to provide an adequate level of control. Given the potentially large number of remediation items relating to spreadsheet controls, it is recommended that these efforts start with high priority items, defined as items related to financial spreadsheets containing complex calculations which support significant accounts and disclosures.
      Many companies rely on spreadsheets as a key component in their financial reporting and operational processes. However, it is clear that the flexibility of spreadsheets has sometimes come at a cost. It is important that management identify where control breakdowns could lead to potential material misstatements and that controls for significant spreadsheets be documented, evaluated and tested. Perhaps more importantly, management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to sufficiently mitigate this risk, or if spreadsheets related to significant accounts or with higher complexity should be migrated to an application system with a more formalized information technology control environment. Understanding how spreadsheets are used and the adequacy of related controls is a critical part of management’s assessment of the effectiveness of its internal control over financial reporting under Section 404.
      Note: Knowledge Dynamics provides a software product that can automatically convert Excel Spreadsheets into Java or .Net Enterprise Applications for migration/control needs. For more information call me on 614-286-8229.
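
One way to support the inventory and complexity-evaluation steps described above, as an added example that is not from the PwC paper or any poster in this thread. It rates `.xlsx`/`.xlsm` packages Low, Moderate or High using the paper's definitions; mapping those definitions to package contents (a `vbaProject.bin` part for macros, `xl/externalLinks/` parts for linked workbooks, `<f>` elements for formulas) is an assumption of this sketch, and the use category (operational, analytical, financial) still has to come from the business.

```python
import io
import re
import zipfile

# Matches <f>, <f t="shared" ...> and <f/> formula elements in worksheet XML.
FORMULA_RE = re.compile(rb"<f[\s>/]")

def classify_workbook(data: bytes) -> dict:
    """Rate one workbook Low/Moderate/High from its OOXML package contents."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .xls or encrypted files are not ZIP packages: flag for manual review.
        return {"rating": "Unknown", "macros": False, "links": 0, "formulas": 0}
    with zf:
        names = zf.namelist()
        macros = any(n.lower().endswith("vbaproject.bin") for n in names)
        links = sum(n.startswith("xl/externalLinks/") and n.endswith(".xml") for n in names)
        formulas = sum(len(FORMULA_RE.findall(zf.read(n)))
                       for n in names
                       if n.startswith("xl/worksheets/") and n.endswith(".xml"))
    if macros or links:
        rating = "High"        # macros or linked workbooks
    elif formulas:
        rating = "Moderate"    # simple calculations
    else:
        rating = "Low"         # logging / tracking only
    return {"rating": rating, "macros": macros, "links": links, "formulas": formulas}

def triage(files: dict) -> dict:
    """Map each file name to its rating so high-complexity files are reviewed first."""
    return {name: classify_workbook(data)["rating"] for name, data in files.items()}

def make_workbook(parts: dict) -> bytes:
    """Build a minimal constructed package in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples, not real workbooks.
SHEET_VALUES = b'<worksheet><sheetData><row><c r="A1"><v>42</v></c></row></sheetData></worksheet>'
SHEET_FORMULA = (b'<worksheet><sheetData><row><c r="A3"><f>SUM(A1:A2)</f><v>3</v></c>'
                 b'</row></sheetData></worksheet>')
SAMPLES = {
    "open_claims_log.xlsx": make_workbook({"xl/worksheets/sheet1.xml": SHEET_VALUES}),
    "journal_entry_calc.xlsx": make_workbook({"xl/worksheets/sheet1.xml": SHEET_FORMULA}),
    "valuation_model.xlsm": make_workbook({
        "xl/worksheets/sheet1.xml": SHEET_FORMULA,
        "xl/vbaProject.bin": b"constructed placeholder",
        "xl/externalLinks/externalLink1.xml": b"<externalLink/>",
    }),
    "legacy_budget.xls": b"\xd0\xcf\x11\xe0 constructed non-ZIP bytes",
}

if __name__ == "__main__":
    for name, rating in triage(SAMPLES).items():
        print(f"{rating:8} {name}")
```

Files rated Unknown (legacy binary or password-encrypted workbooks) cannot be inspected this way and need manual classification.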

  • Quite a few of us involved at this time in spreadsheet control evaluations it appears. Hopefully, you’ll see where I’m going with my scenario and question below:
    I’ve read through the PWC documentation on the use of spreadsheets and considerations for 404. The understanding I have is we should be concentrating on those spreadsheets that are used in our financial reporting process. However, we have spreadsheets that management uses to make decisions, such as budgeting and forecasting related, and business decisions could be negatively impacted by the reliance on an erroneous spreadsheet used in this process. Ultimately, however, a bad decision translates into an accounting entry that ends up reported correctly given our controls over our accounting processes. Would it be your opinion that this budgeting and forecasting spreadsheet should be identified and controlled within the 404 guidelines, even though our financial reporting process was not impacted?

  • However, we have spreadsheets that management uses to make decisions, such as budgeting and forecasting related, and business decisions could be negatively impacted by the reliance on an erroneous spreadsheet used in this process.
    From a SOX point of view we do not care if management makes bad business decisions. :oops:
    Ultimately, however, a bad decision translates into an accounting entry that ends up reported correctly given our controls over our accounting processes. Would it be your opinion that this budgeting and forecasting spreadsheet should be identified and controlled within the 404 guidelines, even though our financial reporting process was not impacted?

    You’ve answered your own question. A bad decision may result in an accounting entry but if that entry accurately reflects the actual transaction then there is no impact.
    That said there is nothing to stop management looking at things that are important but do not have a financial statements impact. However, the trick here is to maintain visibility on why you are looking at something - if you are not doing it for SOX you will want to separate out things like testing, gaps, etc, and you will not need to have your auditor look at the non-SOX bits.

  • What would Economics be without assumptions?
    Accounting :.:

  • Yes, good old economics assumptions. Usually the first one is ‘assuming perfect competition’ :roll:
    ‘If you put two economists in a room, you get two opinions, unless one of them is Keynes, in which case you get three.’ - Winston Churchill.

  • Thanks for all this great information.
    I am just starting to create a document for my company outlining guiding principles for end user computing controls around the use of spreadsheets in particular. Does anyone have an outline for something like this?
    Any help would be appreciated. Thanks kindly.

  • Maybe this is wishful thinking, but one topic that has not been touched on is whether or not setting up a control to check end user computing should even be implemented. Section 404 just states that management reports on whether they have an adequate control structure in place, and that the controls are working effectively. For any material amount/journal that is arrived at by a spreadsheet, I would assume every company already has a control for some level of review of that supporting documentation. So, if a spreadsheet has an error in it, those errors should be caught anyway by this level of review. An additional control to check all spreadsheets that resulted in a material impact to the financials appears redundant to me. I understand the concern that there are so many errors already in so many spreadsheets, but in every case where this resulted in a material error, the supervisor just failed to do an adequate review.
    I wonder if the big accounting firms are just making up controls for them to test for more fees. 8O

  • I’m in the process of testing key spreadsheets. During my initial investigation there are a number of key spreadsheets relating to operational and analytical which help management make informed decisions but have no impact to the financial accounts. They are key but do they fall under SOX Spreadsheet testing given that they have no impact to the accounts?

  • To mention it again, IT has to focus on key controls. It is not the decision of IT which spreadsheets are SOX relevant or not. Neither IT has to do something like a spreadsheet inventory and then assess which are in scope or not. This is a business side decision. If in a bigger company of course.
    Or do you expect that IT which always liked chaos theory is able to not do it in that case :twisted:
    The business knows exactly which spreadsheets are used to reconcile data from bigger systems, or just reconciling the data from their closing seasons process.
    This is just a waste of time and manpower.
    After you have identified the spreadsheets you can assess them like the PwC document shows. But be aware if taking safeguarding of assets into account. There might be formulae in these sheets which IT just CAN’T test. There is much business knowledge in them. What should IT do? Hire an actuary? This should be addressed by a peer review in the team which created the spreadsheet. (You might have a problem with the segregation of developer and tester - but there is one rule: Knowledge over independency, if your management takes that risk in their decision - off you go)
    Then you just have to ensure that the access rights to the location of the spreadsheet are properly set (reliance on ITGCs). And maybe it’s a good idea to create something like ‘light’ ITGCs for End-User-Applications.
    Versioning, ChangeMgmt, AccessControl

  • Syed,
    You may need to reevaluate whether or not these spreadsheets are part of your key processes. If a process is merely in place to help management make good operational and financial decisions and does not affect the financial statements, by definition the process itself is not key and therefore, the spreadsheet does not need to be reviewed.
    Key controls should only be controls that have an effect on the financial statements as reported to investors. Now that the PCAOB released new guidance in May, you should have good ammunition for removing some of these controls from your list when you discuss this with your auditors.
    Also, I would be careful in designing a spreadsheet testing plan. The PwC guidance provides a list of all controls that could be in place for spreadsheets, however trying to implement every one of those controls may actually keep your employees from doing their jobs. You should be able to argue that thru the use of entity-level controls such as good staffing and review practices you should be able to reduce the number of controls necessary over your spreadsheets.

  • SoxBriefs
    Thanks for your response. No, you’re absolutely right. If I looked to implementing all the controls recommended by PWC I think I won’t have many friends in the company.
    I’m taking the reasonable assurance view that as long as there is a review taking place by both the user and senior management, there is adequate access control, passwords in some places, appropriate naming convention is being used to reflect current version and any changes are being logged and approved then I’m happy to go with that. These controls in my mind are good business practice. Furthermore, as you rightly pointed out with adequate ELCs in place such as good staffing we can safely avoid the situation of becoming an over controlled, cumbersome, inefficient working environment.
    It’s worrying to think that some auditors are taking a very conservative approach which can lead to a very counter productive environment for businesses to operate.
    I’m finding that there is a severe lack of consistency in how spreadsheets should be managed in line with SOX. I’ve been told to look at those regardless of whether they have an impact or not to the financial statements but because they are part of a key control on an operational level, therefore one should look at it as part of this spreadsheet testing.

  • Hi Guys,
    Have read through the posts… and have seen that the word ‘review’ is used quite often. Is that something we could use for SOX assignments?

  • Our approach to deal with spreadsheets is the following:

    1. We identify and document all critical processes for financial reporting. If spreadsheets are part of the process they are documented in our process flows.
      With that approach we eliminate the need to keep spreadsheets and other small office tools in a separate inventory.
    2. Each process is evaluated for the existence of business controls to ensure correctness and accuracy of the data transferred to the annual report (plausibility checks).
    3. If no business check is made for the data, IT controls apply.
      We found less than 50 spreadsheets which needed to apply IT controls, our auditor is satisfied, we do have very little additional workload because of small office applications.
      However, everything depends on your setup. We do have the luck that we do not really depend on spreadsheets but use a set of professionally managed applications for consolidation and reporting.

  • 😢
    I’m sorry to say that this is what is expected. I work for a leading Insurance Company in the UK and we will be auditing all ‘critical’ spreadsheets to ensure that they have been documented and that there are controls to manage changes and that they are tested before put into the production environment.
    Any spreadsheet that in some way contributes to the financial reporting of the company must be effectively signed off by the executive concerned.
    Kind regards

  • Hey, does anyone have another link to Richard’s PWC spreadsheet document… I cannot find it.
    I am looking at the controls around spreadsheets and databases and need a starting point, can anyone suggest any other articles of interest?
    I work for a bank and we have hundreds of spreadsheets.

  • Here is the link to the PWC whitepaper if that is what you are looking for -

  • I think my situation is relevant to this thread and I wanted to see if I could get some feedback?
    My company uses Excel spreadsheets for calculating non-standard pricing requests from our customers. If a customer of ours needs a lower price in order to complete a deal, Excel is used to calculate what the impact to our profit margin of that deal is in terms of %, total USD, etc… Currently Excel is used only as a calculation, communication, and decision-making device between sales department and the business decision makers.
    If the lower pricing is approved, the Excel file is then sent to another group who uses the data from it to make changes in the actual price-quote (which is in an enterprise level database). All aggregate financial reporting of what was sold to whom for how much comes from the database.
    Are there any compliance issues that stand out to anyone here? Any feedback at all is much appreciated.

  • There are no SOX compliance issues with this. Your risk is purely operational in that you could miscalculate your profit in the pricing and quote too high to get the sale or too low to make money on it.
    Any financial reporting risk comes after the sale when you record the sale and recognize the income from it. Now, if the spreadsheet is used somehow to calculate your cost of the item sold for financial reporting purposes, then you may have some risk if the spreadsheet is not properly reviewed and monitored for accurate formulas, input, etc.

  • Thanks Kymike. That is what I thought. I do believe the spreadsheet is used in some cases to calculate our costs. But this is limited to situations where we must purchase an item from a supply company that we do not normally warehouse ourselves. In which case, if there is an improper calculation, the supplier is quick to point it out and reject our purchase order. We then make the appropriate correction and resubmit.
    I am guessing this kind of natural ‘control’ is also compliant, am I right about that?

  • I am guessing this kind of natural ‘control’ is also compliant, am I right about that?
    Hi - Issues like this are subject to interpretation. Even things that are indirectly related to SOX compliancy might still be seen as needed sometimes.
    I’d suggest working directly with audit for the answer on this potential exposure related to financial risks. If it’s not too difficult, it’d be beneficial to err on the side of caution.
    As an IT person I may be wrong on this, as I’d recommend adding at least some controls for the following reasons:

    1. The supplier will most likely catch most billing discrepancies. However, what if they don’t have good systems or controls?
    2. For example, as long as they’re getting paid they may think it’s a partial or overpayment check and not always assume you’re paying the bill in full each time?
    3. What if you’re overpaying? Not all folks are ethical and they could at a minimum enjoy some ‘cash float’ for a few weeks or months. This is the exception rather than the rule, but it’s worth noting.
    4. I’ve seen enough billing errors in my 34 years of business experience to suggest it’s a good point to place better controls, reconciliation, and testing on this.
    5. At a minimum, I’d suggest capturing any occurrences from documentation standpoint. This way you’d know how much of a risk it truly is and whether it’s something that you need to go the next step on.
      The key point is you don’t want audit comments to go to the executives or board on failures to comply.
