SlideShare a Scribd company logo

Internal controls over excel and other user directed aps[feb4.10

Download as PPTX, PDF
M
Marc Engel

The document discusses the internal controls required for Excel and other user-directed applications in compliance with SOX, emphasizing the need to assess risks and implement controls to prevent fraud and errors. Key points include risk assessment, limited access, change controls, and monitoring to ensure spreadsheet integrity and compliance. It highlights best practices, including maintaining a spreadsheet inventory, designing reliable sheets, and establishing robust procedures for access and changes.

Investor Relations
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Internal Controls over Excel and other User Directed Applications in a SOX Environment Marc Engel, CPA, CISA, CBA, CFE Director, CFO Consulting Partners LLC mengel@cfoconsultingpartners.com Marc.engelcpa@gmail.com 973-953-8569 Presented February 4, 2010 to the Litigation Services Committee of the NYSSCPA
Key Discussion Points • Topics: • (1)_Overview of Excel risks as part of the risk assessment • (2)_Risks of fraud and errors; best practices to prevent and detect them • (3)_Applying Change controls to Excel Objective: Consider the risks involved in controlling spreadsheets and other user directed applications. Discuss controls that can be easily implemented to meet SOX requirements for risk analysis, and establishing effective controls.
Excel Risks as Part of the Risk Analysis • Background • Many companies not previously subject to SOX are required to comply in their current fiscal year. • This includes non-accelerated filers and smaller reporting companies. Existing companies that are SOX compliant should now be compliant for their primary computer systems and applications. • However, many of these companies may need to tighten controls over applications such as Excel. • These are often used in accounting and finance departments to generate calculations or support for • journal entries or business decisions.
The Problem: Inherently Weak Controls • Can anyone give some personal observations of incorrect information caused by Excel use? • Some of my observations: – a formula for a financial statement number using a random number generator; no documentation – budget equaled actual exactly because the preparer copied the budget numbers – New accountant changed an allocation; Regulator gave MoU.
Risks involving the use of Excel Consider these examples: • An Excel spreadsheet to control fixed assets. • Some Risks: – Formulas are not locked, because each new purchase adds a line to the list of fixed assets. – Approvals consist of a signature on the hard copy. • Excel may be used to prepare financial statements and for variance analyses; • Some Risks of inaccurate information: – Lack of control over input cells, output cells, formula results, and – different versions of the spreadsheet – Consolidation worksheets – information downloaded to standardized workbook then consolidated at corporate offices
Need for Controls • Could such errors appear in the financial statements and the MD&A? Even if totally innocent, whose responsibility? Consequently, lack of proper controls over such applications could result in a finding of a significant deficiency or even a material weakness. If not corrected prior to year end, this might have to be reported as an exception in the annual report.
Solution Overview • COSO compliant, effective controls are easily implemented. Five basic areas to consider are: – Risk Assessment, – Limited Access, – Design and Documentation, – Change Controls, and – Monitoring.
Risk Assessment • Formalized risk assessment is a required element of internal control under COSO. A company could • generate a risk threshold for spreadsheets, based on a percentage of its total assets or gross revenue. • Any spreadsheet generating aggregate entries over that percentage would be deemed critical. So if the • gross revenue is $500m and the threshold is .1% of that, any spreadsheet generating entries of $500k in aggregate over the year would be deemed “critical” and subject to additional controls.
Risk Assessment • Key steps: – Inventory all spreadsheets used to generate journal entries and supporting work papers for published financial information, and – measure them in aggregate by type of entry. In the above fixed asset example, all fixed asset entries would be aggregated to include the spreadsheet in the critical spreadsheet group, rather than excluding it based on many small individual entries it would generate.
