SlideShare a Scribd company logo

Excel sox 404

M
m t

This document discusses considerations for evaluating controls over spreadsheets as part of complying with Section 404 of the Sarbanes-Oxley Act. It outlines a 5-step process: 1) inventorying spreadsheets, 2) evaluating their use and complexity, 3) determining necessary controls, 4) evaluating existing controls, and 5) developing remediation plans. Spreadsheets can range from simple to complex models and are prone to errors. Key controls include change control, access controls, documentation, testing, and segregation of duties. For significant accounts, complex spreadsheets may require migration to systems with stronger IT controls.

Technology
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking
Page 1 The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies. In developing and using spreadsheets, companies need to balance their ease and flexibility against the importance of reliable information for management’s use. The requirements under Section 404 of the Sarbanes-Oxley Act increase the focus on controls related to the development and maintenance of spreadsheets. This paper discusses the evaluation of the control environment and specific control activities that should be considered by management in evaluating the use of significant spreadsheets as part of their 404 process. As users of spreadsheet applications such as Microsoft Excel® or Lotus 1-2-3® have become more sophisticated, so have spreadsheets. Once used to support simple functions such as logging, tracking and totaling information, spreadsheets with enhanced formulas and built-in advanced features are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated—and sometimes convoluted—models and other business functions with minimal or no documentation. In addition, these complex spreadsheets are not normally supported by the same control environment as formally-developed, purchased applications. For example, the developers and users of spreadsheets are usually not trained in structured programming, testing, version control or systems development life cycles, and spreadsheets are rarely restricted from unauthorized access by security controls. Background Spreadsheets typically have a wide range of complexity and usage. It is important to separate the complexity and usage issues, as the control requirements may be different for a complex spreadsheet used by one person with specific expertise than for a spreadsheet used and modified by many people. Whatever the situation, companies need to carefully evaluate if it is possible to implement adequate controls over the spreadsheets supporting significant accounts and disclosures. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their financial results. Recently, several large companies have either publicly disclosed control deficiencies or been publicly censured by regulators related to insufficient spreadsheet controls. An article in the May 24, 2004 issue of Computer World indicated that, “Anecdotal evidence suggests that 20% to 40% of spreadsheets have errors, but recent audits of 54 spreadsheets found that 49 (or 91%) had errors, according to research by Raymond R. Panko, a professor at the University of Hawaii.” The Journal of Property Management on July 1, 2002 stated, “30 to 90 percent of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100 percent.” Perform an online search for spreadsheet errors or spreadsheet audit, and you will find a number of major failures attributed to spreadsheet inaccuracies that hit the press in the past year alone. A spreadsheet error at a major financial institution was deemed a significant factor in a $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process—an unapproved change to a formula within the spreadsheet—and other control deficiencies, including lack of technical and user documentation, insufficient testing and inadequate backup and recovery procedures.
Page 2 Even seemingly simple calculations may present the risk of a misstatement. Macros (symbols, names or keys that represent a list of commands, actions or keystrokes) or other functions embedded into spreadsheets may drastically impact the functioning of the spreadsheet. For example, a macro embedded into a spreadsheet designed to total invoices for recording an accounts receivable balance may add unsupported amounts to the balance. Visual review of the spreadsheet would probably not identify the error, and analytical review would also not identify the error if the macro is consistently present across the periods under review. Controls that may help mitigate these risks include access controls that limit which employees may view and update the spreadsheet, recalculation of key spreadsheet metrics and comparison to calculated values, and detail review and testing of calculations embedded in the spreadsheet. The use of spreadsheets—and, more importantly, the lack of controls over spreadsheets—has been a contributing factor in financial reporting errors at a number of companies. The examples included here highlight the importance of understanding how spreadsheets are used in a company’s financial reporting process and evaluating the controls over spreadsheets as part of the company’s overall Section 404 process. How Are Companies Using Spreadsheets? To assess how companies are using spreadsheets, it is helpful to categorize both the uses and complexity of spreadsheets. The uses of information contained in spreadsheets can be grouped into the following categories: Operational: Spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as a listing of open claims, unpaid invoices and other information that previously would have been retained in manual, paper file folders. These may be used to monitor and control that financial transactions are captured accurately and completely. Analytical/Management Information: Spreadsheets used to support analytical review and management decision-making. These may be used to evaluate the reasonableness of financial amounts. Financial: Spreadsheets used to directly determine financial statement transaction amounts or balances that are populated