www.audit.executiveboard.com
The Sarbanes-Oxley (SOX) Compliance Peer Group is an email-based forum that allows Internal Audit professionals to anonymously
pose questions and discuss tactics related to SOX compliance. Participants are encouraged to discuss all SOX-related topics, including
emerging issues (such as changes to SOX-related regulations) and evergreen compliance issues. To learn more about the peer group,
visit us at www.audit.executiveboard.com/Members/PeerGroups.
The question below on spreadsheet auditing was posed to the SOX Peer Group in December 2007. A summary of responses follows.
Original Question
Member Responses
Response 1
Response 2
As with many other companies, we use a variety of spreadsheets to support key controls. Some of these are stand-alone spreadsheets
and others are spreadsheets created by exporting data from an Essbase cube into Excel, thus allowing the data to potentially be
changed. We developed a policy related to controls that must be put in place for spreadsheets linked to key controls this year.
The spreadsheets are classified based upon their significance, with controls defined by classification. These typically include items
such as access restriction, change control (for significant spreadsheets), backup and validation through a review process to ensure the
data agrees to the source data file, the spreadsheet functionality works as intended and the spreadsheet is accurate.
I have attached our policy, which will need to be sanitized before publishing. Thanks.
Response 3
AUDIT DIRECTOR ROUNDTABLE DECEMBER 2008
1. No, we don't really have any policies in place right now over end-user developed software. It's a good idea though and I will
follow up with our management on this topic.
2. We are in the process of reviewing off-the-shelf applications. We've looked at a company called Prodiance (found on the
Audit.net website - there are other vendors on that website also) for controls over spreadsheets. Prodiance came to our
company and gave a presentation, but there were a couple of things that our IT folks were looking at that they didn't offer, so
we are looking at other vendors. Our IT folks wanted to get a product that has more of an intelligent search engine (one that
can crawl through various documents on our shared drives looking for specific information). The audit capabilities look
good though, so our Audit department may want to invest in a license to audit spreadsheets. We are still in the review phase
though and haven't made a decision.
Response 4
We have a comprehensive spreadsheet control policy which covers three broad areas: conducting an inventory of spreadsheets,
conducting a risk assessment in terms of financial restatement, and implementing spreadsheet controls based on perceived risk.
Controls addressed include: access control, change control, documentation requirements, review and testing of spreadsheet function,
input controls, security and integrity of data, and logic inspection.
We have developed an Excel spreadsheet to evaluate and track our end user spreadsheets. Based on risk factors entered, the
spreadsheet database will identify the appropriate level of spreadsheet controls to be implemented.
Response 5
Our policies are primarily focused on access control to files and hardware.
Response 6
We have a policy that considers “end user” developed applications that cover spreadsheets, Access and other databases, and custom
user produced reports. Our policy covers:
• Integrity testing – all new applications and revisions to existing applications must be subject to an independent “logic review”
as well as independent testing of calculations. All applications must be subject to this review before they are “approved” for
use.
• Access control – all applications must provide for limited access – especially for those who can edit or change application
parameters. This is controlled through limited access to server directories or password protection on spreadsheet files.
• Change control process – covers changes to the logic of the report / spreadsheet as well as updates to data fields. We have
logs that track these changes and help us maintain “version control” of the application.
• Development life cycle – complicated end user applications follow one of our approved system development processes.
• Archiving – old versions of files / applications are archived in read-only format.
With respect to Spreadsheet Auditing Software, we use the functionality built into Excel.
Response 7
Our organisation developed a control framework to cover End User Computing artefacts (EUC) that were deemed to be SOx material
(i.e. over a financial threshold or supporting SOx key controls).
We have a company policy that defines EUC and processes for inception, maintenance and change control.
We maintain a central register of all SOx-critical EUC, covering ownership, materiality and referencing processes and/or controls to
which they relate.
Controls over EUC include:
• Documentation - all EUC must be fully documented, including explanation of the process, inputs and outputs.
• Design effectiveness testing - performed by business owners.
• Logic testing - performed by a central team.
• Version control - master copies of all EUC are held in a secure LAN.
• Change control - all amendments to EUC are approved and recorded.
• Periodic audits of selected EUC to compare them against live files, detect changes and reference those changes back to change
control.
We use ExChecker to perform logic inspections - useful for identifying potential basic formula errors, mis-referenced cells etc. It also
picks up examples of bad coding practice such as hard-coded variables. Design effectiveness can only be tested by business owners, as
they know what the calculations are supposed to do.
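One way to implement the periodic audit this response describes (live copies compared against registered master copies, with every difference referenced back to change control). This is an added example, not the responding organisation's own tooling; the file names, file contents and change-log entries are constructed for the demonstration, and the register is modelled as a simple name-to-digest mapping.

```python
"""Periodic EUC integrity audit: compare live copies of SOX-critical
spreadsheets against the registered master copies and tie every
difference back to an approved change-control record.

Added example. File names, contents and change-log entries are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large workbooks are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_register(master_dir: Path) -> dict:
    """The central register: one entry per master copy, keyed by file name."""
    return {p.name: sha256_of(p) for p in sorted(master_dir.iterdir()) if p.is_file()}


def audit_live_copies(register: dict, live_dir: Path, change_log: dict) -> dict:
    """Classify each registered EUC by comparing its live copy with the register.

    change_log maps a file name to the set of digests that change control has
    approved since the master was registered. A live digest that matches
    neither the register nor an approved record is an unapproved change;
    a registered file with no live copy is reported as missing.
    """
    findings = {}
    for name, master_hash in register.items():
        live = live_dir / name
        if not live.exists():
            findings[name] = "missing"
            continue
        live_hash = sha256_of(live)
        if live_hash == master_hash:
            findings[name] = "unchanged"
        elif live_hash in change_log.get(name, set()):
            findings[name] = "approved_change"
        else:
            findings[name] = "unapproved_change"
    return findings


def demo() -> dict:
    """Build a constructed master/live pair in a temp directory and run the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp) / "master"
        live = Path(tmp) / "live"
        master.mkdir()
        live.mkdir()
        # Constructed master copies held in the secure location.
        (master / "accruals.xlsx").write_bytes(b"accruals v1")
        (master / "revenue_recon.xlsx").write_bytes(b"recon v1")
        (master / "fx_rates.xlsx").write_bytes(b"fx v1")
        (master / "payroll_je.xlsx").write_bytes(b"payroll v1")
        # Constructed live copies: one untouched, one changed with an approved
        # record, one edited with no record, and one deleted from the share.
        (live / "accruals.xlsx").write_bytes(b"accruals v1")
        (live / "revenue_recon.xlsx").write_bytes(b"recon v2")
        (live / "fx_rates.xlsx").write_bytes(b"fx v1 edited by hand")
        register = build_register(master)
        # Constructed change-control log: only the recon revision was approved.
        change_log = {"revenue_recon.xlsx": {hashlib.sha256(b"recon v2").hexdigest()}}
        return audit_live_copies(register, live, change_log)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The audit output is only as good as the change log it is checked against: an "approved_change" finding means the new digest was recorded when the change was approved, so the control depends on the approver capturing the post-change hash rather than just signing off the request.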
Response 8
All Excel spreadsheets that are classified as a financial spreadsheet with a level 3 (high risk) designation per the Company's End
User Computing policy are subject to the policy controls. This includes password protection, lockdown of formulae, access controls and
further reviews. Quarterly, the list of "key" high risk spreadsheets is segregated for testing procedures and presented to the CAO for
review and approval.
Response 9
Yes, the policy was created as part of Sarbanes-Oxley remediation efforts, and is very narrowly focused on spreadsheets that are used
to support manual journal entries and are "original" sources of data (that is, not merely extracts or simple calculated values).
Microsoft Access Databases and Excel Spreadsheets are covered by the policy. The policy has two main components, one covering
access control and the other covering version control. The access controls are preventive and the version controls are directive.
Response 10
We specifically identify key spreadsheets for our entity. Then we apply access control, peer integrity testing and version controls to the
specified spreadsheets. Each of the identified spreadsheets has a required template that must be completed to verify the controls. We
also self-assess and have a control in our framework.
Response 11
We do not have a policy regarding end-user developed software. We do not utilize off the shelf spreadsheet auditing and control
software.
Response 12
If you have any related questions for the SOX Compliance Discussion Group, please email the peer group moderator at
owner-adr_sox@ceb.lyris.net.
To join a Peer Group, or for more information, please visit the Connect with Peers tab on the Audit Director Roundtable website at
www.audit.executiveboard.com/Members/PeerGroups.
In its research, the Audit Director Roundtable refrains from endorsing or recommending a particular product, service or program in any respect.
Sources are contacted within the parameters set by the requesting member, and the resulting sample is rarely of statistically significant size. That
said, it is the goal of the Audit Director Roundtable to provide a balanced review of the study topic within the parameters of this project. The
Roundtable encourages members who have additional questions about this topic to contact the Roundtable.
The Audit Director Roundtable has worked to ensure the accuracy of the information it provides to its members. This project relies upon data
obtained from many sources, however, and the Audit Director Roundtable cannot guarantee the accuracy of the information or its analysis in all
cases. Further, the Audit Director Roundtable is not engaged in rendering legal, accounting or other professional services. Its projects should not
be construed as professional advice on any particular set of facts or circumstances. Members requiring such services are advised to consult an
appropriate professional. Neither Corporate Executive Board nor its programs is responsible for any claims or losses that may arise from any
errors or omissions in their reports, whether caused by Corporate Executive Board or its sources.