Spreadsheet Inventory • Spreadsheet inventory should have: • List of all spreadsheets used for production of financial statements and numbers that support JEs. Include location, owner, main user, frequency of use. (Keep current by requiring all new spreadsheets to be registered.) • Security inventory with all passwords for all sheets; Kept by IT Security.
Control Attributes • Each spreadsheet’s purpose, frequency of being run, and formulas should be documented and explained on a separate tab in the workbook. • Passwords should be backed up separately so if the password keeper leaves or forgets, the company still can unlock the spreadsheet. • All superseded versions should be removed from the production folders.
Design and Documentation Good spreadsheet design makes a spreadsheet reliable, without constant testing or risk of error. Keypoints are: • Range control, Formula control, and Password protection. • Range control entails – setting up input areas, so that formulas do not need to be revised whenever data is added. This is done by – putting formulas on a separate sheet in the workbook; – putting them at the top of the page and adding data underneath. – Controling input via Excel’s excellent Forms functionality
Design and Documentation Formula controls: • Formulas are locked and password protected so the user cannot change them. Only specific input areas are unlocked for the user. • Formulas should be color coded to be easily recognizable. Color coding conventions (standards) should be included in the company’s procedures for designing spreadsheets. – Excel 2007 provides formats for different cell types, such as calculated cell, input, output, and others, on the Home ribbon. • Best practice designs – Use one spreadsheet for a particular purpose so a new version each month (or quarter) is not needed.
Limited Access • The company should set up a secure directory or folder. The network administrator limits access to – specific profiles of staff needing access to perform their duties. – Other staff members are excluded.
Limited Access • Quick connections to external data • In Office Excel 2007, you no longer need to know the server or database names of corporate data sources. Instead, you can use Quicklaunch to select from a list of data sources that your administrator or workgroup expert has made available for you. A connection manager in Excel allows you to view all connections in a workbook and makes it easier to reuse a connection or to substitute a connection with another one. (Excel online documentation). Using these features makes enforcing a secure download process straightforward; (documenting it as well).
Monitoring • Enforcing segregation of duties – i.e. a single individual should not have rights to both prepare and enter an entire transaction. • There must be an audit trail to document the review of entries. A checklist should be used and approved, to prove that all needed spreadsheets were updated timely. • Off premises vacation rules to prevent override of controls > Spreadsheets are updated by other staff.
Monitoring • Management can monitor spreadsheet activity since: – All spreadsheets to prepare FS or supporting info are inventoried, aggregated as to FS impact, risk rated, and all critical spreadsheets are secured. – Mid management knows which are the key spreadsheets and can enforce controls over spreadsheets. – Spreadsheets are password protected and the passwords are kept by IT security.
Change Controls Possibly contentious but consider: How would you feel about the IT staff revising your software just on the programmer’s approval? Same concept applies to your finance dept staff changing critical spreadsheets with no approval.
Change Controls Change controls block unauthorized changes, verify accuracy of changes to the spreadsheet, and enforce version control. Naming conventions lower the risk of using a superseded version. Granted that most spreadsheets will most likely be initially designed by the owner / user. Nevertheless, after a spreadsheet is designed properly, it should be password protected so the designer/ user cannot make changes. Changes should be performed in a test folder set up for this purpose and kept out of the production folders. A second person tests the spreadsheet with a pre-approved test set. The final version is forwarded to the approver who password protects it and posts it to the secure folder.
Questions? Any questions can be addressed to: • Marc Engel, CPA, CISA, CFE Director, CFO Consulting Partners LLC mengel@cfoconsultingpartners.com • Marc.engelcpa@gmail.com 973-953-8569