into the general ledger and/or financial statements. The complexity of spreadsheets may be categorized in the following manner: Low: Spreadsheets which serve as an electronic logging and information tracking system. Moderate: Spreadsheets which perform simple calculations such as using formulas to total certain fields or calculate new values by multiplying two cells. These spreadsheets can be used as methods to translate or reformat information, often for analytical review and analysis, for recording journal entries or for making a financial statement disclosure. High: Spreadsheets which support complex calculations, valuations and modeling tools. These spreadsheets are typically characterized by the use of macros and multiple supporting spreadsheets where cells, values and individual spreadsheets are linked. These spreadsheets might be considered “applications” (i.e., software programs) in their own right. They often are used to determine transaction amounts or as the basis for journal entries into the general ledger or financial statement disclosures. A trader at a bank was able to perpetrate fraud through manipulation of spreadsheet models used by the bank’s risk control staff. While an independent check of the trader’s activities and Value at Risk (VaR) was supposed to be conducted by the bank’s risk control staff, instead a spreadsheet was relied upon that obtained information from the trader’s personal computer which included figures for transactions that were not real. Because of inadequate controls over the spreadsheet, this fraud continued for months. A utilities company took a $24 million charge to earnings after a spreadsheet error—a simple mistake in cutting and pasting—resulted in an erroneous bid for the purchase of hedging contracts at a higher price than it wanted to pay.
Page 3 The importance of the integrity and reliability of the information generated by spreadsheets increases as the complexity progresses from low to high and as usage increases. This assessment should dictate the strength of the control environment surrounding each spreadsheet. Potential Risks and Issues with Spreadsheets When evaluating the risk and significance of potential spreadsheet issues, consider the following: Complexity of the spreadsheet and calculations Purpose and use of the spreadsheet Number of spreadsheet users Type of potential input, logic, and interface errors Size of the spreadsheet Degree of understanding and documentation of the spreadsheet requirements by the developer Uses of the spreadsheet’s output Frequency and extent of changes and modifications to the spreadsheet Development, developer (and training) and testing of the spreadsheet before it is utilized Because spreadsheets can be easily changed and may lack certain control activities, they are subject to increased inherent risk and error. Some of the typical errors that occur in spreadsheets include: Input error: Errors that arise from flawed data entry, inaccurate referencing or other simple cut-and-paste functions. Logic error: Errors in which inappropriate formulas are created and generate improper results. Interface errors: Errors from the import or export of data with other systems. Other errors: Errors include inappropriate definition of cell ranges, inappropriately referenced cells or improperly linked spreadsheets.
Page 4 Practical Steps for Evaluating Spreadsheet Controls Implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404. There are five high-level steps to implementing such a process: 1. Inventory spreadsheets 2. Evaluate the use and complexity of spreadsheets 3. Determine the necessary level of controls for “key” spreadsheets 4. Evaluate existing “as is” controls for each spreadsheet 5. Develop action plans for remediating control deficiencies 1. Inventory Spreadsheets The first step is to inventory all spreadsheets within the organization that are used to support significant financial processes. It is important to identify how the spreadsheets support all significant accounts and financial statement disclosures and their relationship to relevant financial statement assertions. All departments utilizing spreadsheets should be evaluated, including, but not limited to, financial reporting, plant/cost accounting, tax, actuarial and operations. The inventory should include: Name of the spreadsheet Brief description of the spreadsheet and the financial amounts calculated Department responsible for the “development” as well as any other departments that utilize the spreadsheet Frequency and extent of changes to the spreadsheet This step is critical to ensuring that the population of spreadsheets in use within the organization is defined and subjected to evaluation. 2. Evaluate the Use and Complexity of Spreadsheets After the inventory, it is necessary to evaluate the use and complexity of each spreadsheet. This involves determining a spreadsheet’s category of uses (operational, analytical and financial) and then assigning and documenting a level of complexity (low, moderate or high) based upon the factors discussed above. 3. Determine the Necessary Level of Controls for the Spreadsheet The appropriate combination of the following controls should be considered to help mitigate the risks inherent in a spreadsheet environment: a) Change Control – Maintaining a controlled process for requesting changes to a spreadsheet, making changes and then testing the spreadsheet and obtaining formal sign-off from an independent individual that the change is functioning as intended. b) Version Control – Ensuring only current and approved versions of spreadsheets are being used by creating naming conventions and directory structures.
