
AUDIT DIRECTOR ROUNDTABLE DECEMBER 2007

www.audit.executiveboard.com

SARBANES-OXLEY COMPLIANCE DISCUSSION GROUP:
SPREADSHEET AUDITING CONTROL SOFTWARE

The Sarbanes-Oxley (SOX) Compliance Peer Group is an email-based forum that allows Internal Audit professionals to anonymously
pose questions and discuss tactics related to SOX compliance. Participants are encouraged to discuss all SOX-related topics, including
emerging issues (such as changes to SOX-related regulations) and evergreen compliance issues. To learn more about the peer group,
visit us at www.audit.executiveboard.com/Members/PeerGroups.

The question below on spreadsheet auditing was posed to the SOX Peer Group in December 2007. A summary of responses follows.

Original Question

User-Developed Software Control Policy

1. Does your organization have a policy in place over end-user developed software (e.g., spreadsheets, Crystal Reports)? If so,
could you briefly describe the coverage of those policies (e.g., access control, peer integrity testing, version control, etc.)?

Spreadsheet Auditing Software

2. Does your organization utilize any “off the shelf” or customized spreadsheet auditing and control software? If “yes,”
• Which groups in your organization use the software?
• Which software does your organization use?
• Which functional modules of the software does your organization use (e.g., location & inventory, workflow approval, version
control, change audit)?
• What are the main pros and cons of this software?

Director, Internal Audit
Transportation Company

Member Responses
Response 1

Please click here for our End-User Computing Control Matrix:

https://www.arc.executiveboard.com/Members/ResearchAndTools/Abstract.aspx?cid=100050661

Response 2

As with many other companies, we use a variety of spreadsheets to support key controls. Some of these are stand-alone spreadsheets
and others are spreadsheets created by exporting data from an Essbase cube into Excel, thus allowing the data to potentially be
changed. This year we developed a policy related to controls that must be put in place for spreadsheets linked to key controls.

The spreadsheets are classified based upon their significance, with controls defined by classification. These typically include items
such as access restriction, change control (for significant spreadsheets), backup and validation through a review process to ensure that the
data agrees to the source data file, the spreadsheet functionality works as intended and the spreadsheet is accurate.

I have attached our policy, which will need to be sanitized before publishing. Thanks.

Access the policy here: https://www.arc.executiveboard.com/Members/ResearchAndTools/Abstract.aspx?cid=100062381

Response 3
1. No, we don't really have any policies in place right now over end-user developed software. It's a good idea though and I will
follow up with our management on this topic.

2. We are in the process of reviewing off the shelf applications. We've looked at a company called Prodiance (found on the
Audit.net website - there are other vendors on that website also) for controls over spreadsheets. Prodiance came to our
company and gave a presentation, but there were a couple of things that our IT folks were looking at that they didn't offer, so
we are looking at other vendors. Our IT folks wanted to get a product that has more of an intelligent search engine (one that
can crawl through various documents on our shared drives looking for specific information). The audit capabilities look
good though, so our Audit department may want to invest in a license to audit spreadsheets. We are still in the review phase
though and haven't made a decision.

Response 4

We have a comprehensive spreadsheet control policy which covers three broad areas: conducting an inventory of spreadsheets,
conducting a risk assessment in terms of financial restatement, and implementing spreadsheet controls based on perceived risk.

Controls addressed include: access control, change control, documentation requirements, review and testing of spreadsheet function,
input controls, security and integrity of data, and logic inspection.

We have developed an Excel spreadsheet to evaluate and track our end user spreadsheets. Based on risk factors entered, the
spreadsheet database will identify the appropriate level of spreadsheet controls to be implemented.

Response 5

Our policies are primarily focused on access control to files and hardware.

Response 6

We have a policy that considers “end user” developed applications that cover spreadsheets, Access and other databases, and custom
user produced reports. Our policy covers:

• Integrity testing – all new applications and revisions to existing applications must be subject to an independent “logic review”
as well as independent testing of calculations. All applications must be subject to this review before they are “approved” for
use.
• Access control – all applications must provide for limited access, especially for those who can edit or change application
parameters. This is controlled through limited access to server directories or password protection on spreadsheet files.
• Change control process – covers changes to the logic of the report / spreadsheet as well as updates to data fields. We have
logs that track these changes and help us maintain “version control” of the application.
• Development life cycle – complicated end user applications follow one of our approved system development processes.
• Archiving – old versions of files / applications are archived in read-only format.