More Related Content

PPTX
Generalized audit-software
kzoe1996
 
PPT
Bse 3105 lecture 5-evolution of legacy systems
Alonzee Tash
 
PPT
James hall ch 13
David Julian
 
PPT
James hall ch 14
David Julian
 
PPTX
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Corporation
 
PPTX
Financial reporting compliance cloud service presentation
Feras Ahmad
 
DOCX
Setting up audits and audit reports Fusion Cloud
Feras Ahmad
 
PDF
Validation of excel spreadsheets
Digital-360
 
Generalized audit-software
kzoe1996
 
Bse 3105 lecture 5-evolution of legacy systems
Alonzee Tash
 
James hall ch 13
David Julian
 
James hall ch 14
David Julian
 
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Corporation
 
Financial reporting compliance cloud service presentation
Feras Ahmad
 
Setting up audits and audit reports Fusion Cloud
Feras Ahmad
 
Validation of excel spreadsheets
Digital-360
 

What's hot (18)

PPTX
Parallel simulation
kzoe1996
 
PPTX
Integrated Test Facility
kzoe1996
 
PPTX
Test Data Approach
kzoe1996
 
PPT
Technology Controls in Business - End User Computing
guestc1bca2
 
PDF
Excel sox 404
m t
 
PPT
COMPUTERIZED ACCOUNTING AND AUDITING TECHNIQUES (CAAT)
Rikesh Chaurasia
 
DOC
415 quiz1 answers
IIUM
 
PPT
Critical System Specification in Software Engineering SE17
koolkampus
 
PPTX
05.2 auditing procedure application controls
Mulyadi Yusuf
 
DOCX
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 
PDF
Systems request
Fajar Baskoro
 
PPTX
Icai seminar kolkata
sunil patro
 
PPTX
Information Systems Audit & CISA Prep 2010
Donald E. Hester
 
PPTX
Computer-Assisted Audit Tools and Techniques
_supriadi
 
PDF
Using MS Excel In Your Next Audit - Top Basic & Intermediate Techniques
Jim Kaplan CIA CFE
 
DOCX
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
PDF
System audit questionnaire
Nicholas Kaptingei
 
PDF
Steps in it audit
kinjalmkothari92
 
Parallel simulation
kzoe1996
 
Integrated Test Facility
kzoe1996
 
Test Data Approach
kzoe1996
 
Technology Controls in Business - End User Computing
guestc1bca2
 
Excel sox 404
m t
 
COMPUTERIZED ACCOUNTING AND AUDITING TECHNIQUES (CAAT)
Rikesh Chaurasia
 
415 quiz1 answers
IIUM
 
Critical System Specification in Software Engineering SE17
koolkampus
 
05.2 auditing procedure application controls
Mulyadi Yusuf
 
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 
Systems request
Fajar Baskoro
 
Icai seminar kolkata
sunil patro
 
Information Systems Audit & CISA Prep 2010
Donald E. Hester
 
Computer-Assisted Audit Tools and Techniques
_supriadi
 
Using MS Excel In Your Next Audit - Top Basic & Intermediate Techniques
Jim Kaplan CIA CFE
 
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
System audit questionnaire
Nicholas Kaptingei
 
Steps in it audit
kinjalmkothari92
 
Ad

Similar to Internal controls over excel and other user directed aps[feb4.10 (20)

PDF
Spreadsheet Controls
greghawes
 
PPT
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
PDF
Controlling Excel Chaos
greghawes
 
PDF
Pw Cwp Spreadsheet404 Sarbox
greghawes
 
PDF
Spreadsheet Guidelines_20130618_EuSpRiG
Andy Wiggins MSc FCCA
 
DOCX
Information and technology Basics computer skills required to learn and to un...
VasundharaRajput6
 
PDF
10 Excel-lent Ideas that will make you more Productive
Access Analytic ... providing AMAZING Power BI and Excel solutions
 
PPTX
EXCEL PPT FOR IT.pptx for itt batch basic
prabhatsingh555ps
 
PPTX
Spreadsheet Compliance and Management in Office and SharePoint 2013 Pitch
Micleus
 
PDF
eBook Spreadsheet to WebAPP
Abhishek Ranjan
 
PDF
Excellence In Excel Presentation
cynosure76
 
PPTX
KASSAN KASELEMA -LESSON 1. EXCEL KNOWLEDGE
KassanKaselema
 
DOCX
Unit 42 Assignment 2
Alex Dennis
 
PDF
White Paper: Excel Mischief
Access Analytic ... providing AMAZING Power BI and Excel solutions
 
PDF
Concerns Examiners Have About Your Spreadsheets and How to Respond
Libby Bierman
 
PPTX
A detailed introduction of MS Excel is given in short
AeshwaryaChauhan1
 
PDF
Module 3 comp 312 - computer fundamentals and programming
diosdadamendoza
 
PPTX
Data Visualisation using Spreadsheet.pptx
Anushida1
 
PPT
EGLIUG 1019 1200 presentation of tutorial in excel
AnangSatriaChandrane
 
PDF
Guide to excel
accgenius2
 
Spreadsheet Controls
greghawes
 
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
Controlling Excel Chaos
greghawes
 