Page 5 c) Access Control (e.g., Create, Read, Update, Delete) – Limiting access at the file level to spreadsheets on a central server and assigning appropriate rights. Spreadsheets can also be password protected to restrict access. d) Input Control – Ensuring that reconciliations occur to make sure that data is inputted completely and accurately. Data may be inputted into spreadsheets manually or systematically through downloads. e) Security and Integrity of Data – Implementing a process to ensure that data embedded in spreadsheets is current and secure. This can be done by “locking” or protecting cells to prevent inadvertent or intentional changes to standing data. In addition, the spreadsheets themselves should be stored in protected directories. f) Documentation – Ensuring that the appropriate level of spreadsheet documentation is maintained and kept up-to-date to understand the business objective and specific functions of the spreadsheet. g) Development Lifecycle – Applying a standard Software Development Life Cycle to the development process of the more critical and complex spreadsheets covering standard phases: requirements specification, design, building, testing and maintenance. Testing is a critical control to ensure that the spreadsheet is producing accurate and complete results. h) Back-ups – Implementing a process to back up spreadsheets on a regular basis so that complete and accurate information is available for financial reporting. i) Archiving – Maintaining historical files no longer available for update in a segregated drive and locking them as “read only.” j) Logic Inspection – Inspecting the logic in critical spreadsheets by someone other than the user or developer of the spreadsheet. This review should be formally documented. k) Segregation of Duties/Roles and Procedures – Defining and implementing roles, authorities, responsibilities and procedures for issues such as ownership, sign-off, segregation of duties and usage. l) Overall Analytics – Implementing analytics as a detective control to find errors in spreadsheets used for calculations. However, analytics alone are not a sufficient control to completely address the inherent risk of financial amounts generated using spreadsheets. The level of controls implemented should be considered relative to the spreadsheet’s use, complexity and required reliability of the information. Even for spreadsheets categorized as low in complexity and importance, control-types (a) through (e) above should generally be in place. Standard manual controls and processes, such as those described above, can be used to help mitigate the risks associated with spreadsheets. However, as the importance of the information being generated by a spreadsheet increases and the complexity increases, reliance on manual controls and processes may not be sufficient to satisfy the requirements under Sarbanes-Oxley Section 404. For more significant amounts and/or spreadsheets with higher complexity, it may be very difficult to achieve an adequate level of control without migrating these functions to an application system with a more formalized information technology controls environment. 4. Evaluate Existing “As Is” Controls for Each Spreadsheet Evaluation of existing controls is typically done by comparing the existing spreadsheet controls against a checklist of “necessary” controls, such as those listed above, based upon the use and complexity of the spreadsheet. In addition, management must develop and execute a test plan to ensure that the controls operate effectively. Any gaps between existing and “necessary” controls should be identified as remediation items as well as any gaps in operating effectiveness.
Page 6 Spreadsheets used as part of their financial reporting process should be treated as manual processes and tested accordingly. Examples include: A company can maintain two copies of a spreadsheet, with changes made to both spreadsheets by separate individuals and the results compared. A company can use cell protection to restrict access to a spreadsheet, and management can test a sample of cells to ensure passwords are assigned for their protection. A company can employ standard naming conventions to ensure the use of the current spreadsheet version, and management can inspect a sample of spreadsheets to confirm that they follow the standard naming convention. If the standard naming convention requires that the spreadsheet name include the date and time of the modification, management would test that the spreadsheet name corresponds to the modification date. 5. Develop Action Plans for Remediating Control Deficiencies An action plan should be developed for each control gap identified. These action plans should increase the controls over the spreadsheet to the necessary controls based upon the use and complexity of the spreadsheet. Key elements of an action plan include: Assigning responsibility for actions in plan Establishing required remediation dates Prioritizing remediation efforts For complex spreadsheets that support significant accounts and disclosures, consider whether these “systems” should be migrated to production processing environments to provide an adequate level of control. Given the potentially large number of remediation items relating to spreadsheet controls, it is recommended that these efforts start with high priority items, defined as items related to financial spreadsheets containing complex calculations which support significant accounts and disclosures. Summary Many companies rely on spreadsheets as a key component in their financial reporting and operational processes. However, it is clear that the flexibility of spreadsheets has sometimes come at a cost. It is important that management identify where control breakdowns could lead to potential material misstatements and that controls for significant spreadsheets be documented, evaluated and tested. And, perhaps more importantly, management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to sufficiently mitigate this risk, or if spreadsheets related to significant accounts or with higher complexity should be migrated to an application system with a more formalized information technology control environment. Understanding how spreadsheets are used and the adequacy of related controls is a critical part of management’s assessment of the effectiveness of its internal control over financial reporting under Section 404.
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. CI-CI-05-0076-A © 2004 PricewaterhouseCoopers LLP. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
us.pwc.com

