Spreadsheets have become pervasive in most companies and have many uses. Those used in the financial reporting process are of most concern when assessing the effectiveness of internal controls over financial reporting, as mandated by Sarbanes-Oxley. Several steps are recommended to accomplish the needed assessment related to spreadsheets. First, establish the population of spreadsheets that are used in the company. Second, determine whether each spreadsheet is used in the financial reporting process. Next, identify the risk factors of each spreadsheet and grade the overall risk. Next, identify any compensating controls that reduce or mitigate the identified risks. Lastly, determine what remediation steps are necessary, if any, for the identified spreadsheets.
The beginning of the “top down” approach would be to identify all spreadsheets used by the organization in the financial reporting process. This would include financial reporting, plant accounting, treasury, tax and operations. This can be done at the department level by asking each department head or supervisor to create a list of all spreadsheets used with the following information:
• Location of the spreadsheet file
• Department using the spreadsheet
• Description of spreadsheet purpose
• Spreadsheet users that have access
Once the spreadsheet inventory has been completed, an assessment of spreadsheet use must be performed. The first step is to segregate the spreadsheets into categories. These categories may include financial, operational and analytical.
The spreadsheets that fall into the “financial” category will carry the most risk potential. These will include spreadsheets that:
• Support transactions or journal entries
• Compute financial statement disclosures
• Perform financial reporting controls
Operational and analytical spreadsheets may also be important depending on the organization. However, these generally are used for operational decisions rather than in the financial reporting process.
The financial spreadsheets (as well as any others that are significant to the financial reporting process) must be assessed for risk. Risk factors will include:
• Materiality of the affected account balance or disclosure
• Potential errors in downloaded data, such as an incomplete download or a download of incorrect data
• Whether the spreadsheet uses complex calculations, formulas or macros
• Number of individuals using the spreadsheet
• Size of the spreadsheet
• How well the spreadsheet is documented
Evaluate compensating controls for risk factors
Certain organizations have already put controls in place to reduce the risk of material financial reporting error related to spreadsheets. These controls must be evaluated in light of the risk factors noted above and, once again, a determination must be made as to the effectiveness of the compensating controls. Compensating controls may include:
• If applicable, control totals or logic controls are used to validate user input.
• A logic inspection of the spreadsheet by an independent party is performed and documented prior to spreadsheet use.
• Spreadsheets are protected against unauthorized changes.
• Spreadsheet versions are used and, before a new version is utilized, it is tested and approved.
• Access to the spreadsheet is limited to authorized users via network access limitations and/or use of spreadsheet passwords.
• Spreadsheet documentation is adequate and up to date.
Documentation of procedures
The spreadsheet inventory, description of use, risks and compensating controls should be summarized in a spreadsheet or workpaper. The documentation should also include your risk and control grades as well as a testing strategy for those spreadsheets that are deemed to have adequate compensating controls. Keep in mind that once a control has been identified, it still must be tested.
For those spreadsheets whose compensating controls are moderate to ineffective, there should be changes made to enhance the compensating controls. Excel supports many compensating controls.
Keep in mind that a spreadsheet may not be appropriate for high-risk accounts. In cases where the risk is high and the balance is material, migration to an application supported by information technology staff and a control environment may be warranted.