Pw Cwp Spreadsheet404 Sarbox
greghawes
 
Spreadsheet Guidelines_20130618_EuSpRiG
Andy Wiggins MSc FCCA
 
Information and technology Basics computer skills required to learn and to un...
VasundharaRajput6
 
10 Excel-lent Ideas that will make you more Productive
Access Analytic ... providing AMAZING Power BI and Excel solutions
 
EXCEL PPT FOR IT.pptx for itt batch basic
prabhatsingh555ps
 
Spreadsheet Compliance and Management in Office and SharePoint 2013 Pitch
Micleus
 
eBook Spreadsheet to WebAPP
Abhishek Ranjan
 
Excellence In Excel Presentation
cynosure76
 
KASSAN KASELEMA -LESSON 1. EXCEL KNOWLEDGE
KassanKaselema
 
Unit 42 Assignment 2
Alex Dennis
 
White Paper: Excel Mischief
Access Analytic ... providing AMAZING Power BI and Excel solutions
 
Concerns Examiners Have About Your Spreadsheets and How to Respond
Libby Bierman
 
A detailed introduction of MS Excel is given in short
AeshwaryaChauhan1
 
Module 3 comp 312 - computer fundamentals and programming
diosdadamendoza
 
Data Visualisation using Spreadsheet.pptx
Anushida1
 
EGLIUG 1019 1200 presentation of tutorial in excel
AnangSatriaChandrane
 
Guide to excel
accgenius2
 
Ad

Recently uploaded (19)

PDF
Probe Gold Corporate Presentation Aug 2025 Final.pdf
Probe Gold
 
PDF
How to Analyze Market Trends in Precious Metal.pdf
Innova FX
 
PDF
Collective Mining | Corporate Presentation - August 2025
Collective Mining
 
PDF
Corporate Finance, 12th Edition, Stephen Ross, Randolph Westerfield, Jeffrey ...
solutions manual team
 
PPTX
TTL1_LMS-Presenfdufgdfgdgduhfudftation.pptx
hildogavino28
 
PDF
OR Royalties Inc. - Q2 2025 Results, August 6, 2025
OR Royalties Inc.
 
PPTX
North Arrow Corporate Update for August 5, 2025
NickThomas898767
 
PDF
North Arrow Minerals Corporate and Kraaipan Project Update
narminerals
 
PPTX
Chemistry.pptxjhghjgghgyughgyghhhvhbhghjbjb
Justine Mercado
 
PDF
OR Royalties Inc. - Corporate Presentation, August 2025
OR Royalties Inc.
 
PDF
Methanex Investor Presentation - July 2025
Methanex Corporation
 
PPTX
investment-opportunities-in-rajasthan.pptx
sagarsharma242424242
 
PDF
TIM Group - Results Presentation H1 '25.pdf
Gruppo TIM
 
PDF
Investor Presentation - Q2 FY 25 - 6 November 2024.pdf
TusharSugandhi2
 
PPTX
HealthIllnessSociety.pptxjjjjjjjjjjjjjjjjj
zivankabhabha
 
PDF
202507_Sansan presentation materials FY2024
sansanir
 
PDF
Update on North Arrow Minerals and the Kraaipan Gold Project, Botswanaf
NickThomas898767
 
DOC
École毕业证学历认证,劳伦森大学毕业证毕业证文凭
wnukhy
 
PDF
Cyberagent_For New Investors_EN_250808.pdf
CyberAgent, Inc.
 
Probe Gold Corporate Presentation Aug 2025 Final.pdf
Probe Gold
 
How to Analyze Market Trends in Precious Metal.pdf
Innova FX
 
Collective Mining | Corporate Presentation - August 2025
Collective Mining
 
Corporate Finance, 12th Edition, Stephen Ross, Randolph Westerfield, Jeffrey ...
solutions manual team
 
TTL1_LMS-Presenfdufgdfgdgduhfudftation.pptx
hildogavino28
 
OR Royalties Inc. - Q2 2025 Results, August 6, 2025
OR Royalties Inc.
 