More Related Content

PDF
Pw Cwp Spreadsheet404 Sarbox
greghawes
 
PDF
Features of a World-Class Safety System
Perficient, Inc.
 
PPTX
[DF2U] Deep Dive into Salesforce.com Reporting, Analytics, and Dashboard
Joshua Hoskins
 
PDF
Validation of excel spreadsheets
Digital-360
 
PPTX
Reports and dashboards @salesforce
Kapil Kumar Patle
 
PPT
Building Reports That Fly
Salesforce Developers
 
PDF
Oracle argus safety data sheet
Heather Bettis
 
PDF
How Oracle Argus Safety 8.x Supports Product Safety Needs
Perficient, Inc.
 
Pw Cwp Spreadsheet404 Sarbox
greghawes
 
Features of a World-Class Safety System
Perficient, Inc.
 
[DF2U] Deep Dive into Salesforce.com Reporting, Analytics, and Dashboard
Joshua Hoskins
 
Validation of excel spreadsheets
Digital-360
 
Reports and dashboards @salesforce
Kapil Kumar Patle
 
Building Reports That Fly
Salesforce Developers
 
Oracle argus safety data sheet
Heather Bettis
 
How Oracle Argus Safety 8.x Supports Product Safety Needs
Perficient, Inc.
 

What's hot (6)

PDF
Performance Management Using Audit Trail
Blackbaud
 
DOCX
Web based quality management system
selinasimpson361
 
PPTX
isritechnologies
isri technologies
 
PDF
Getting Started with Visualforce
Rati Sharma
 
PDF
Solidcore Report catalog
Raj Rajamani
 
PPT
L02 navigate
Naresh Kumar SAHU
 
Performance Management Using Audit Trail
Blackbaud
 
Web based quality management system
selinasimpson361
 
isritechnologies
isri technologies
 
Getting Started with Visualforce
Rati Sharma
 
Solidcore Report catalog
Raj Rajamani
 
L02 navigate
Naresh Kumar SAHU
 
Ad

Similar to Excel sox 404 (20)

PDF
eBook Spreadsheet to WebAPP
Abhishek Ranjan
 
PPT
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
PPT
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
renetta
 