With respect to Spreadsheet Auditing Software, we use the functionality built into Excel.

Response 7

Our organisation developed a control framework to cover End User Computing artefacts (EUC) that were deemed to be SOx material
(i.e. over a financial threshold or supporting SOx key controls).

We have a company policy that defines EUC and processes for inception, maintenance and change control.
We maintain a central register of all SOx-critical EUC, covering ownership, materiality and referencing processes and/or controls to
which they relate.
Controls over EUC include:


• Documentation - all EUC must be fully documented, including explanation of the process, inputs and outputs.
• Design effectiveness testing - performed by business owners
• Logic testing - performed by a central team
• Version control - master copies of all EUC are held in a secure LAN
• Change control - all amendments to EUC are approved and recorded
• Periodic audits of selected EUC to periodically compare against live files to detect changes and reference back to change
control.

We use ExChecker to perform logic inspections - useful for identifying potential basic formula errors, mis-referenced cells etc. It also
picks up examples of bad coding practice such as hard-coded variables. Design effectiveness can only be tested by business owners, as
they know what the calculations are supposed to do.

Response 8

All Excel spreadsheets that are classified as a financial spreadsheet with a level 3 (high risk) designation per the Company's End
User Computing are subject to the policy controls. This includes password protection, lockdown of formulae, access controls and
further reviews. Quarterly, the list of "key" high risk spreadsheets is segregated for testing procedures and presented to the CAO for
review and approval.

Response 9

Yes, the policy was created as part of Sarbanes-Oxley remediation efforts, and is very narrowly focused on spreadsheets that are used
to support manual journal entries and are "original" sources of data (that is, not merely extracts or simple calculated values).
Microsoft Access Databases and Excel Spreadsheets are covered by the policy. The policy has two main components, one covering
access control and the other covering version control. The access controls are preventive and the version controls are directive.

Response 10

We specifically identify key spreadsheets for our entity. Then we apply access control, peer integrity testing and version controls to the
specified spreadsheets. Each of the identified spreadsheets has a required template that must be completed to verify the controls. We
also self-assess and have a control in our framework.

Response 11

We do not have a policy regarding end-user developed software. We do not utilize off the shelf spreadsheet auditing and control
software.

Response 12

We do have a policy related to spreadsheets that includes the following:


1. Access to modify/update these key spreadsheets/databases should be limited to key personnel and their designated back-ups.
2. The key functions within the spreadsheet/database should be periodically reviewed for accuracy and integrity.
3. As the financial spreadsheets/databases are completed, these files for the prior fiscal periods should be archived and retained on an
appropriate network drive or other backup source.
4. As spreadsheets/databases are used to help derive financial data used in journal entry postings, the determination of whether
controls are required for the key functions of the spreadsheet/database are based upon other existing key controls for the process.
5. Evidence of the review of key functions within the spreadsheet/database for accuracy and integrity by appropriate business unit
management should be retained.

We don’t use any off-the-shelf software.


If you have any related questions for the SOX Compliance Discussion Group, please email the peer group moderator at
owner-adr_sox@ceb.lyris.net.

To join a Peer Group, or for more information, please visit the Connect with Peers tab on the Audit Director Roundtable website at
www.audit.executiveboard.com/Members/PeerGroups.

Professional Services Note

In its research, the Audit Director Roundtable refrains from endorsing or recommending a particular product, service or program in any respect.
Sources are contacted within the parameters set by the requesting member, and the resulting sample is rarely of statistically significant size. That
said, it is the goal of the Audit Director Roundtable to provide a balanced review of the study topic within the parameters of this project. The
Roundtable encourages members who have additional questions about this topic to contact the Roundtable.

The Audit Director Roundtable has worked to ensure the accuracy of the information it provides to its members. This project relies upon data
obtained from many sources, however, and the Audit Director Roundtable cannot guarantee the accuracy of the information or its analysis in all
cases. Further, the Audit Director Roundtable is not engaged in rendering legal, accounting or other professional services. Its projects should not
be construed as professional advice on any particular set of facts or circumstances. Members requiring such services are advised to consult an
appropriate professional. Neither Corporate Executive Board nor its programs is responsible for any claims or losses that may arise from any
errors or omissions in their reports, whether caused by Corporate Executive Board or its sources.

2008 Corporate Executive Board ©