North Arrow Corporate Update for August 5, 2025
NickThomas898767
 
North Arrow Minerals Corporate and Kraaipan Project Update
narminerals
 
Chemistry.pptxjhghjgghgyughgyghhhvhbhghjbjb
Justine Mercado
 
OR Royalties Inc. - Corporate Presentation, August 2025
OR Royalties Inc.
 
Methanex Investor Presentation - July 2025
Methanex Corporation
 
investment-opportunities-in-rajasthan.pptx
sagarsharma242424242
 
TIM Group - Results Presentation H1 '25.pdf
Gruppo TIM
 
Investor Presentation - Q2 FY 25 - 6 November 2024.pdf
TusharSugandhi2
 
HealthIllnessSociety.pptxjjjjjjjjjjjjjjjjj
zivankabhabha
 
202507_Sansan presentation materials FY2024
sansanir
 
Update on North Arrow Minerals and the Kraaipan Gold Project, Botswanaf
NickThomas898767
 
École毕业证学历认证,劳伦森大学毕业证毕业证文凭
wnukhy
 
Cyberagent_For New Investors_EN_250808.pdf
CyberAgent, Inc.
 

Internal controls over excel and other user directed aps[feb4.10

  • 1. Internal Controls over Excel and other User Directed Applications in a SOX Environment Marc Engel, CPA, CISA, CBA, CFE Director, CFO Consulting Partners LLC mengel@cfoconsultingpartners.com Marc.engelcpa@gmail.com 973-953-8569 Presented February 4, 2010 to the Litigation Services Committee of the NYSSCPA
  • 2. Key Discussion Points • Topics: • (1)_Overview of Excel risks as part of the risk assessment • (2)_Risks of fraud and errors; best practices to prevent and detect them • (3)_Applying Change controls to Excel Objective: Consider the risks involved in controlling spreadsheets and other user directed applications. Discuss controls that can be easily implemented to meet SOX requirements for risk analysis, and establishing effective controls.
  • 3. Excel Risks as Part of the Risk Analysis • Background • Many companies not previously subject to SOX are required to comply in their current fiscal year. • This includes non-accelerated filers and smaller reporting companies. Existing companies that are SOX compliant should now be compliant for their primary computer systems and applications. • However, many of these companies may need to tighten controls over applications such as Excel. • These are often used in accounting and finance departments to generate calculations or support for • journal entries or business decisions.
  • 4. The Problem: Inherently Weak Controls • Can anyone give some personal observations of incorrect information caused by Excel use? • Some of my observations: – a formula for a financial statement number using a random number generator; no documentation – budget equaled actual exactly because the preparer copied the budget numbers – New accountant changed an allocation; Regulator gave MoU.
  • 5. Risks involving the use of Excel Consider these examples: • An Excel spreadsheet to control fixed assets. • Some Risks: – Formulas are not locked, because each new purchase adds a line to the list of fixed assets. – Approvals consist of a signature on the hard copy. • Excel may be used to prepare financial statements and for variance analyses; • Some Risks of inaccurate information: – Lack of control over input cells, output cells, formula results, and – different versions of the spreadsheet – Consolidation worksheets – information downloaded to standardized workbook then consolidated at corporate offices
  • 6. Need for Controls • Could such errors appear in the financial statements and the MD&A? Even if totally innocent, whose responsibility? Consequently, lack of proper controls over such applications could result in a finding of a significant deficiency or even a material weakness. If not corrected prior to year end, this might have to be reported as an exception in the annual report.
  • 7. Solution Overview • COSO compliant, effective controls are easily implemented. Five basic areas to consider are: – Risk Assessment, – Limited Access, – Design and Documentation, – Change Controls, and – Monitoring.
  • 8. Risk Assessment • Formalized risk assessment is a required element of internal control under COSO. A company could • generate a risk threshold for spreadsheets, based on a percentage of its total assets or gross revenue. • Any spreadsheet generating aggregate entries over that percentage would be deemed critical. So if the • gross revenue is $500m and the threshold is .1% of that, any spreadsheet generating entries of $500k in aggregate over the year would be deemed “critical” and subject to additional controls.
  • 9. Risk Assessment • Key steps: – Inventory all spreadsheets used to generate journal entries and supporting work papers for published financial information, and – measure them in aggregate by type of entry. In the above fixed asset example, all fixed asset entries would be aggregated to include the spreadsheet in the critical spreadsheet group, rather than excluding it based on many small individual entries it would generate.