PPT
Technology Controls in Business - End User Computing
guestc1bca2
 
PPT
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
gueste080564
 
PDF
What is the relationship between Accounting and an Accounting inform.pdf
annikasarees
 
PDF
Accounting Information Systems 14Th Edition Romney Solutions Manual
Jose Katab
 
DOCX
Quality management in projects
selinasimpson311
 
PDF
Download ebooks file Guide to Data Analytics Aicpa all chapters
rhajaesuntha
 
PPTX
Internal controls over excel and other user directed aps[feb4.10
Marc Engel
 
PDF
Download full ebook of Guide to Data Analytics Aicpa instant download pdf
ulvphvd2681
 
PDF
Bridging the cost schedule divide - integrating primavera and cost systems wh...
p6academy
 
PDF
Spreadsheet Management with the new Microsoft Office
David J Rosenthal
 
DOCX
Running head The REA Approach1The REA Approach8The REA Approa.docx
todd521
 
PPTX
Computer aided audit techniques (CAAT) sourav mathur
sourav mathur
 
PDF
UX Design to Improve User Productivity in Healthcare Registries
CitiusTech
 
PPTX
CAAT ppt.pptx (Computer Asstt. Technique)
rkhasua004
 
DOCX
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
PDF
The Ideal A/R Dashboard: 5 Reporting Dashboards Required for Every Credit and...
WilliamJames346254
 
DOCX
Artikel
Wawan Kurniadi
 
eBook Spreadsheet to WebAPP
Abhishek Ranjan
 
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
renetta
 
Technology Controls in Business - End User Computing
guestc1bca2
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
gueste080564
 
What is the relationship between Accounting and an Accounting inform.pdf
annikasarees
 
Accounting Information Systems 14Th Edition Romney Solutions Manual
Jose Katab
 
Quality management in projects
selinasimpson311
 
Download ebooks file Guide to Data Analytics Aicpa all chapters
rhajaesuntha
 
Internal controls over excel and other user directed aps[feb4.10
Marc Engel
 
Download full ebook of Guide to Data Analytics Aicpa instant download pdf
ulvphvd2681
 
Bridging the cost schedule divide - integrating primavera and cost systems wh...
p6academy
 
Spreadsheet Management with the new Microsoft Office
David J Rosenthal
 
Running head The REA Approach1The REA Approach8The REA Approa.docx
todd521
 
Computer aided audit techniques (CAAT) sourav mathur
sourav mathur
 
UX Design to Improve User Productivity in Healthcare Registries
CitiusTech
 
CAAT ppt.pptx (Computer Asstt. Technique)
rkhasua004
 
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
The Ideal A/R Dashboard: 5 Reporting Dashboards Required for Every Credit and...
WilliamJames346254
 
