Spreadsheet controls - in terms of testing

  • I did a search on the forums and read through the relevant posts, and most of the discussions were a few years old. When the spreadsheet controls issue was a new topic, there was the ‘infamous’ PwC whitepaper and companies scrambled to take inventory of their spreadsheets and perhaps proceeded with full-blown testing of such. I am wondering what companies actually do these days to satisfy their control environment, now that SOX is quite a few years old, and the topic of spreadsheet controls is not new any more.
    Does your company actually have a separate set of testing on spreadsheets, treating them like mini-applications? Or does your company take the approach that any spreadsheets critical to financial reporting, as covered by SOX, would have been included in the key controls, which are in turn tested for effectiveness?
    We are taking the approach that when the appropriate managers review these spreadsheets/analyses that would directly or indirectly result in entries in the financial statements, they would critically review the analyses before signing off. Hence, if there were errors on the spreadsheet, it becomes an ineffective control related to that process.
    Could you share what you do?

  • Each of our cycles has one or more control activities in their SOX documentation related to the identification, documentation, security, change control and periodic validation of critical spreadsheets (if the cycle relies on critical spreadsheets). When we perform either self assessments or independent testing of our SOX controls (by internal audit), the critical spreadsheet controls are subject to testing just as any other control activity. So, to answer your question, we don’t do a separate audit just around spreadsheets, but we do include critical spreadsheet controls in our annual testing. One of the companies that we benchmark with had a >USD20M spreadsheet error last year which resulted in an SD, so we really have tried to keep our guard up in this area.