  • 10. Spreadsheet Inventory • Spreadsheet inventory should have: • List of all spreadsheets used for production of financial statements and numbers that support JEs. Include location, owner, main user, frequency of use. (Keep current by requiring all new spreadsheets to be registered.) • Security inventory with all passwords for all sheets; Kept by IT Security.
  • 11. Control Attributes • Each spreadsheet’s purpose, frequency of being run, and formulas should be documented and explained on a separate tab in the workbook. • Passwords should be backed up separately so if the password keeper leaves or forgets, the company still can unlock the spreadsheet. • All superseded versions should be removed from the production folders.
  • 12. Design and Documentation Good spreadsheet design makes a spreadsheet reliable, without constant testing or risk of error. Keypoints are: • Range control, Formula control, and Password protection. • Range control entails – setting up input areas, so that formulas do not need to be revised whenever data is added. This is done by – putting formulas on a separate sheet in the workbook; – putting them at the top of the page and adding data underneath. – Controling input via Excel’s excellent Forms functionality
  • 13. Design and Documentation Formula controls: • Formulas are locked and password protected so the user cannot change them. Only specific input areas are unlocked for the user. • Formulas should be color coded to be easily recognizable. Color coding conventions (standards) should be included in the company’s procedures for designing spreadsheets. – Excel 2007 provides formats for different cell types, such as calculated cell, input, output, and others, on the Home ribbon. • Best practice designs – Use one spreadsheet for a particular purpose so a new version each month (or quarter) is not needed.
  • 14. Limited Access • The company should set up a secure directory or folder. The network administrator limits access to – specific profiles of staff needing access to perform their duties. – Other staff members are excluded.
  • 15. Limited Access • Quick connections to external data • In Office Excel 2007, you no longer need to know the server or database names of corporate data sources. Instead, you can use Quicklaunch to select from a list of data sources that your administrator or workgroup expert has made available for you. A connection manager in Excel allows you to view all connections in a workbook and makes it easier to reuse a connection or to substitute a connection with another one. (Excel online documentation). Using these features makes enforcing a secure download process straightforward; (documenting it as well).
  • 16. Monitoring • Enforcing segregation of duties – i.e. a single individual should not have rights to both prepare and enter an entire transaction. • There must be an audit trail to document the review of entries. A checklist should be used and approved, to prove that all needed spreadsheets were updated timely. • Off premises vacation rules to prevent override of controls > Spreadsheets are updated by other staff.
  • 17. Monitoring • Management can monitor spreadsheet activity since: – All spreadsheets to prepare FS or supporting info are inventoried, aggregated as to FS impact, risk rated, and all critical spreadsheets are secured. – Mid management knows which are the key spreadsheets and can enforce controls over spreadsheets. – Spreadsheets are password protected and the passwords are kept by IT security.
  • 18. Change Controls Possibly contentious but consider: How would you feel about the IT staff revising your software just on the programmer’s approval? Same concept applies to your finance dept staff changing critical spreadsheets with no approval.
  • 19. Change Controls Change controls block unauthorized changes, verify accuracy of changes to the spreadsheet, and enforce version control. Naming conventions lower the risk of using a superseded version. Granted that most spreadsheets will most likely be initially designed by the owner / user. Nevertheless, after a spreadsheet is designed properly, it should be password protected so the designer/ user cannot make changes. Changes should be performed in a test folder set up for this purpose and kept out of the production folders. A second person tests the spreadsheet with a pre-approved test set. The final version is forwarded to the approver who password protects it and posts it to the secure folder.
  • 20. Questions? Any questions can be addressed to: • Marc Engel, CPA, CISA, CFE Director, CFO Consulting Partners LLC mengel@cfoconsultingpartners.com • Marc.engelcpa@gmail.com 973-953-8569