Artikel
Wawan Kurniadi
 
Ad

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 

Excel sox 404

  • 1. The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking
  • 2. Page 1 The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies. In developing and using spreadsheets, companies need to balance their ease and flexibility against the importance of reliable information for management’s use. The requirements under Section 404 of the Sarbanes-Oxley Act increase the focus on controls related to the development and maintenance of spreadsheets. This paper discusses the evaluation of the control environment and specific control activities that should be considered by management in evaluating the use of significant spreadsheets as part of their 404 process. As users of spreadsheet applications such as Microsoft Excel® or Lotus 1-2-3® have become more sophisticated, so have spreadsheets. Once used to support simple functions such as logging, tracking and totaling information, spreadsheets with enhanced formulas and built-in advanced features are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated—and sometimes convoluted—models and other business functions with minimal or no documentation. In addition, these complex spreadsheets are not normally supported by the same control environment as formally-developed, purchased applications. For example, the developers and users of spreadsheets are usually not trained in structured programming, testing, version control or systems development life cycles, and spreadsheets are rarely restricted from unauthorized access by security controls. Background Spreadsheets typically have a wide range of complexity and usage. It is important to separate the complexity and usage issues, as the control requirements may be different for a complex spreadsheet used by one person with specific expertise than for a spreadsheet used and modified by many people. Whatever the situation, companies need to carefully evaluate if it is possible to implement adequate controls over the spreadsheets supporting significant accounts and disclosures. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their financial results. Recently, several large companies have either publicly disclosed control deficiencies or been publicly censured by regulators related to insufficient spreadsheet controls. An article in the May 24, 2004 issue of Computer World indicated that, “Anecdotal evidence suggests that 20% to 40% of spreadsheets have errors, but recent audits of 54 spreadsheets found that 49 (or 91%) had errors, according to research by Raymond R. Panko, a professor at the University of Hawaii.” The Journal of Property Management on July 1, 2002 stated, “30 to 90 percent of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100 percent.” Perform an online search for spreadsheet errors or spreadsheet audit, and you will find a number of major failures attributed to spreadsheet inaccuracies that hit the press in the past year alone. A spreadsheet error at a major financial institution was deemed a significant factor in a $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process—an unapproved change to a formula within the spreadsheet—and other control deficiencies, including lack of technical and user documentation, insufficient testing and inadequate backup and recovery procedures.
  • 3. Page 2 Even seemingly simple calculations may present the risk of a misstatement. Macros (symbols, names or keys that represent a list of commands, actions or keystrokes) or other functions embedded into spreadsheets may drastically impact the functioning of the spreadsheet. For example, a macro embedded into a spreadsheet designed to total invoices for recording an accounts receivable balance may add unsupported amounts to the balance. Visual review of the spreadsheet would probably not identify the error, and analytical review would also not identify the error if the macro is consistently present across the periods under review. Controls that may help mitigate these risks include access controls that limit which employees may view and update the spreadsheet, recalculation of key spreadsheet metrics and comparison to calculated values, and detail review and testing of calculations embedded in the spreadsheet. The use of spreadsheets—and, more importantly, the lack of controls over spreadsheets—has been a contributing factor in financial reporting errors at a number of companies. The examples included here highlight the importance of understanding how spreadsheets are used in a company’s financial reporting process and evaluating the controls over spreadsheets as part of the company’s overall Section 404 process. How Are Companies Using Spreadsheets? To assess how companies are using spreadsheets, it is helpful to categorize both the uses and complexity of spreadsheets. The uses of information contained in spreadsheets can be grouped into the following categories: Operational: Spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as a listing of open claims, unpaid invoices and other information that previously would have been retained in manual, paper file folders. These may be used to monitor and control that financial transactions are captured accurately and completely. Analytical/Management Information: Spreadsheets used to support analytical review and management decision-making. These may be used to evaluate the reasonableness of financial amounts. Financial: Spreadsheets used to directly determine financial statement transaction amounts or balances that are populated into the general ledger and/or financial statements. The complexity of spreadsheets may be categorized in the following manner: Low: Spreadsheets which serve as an electronic logging and information tracking system. Moderate: Spreadsheets which perform simple calculations such as using formulas to total certain fields or calculate new values by multiplying two cells. These spreadsheets can be used