Current Authorities: Sarbox and Spreadsheets 1586



  • I’m writing a book about a new approach to Excel reporting, an approach that I think will address many Sarbox spreadsheet problems. But before I go too far out on a limb, I need to research what expert sources I can.
    I have the nine-page PWC whitepaper. Can anyone recommend other Sarbox information for spreadsheet users?
    Also, if you have a good understanding about this issue, would you contact me directly? I would like to ask some questions.
    Thanks.
    Charley Kyd
    ExcelUser.com



  • Hi Charley and welcome to the forums 🙂
    As a starting point, you might try the SEARCH function in the left top area and use the keyword ‘Excel’ … You’ll get several posts returned.
    Briefly, some of challenges of SOX compliancy include: complexity, versioning, testing controls, and change control (so that only authorized users change them). A key thread related to this need is highlighted below:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=222



  • Thanks, Harry.
    Several weeks ago I reviewed all of the ‘Excel’ and ‘spreadsheet’ material here that I could find. As a former CFO, it made me happy that I changed careers.
    There were several posts about ‘changing’ spreadsheets on the one hand and ‘locking them down’ on the other. But I saw nothing about what those terms mean. If March’s spreadsheet is updated to display June’s data, is that a ‘change’? A ‘new version’? Both? Neither?
    I suspect the answer is that, ‘It all depends.’
    Is it a ‘change’ when…
    …We run a new query for an existing PivotTable? (We could enter a query that returns incorrect results.)
    …We change the view for an existing PivotTable query? (New views of the data could be misinterpreted because of subtle errors in our report’s formulas.)
    …We write updated data to an Excel report from some Corporate data source? (We could ask for the wrong data. We could mess up the data when we sort or summarize it. We could enter stray numbers accidently in the data. We could grab the data two seconds before a last-minute journal entry.)
    …What if we update a spreadsheet database of GL data with this Quarter’s data? (The column could sum to zero, but the accounts could have changed, causing amounts in our database to be associated with incorrect GL accounts.)
    If our workbook is password protected, it’s possible that none of these alterations could take place. In which case, June’s report probably couldn’t be done in Excel.
    The PWC whitepaper looks like it was written by an IT manager who never liked spreadsheets in the first place, and now he can get his revenge.
    Can you cut through the legalistic clutter and summarize what people are actually doing, and not doing, to satisfy the Sarbox police?
    Thanks.
    Charley Kyd
    Microsoft Excel MVP
    ExcelUser.com



  • You’ve asked some good questions and folks use Excel in numerous ways … I’m more of an IT person and the key mission statement on SOX might provide some help.
    The overall guiding principle of SOX is to prevent companies from ‘cooking their books’ (e.g., Enron). Safeguards need to be in place to ensure there is no intentional or accidental misstatements of financial information. Thus when you have captured financial data in a system as flexibile and robust as Excel, and it’s part of the companies official financial records, every change must be tracked through versioning software to create an audit trail . In many companies, autonomy levels are setup where accountants update the latest financial information in test and then based on review by an approver, it is moved into production with both versioning and change management controls. Backups are also important.
    SOX related controls are only needed in cases where Excel spreadsheets are an official part of the companies records. Most of these would be managed by the Accounting, Treasurers, Finance, or other divisions.
    However, if you’re doing analysis with data using Excel, you can pivot/change information as desired – as long as it’s in a test mode and not part of the company’s official reporting process for financial information . I use Excel so extensively to analyze results that I may have to buy one of your books later 😉
    While IT systems track the primary results for a company, there might be unusual business agreements or activity that is tracked manually in separate spreadsheets for an unautomated area. If those figures will be a part of what’s ultimately reported to the SEC then you need SOX data management controls to ensure and preseve integrity.
    Finally, another important element is to sample and test controls related to these Excel spreadsheets if they are an integral part of the companies financial picture. Many auditors want all formulas documented and periodic testing of the accuracy of calculations and controls (usually quarterly).
    Hope some of these ideas from a summary level help 🙂



  • I think at the end of the day what you are trying to define would be the definition of a significant change as well as a non significant change.
    Updating data from January to February would be considered a non significant change unless you altered macros or formulas. Then it would be considered a non significant change.
    If you are working with an external auditing team, they should be able to help you draft language on the difference between the two and the procedures that differ as well.



  • Hi,
    Raymond R. Panko (panko_at_hawaii.edu) authored a comprehensive (44 pg) report on spreadsheets and SOX, ‘Spreadsheets and SarbanesOxley: Regulations, Risks, and Control Frameworks’. I believe that he is associated with the University of Hawaii.
    You might try writing Mr. Panko for his thoughts and feedback. Certainly, authoring an academic paper and publishing it in a recognized journal requires a good understanding and knowledge of the subject matter.
    Good luck,
    Milan


Log in to reply