This is based on an EBook Joe Helstrom, CPA wrote for CPASelfstudy.com entitled Spreadsheet Controls Under Sarbanes-Oxley Section 404
Spreadsheet Controls
Spreadsheets have become pervasive in most companies and have many uses. Those that are used in the financial reporting process are of most concern to the assessment of the effectiveness of internal controls over financial reporting mandated by Sarbanes-Oxley. Several steps are recommended to accomplish the needed assessment related to spreadsheets. The first would be to get a handle on the population of spreadsheets that are used in the company. Secondly, determine whether the spreadsheet is used in the financial reporting process. Next, identify risk factors of the spreadsheet and grade the overall risk. Next, identify any compensating controls that reduce or mitigate the identified risks. Lastly, determine what remediation steps are necessary, if any, for the identified spreadsheets.
It should be noted that a high risk spreadsheet used in financial reporting, even with compensating controls, may not be able to achieve an adequate level of control in a spreadsheet environment. It may be necessary to migrate the process to an application where the information technology controls are developed and maintained by the information technology function.
Inventory all spreadsheets
The beginning of the “top down” approach would be to identify all spreadsheets used by the organization in the financial reporting process. This would include financial reporting, plant accounting, treasury, tax and operations. This can be done at the department level by asking each department head or supervisor to create a list of all spreadsheets used with the following information:
•
Spreadsheet name
• Location of the spreadsheet file
• Department using the spreadsheet
• Description of spreadsheet purpose
• Spreadsheet users that have access
In addition to the above, the IT staff can be enlisted to query the company’s networks for spreadsheet files. This will help ensure that the inventory is complete.
Determine how current spreadsheets are being used
Once the spreadsheet inventory has been completed, an assessment of spreadsheet use must be performed. The first step is to segregate the spreadsheets into categories. These categories may include financial, operational and analytical.
The spreadsheets that fall into the “financial” category will carry the most risk potential. These will include spreadsheets that:
•
Validate account balances
• Support transactions or journal entries
• Compute financial statement disclosures
• Perform financial reporting controls
Operational and analytical spreadsheets may also be important depending on the organization. However, these generally are used for operational decisions rather than in the financial reporting process.
Determine the risk factors of the spreadsheet
The financial spreadsheets (as well as any others that are significant to the financial reporting process), must be assessed for risk. Risk factors will include:
•
The use of the spreadsheet and the use of the spreadsheet output
• Materiality of the affected account balance or disclosure
• Potential errors in downloaded data such as an incomplete download or a download of incorrect data.
• Whether the spreadsheet uses complex calculations, formulas or macros.
• Number of individuals using the spreadsheet
• Size of the spreadsheet
• How well the spreadsheet is documented
These risk factors must be assessed along with the use of the spreadsheet and a risk rating should be assigned. As an example, a spreadsheet that is used for financial reporting disclosure, uses downloaded data, contains complex calculations and is used by a number of people would have a high risk rating. A similar spreadsheet used solely for analytical purposes would likely carry a moderate to low risk. Additionally, a spreadsheet that is used for a key financial control would likely carry a higher risk rating than one that is used to provide a list of documents. This is a subjective determination. It must be well documented so that a reviewer can assess the conclusions drawn by the company.
Evaluate compensating controls for risk factors
Certain organizations have already put controls in place to reduce the risk of material financial reporting error related to spreadsheets. These controls must be evaluated in light of the risk factors noted above and, once again, a determination must be made as to the effectiveness of the compensating controls. Compensating controls may include:
•
Downloaded data has control totals that are compared the source data and validated by the user.
• If applicable, control totals or logic controls are used to validate user input.
• A logic inspection of the spreadsheet by an independent party is performed and documented prior to spreadsheet use.
• Spreadsheets are protected against unauthorized changes.
• Spreadsheet versions are used and, before a new version is utilized, it is tested and approved.
• Access to the spreadsheet is limited to authorized users via network access limitations and/or use of spreadsheet passwords.
• Spreadsheet documentation is adequate and up to date.
Once again, a determination must be made as to the adequacy of compensating controls. This can be a grade of either “Good”, “Moderate” or “Ineffective”. It is also a subjective determination.
Documentation of procedures
The spreadsheet inventory, description of use, risks and compensating controls should be summarized in a spreadsheet or workpaper. The documentation should also include your risk and control grades as well as a testing strategy for those spreadsheets that are deemed to have adequate compensating controls. Keep in mind that once a control has been identified, it still must be tested.
Remediation
For those spreadsheets whose compensating controls are moderate to ineffective, there should be changes made to enhance the compensating controls. Excel supports many compensating controls.
Keep in mind that a spreadsheet may not be appropriate for high risk accounts. In cases where the risk is high and the balance is material, migration to an application supported by information technology staff and control environment may be warranted.