as methods to translate or reformat information, often for analytical review and analysis, for recording journal entries or for making a financial statement disclosure. High: Spreadsheets which support complex calculations, valuations and modeling tools. These spreadsheets are typically characterized by the use of macros and multiple supporting spreadsheets where cells, values and individual spreadsheets are linked. These spreadsheets might be considered “applications” (i.e., software programs) in their own right. They often are used to determine transaction amounts or as the basis for journal entries into the general ledger or financial statement disclosures. A trader at a bank was able to perpetrate fraud through manipulation of spreadsheet models used by the bank’s risk control staff. While an independent check of the trader’s activities and Value at Risk (VaR) was supposed to be conducted by the bank’s risk control staff, instead a spreadsheet was relied upon that obtained information from the trader’s personal computer which included figures for transactions that were not real. Because of inadequate controls over the spreadsheet, this fraud continued for months. A utilities company took a $24 million charge to earnings after a spreadsheet error—a simple mistake in cutting and pasting—resulted in an erroneous bid for the purchase of hedging contracts at a higher price than it wanted to pay.
  • 4. Page 3 The importance of the integrity and reliability of the information generated by spreadsheets increases as the complexity progresses from low to high and as usage increases. This assessment should dictate the strength of the control environment surrounding each spreadsheet. Potential Risks and Issues with Spreadsheets When evaluating the risk and significance of potential spreadsheet issues, consider the following: Complexity of the spreadsheet and calculations Purpose and use of the spreadsheet Number of spreadsheet users Type of potential input, logic, and interface errors Size of the spreadsheet Degree of understanding and documentation of the spreadsheet requirements by the developer Uses of the spreadsheet’s output Frequency and extent of changes and modifications to the spreadsheet Development, developer (and training) and testing of the spreadsheet before it is utilized Because spreadsheets can be easily changed and may lack certain control activities, they are subject to increased inherent risk and error. Some of the typical errors that occur in spreadsheets include: Input error: Errors that arise from flawed data entry, inaccurate referencing or other simple cut-and-paste functions. Logic error: Errors in which inappropriate formulas are created and generate improper results. Interface errors: Errors from the import or export of data with other systems. Other errors: Errors include inappropriate definition of cell ranges, inappropriately referenced cells or improperly linked spreadsheets.
  • 5. Page 4 Practical Steps for Evaluating Spreadsheet Controls Implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404. There are five high-level steps to implementing such a process: 1. Inventory spreadsheets 2. Evaluate the use and complexity of spreadsheets 3. Determine the necessary level of controls for “key” spreadsheets 4. Evaluate existing “as is” controls for each spreadsheet 5. Develop action plans for remediating control deficiencies 1. Inventory Spreadsheets The first step is to inventory all spreadsheets within the organization that are used to support significant financial processes. It is important to identify how the spreadsheets support all significant accounts and financial statement disclosures and their relationship to relevant financial statement assertions. All departments utilizing spreadsheets should be evaluated, including, but not limited to, financial reporting, plant/cost accounting, tax, actuarial and operations. The inventory should include: Name of the spreadsheet Brief description of the spreadsheet and the financial amounts calculated Department responsible for the “development” as well as any other departments that utilize the spreadsheet Frequency and extent of changes to the spreadsheet This step is critical to ensuring that the population of spreadsheets in use within the organization is defined and subjected to evaluation. 2. Evaluate the Use and Complexity of Spreadsheets After the inventory, it is necessary to evaluate the use and complexity of each spreadsheet. This involves determining a spreadsheet’s category of uses (operational, analytical and financial) and then assigning and documenting a level of complexity (low, moderate or high) based upon the factors discussed above. 3. Determine the Necessary Level of Controls for the Spreadsheet The appropriate combination of the following controls should be considered to help mitigate the risks inherent in a spreadsheet environment: a) Change Control – Maintaining a controlled process for requesting changes to a spreadsheet, making changes and then testing the spreadsheet and obtaining formal sign-off from an independent individual that the change is functioning as intended. b) Version Control – Ensuring only current and approved versions of spreadsheets are being used by creating naming conventions and directory structures.
  • 6. Page 5 c) Access Control (e.g., Create, Read, Update, Delete) – Limiting access at the file level to spreadsheets on a central server and assigning appropriate rights. Spreadsheets can also be password protected to restrict access. d) Input Control – Ensuring that reconciliations occur to make sure that data is inputted completely and accurately. Data may be inputted into spreadsheets manually or systematically through downloads. e) Security and Integrity of Data – Implementing a process to ensure that data embedded in spreadsheets is current and secure. This can be done by “locking” or protecting cells to prevent inadvertent or intentional changes to standing data. In addition, the spreadsheets themselves should be stored in protected directories. f) Documentation – Ensuring that the appropriate level of spreadsheet documentation is maintained and kept up-to-date to understand the business objective and specific functions of the spreadsheet. g) Development Lifecycle – Applying a standard Software Development Life Cycle to the development process of the more critical and complex spreadsheets covering standard phases: requirements specification, design, building, testing and maintenance. Testing is a critical control to ensure that the spreadsheet is producing accurate and complete results. h) Back-ups – Implementing a process to back up spreadsheets on a regular basis so that complete and accurate information is available for financial reporting. i) Archiving – Maintaining historical files no longer available for update in a segregated drive and locking them as “read only.” j) Logic Inspection – Inspecting the logic in critical spreadsheets by someone other than the user or developer of the spreadsheet. This review should be formally documented. k) Segregation of Duties/Roles and Procedures – Defining and implementing roles, authorities, responsibilities and procedures for issues such as ownership, sign-off, segregation of duties and usage. l) Overall Analytics – Implementing analytics as a detective control to find errors in spreadsheets used for calculations. However, analytics alone are not a sufficient control to completely address the inherent risk of financial amounts generated using spreadsheets. The level of controls implemented should be considered relative to the spreadsheet’s use, complexity and required reliability of the information. Even for spreadsheets categorized as low in complexity and importance, control-types (a) through (e) above should generally be in place. Standard manual controls and processes, such as those described above, can be used to help mitigate the risks associated with spreadsheets. However, as the importance of the information being generated by a spreadsheet increases and the complexity increases, reliance on manual controls and processes may not be sufficient to satisfy the requirements under Sarbanes-Oxley Section 404. For more significant amounts and/or spreadsheets with higher complexity, it may be very difficult to achieve an adequate level of control without migrating these functions to an application system with a more formalized information technology controls environment. 4. Evaluate Existing “As Is” Controls for Each Spreadsheet Evaluation of existing controls is typically done by comparing the existing spreadsheet controls against a checklist of “necessary” controls, such as those listed above, based upon the use and complexity of the spreadsheet. In addition, management must develop and execute a test plan to ensure that the controls operate effectively. Any gaps between existing and “necessary” controls should be identified as remediation items as well as any gaps in operating effectiveness.
  • 7. Page 6 Spreadsheets used as part of their financial reporting process should be treated as manual processes and tested accordingly. Examples include: A company can maintain two copies of a spreadsheet, with changes made to both spreadsheets by separate individuals and the results compared. A company can use cell protection to restrict access to a spreadsheet, and management can test a sample of cells to ensure passwords are assigned for their protection. A company can employ standard naming conventions to ensure the use of the current spreadsheet version, and management can inspect a sample of spreadsheets to confirm that they follow the standard naming convention. If the standard naming convention requires that the spreadsheet name include the date and time of the modification, management would test that the spreadsheet name corresponds to the modification date. 5. Develop Action Plans for Remediating Control Deficiencies An action plan should be developed for each control gap identified. These action plans should increase the controls over the spreadsheet to the necessary controls based upon the use and complexity of the spreadsheet. Key elements of an action plan include: Assigning responsibility for actions in plan Establishing required remediation dates Prioritizing remediation efforts For complex spreadsheets that support significant accounts and disclosures, consider whether these “systems” should be migrated to production processing environments to provide an adequate level of control. Given the potentially large number of remediation items relating to spreadsheet controls, it is recommended that these efforts start with high priority items, defined as items related to financial spreadsheets containing complex calculations which support significant accounts and disclosures. Summary Many companies rely on spreadsheets as a key component in their financial reporting and operational processes. However, it is clear that the flexibility of spreadsheets has sometimes come at a cost. It is important that management identify where control breakdowns could lead to potential material misstatements and that controls for significant spreadsheets be documented, evaluated and tested. And, perhaps more importantly, management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to sufficiently mitigate this risk, or if spreadsheets related to significant accounts or with higher complexity should be migrated to an application system with a more formalized information technology control environment. Understanding how spreadsheets are used and the adequacy of related controls is a critical part of management’s assessment of the effectiveness of its internal control over financial reporting under Section 404.
  • 8. PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. CI-CI-05-0076-A © 2004 PricewaterhouseCoopers LLP. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.