This article will guide you on how to address Sarbanes Oxley S404 with regards to spreadsheets, using only Excel’s built in tools. Unfortunately the built in tools do not address all the requirements of the SoX act and, depending on your reliance on spreadsheets and their potential impact, you may need to consider some specialized tools. Where appropriate we have indicated where a spreadsheet checker could help your organization.
However, the features shown here will improve your controls over spreadsheets and at least show your auditors that you are trying to address the issue. Get all your staff to go through this material and make sure they are familiar with it. You can also look at the free online Auditing Excel Spreadsheets course.
We also have some thoughts for the project managers and people responsible for the overall risks posed by spreadsheets as concerns Section 404 of the SOX act. Read our article on how to address the risks and look at the tools we offer by clicking on the part you want to read ( SOX Part 1, Part 2, Part 3, Part 4, Part 5).
Spreadsheet Error Issues
Spreadsheets are notoriously difficult to control. The very features that make them so useful, also make them risky i.e.
- ease of use and
Hence the new requirements per SoX legislation. Don’t feel happy if you don’t live or deal with the US. This legislation, maybe under another name, will be coming to your town soon. So you may as well prepare now!
Below are some of the controls that need to be considered and implemented for spreadsheets. You can click on each one to get practical ideas of how to address them using only Excel’s inbuilt tools and features.
Keep in mind that depending on the importance of the spreadsheet, you may need to introduce more stringent controls, but these suggestions will show you how to use the tools you already have in the most effective manner. At the very least, all spreadsheet users in the organization should know this.
The controls that will reduce your risk exposure are
Spreadsheet Documentation (click here to see how)
Ensure that the appropriate level of spreadsheet documentation is maintained and kept up-to-date to understand the business objective and specific functions of the spreadsheet. By clicking on this section you will learn
- Practical way of including the documentation into your spreadsheets
- How to find External links in a spreadsheet
Professional Excel Add Ins assists with easily documenting a spreadsheet.
Limit access to a spreadsheet to the appropriate staff, either to allow changes, or to view the spreadsheet. Spreadsheets can also be password protected to restrict access. By clicking on this section you will learn
- Thoughts on where the spreadsheet should be kept
- How to password protect a spreadsheet
- How to protect cells within a spreadsheet
- How to validate the data within a cell.
Ensure that the information input into a spreadsheet is controlled. Data may be inputted into spreadsheets manually or systematically through downloads. By clicking on this section you will learn
- Thoughts on how to transfer data into a spreadsheet
- How to protect the contents of cells
- How to control what inputs can be made in a cell
Inspect the logic in critical spreadsheets to find and eliminate errors or potential errors. This testing should be formally documented. By clicking on this section you will learn
- Excel’s built in tools for testing i.e. the Auditing Toolbar and the GO TO Special feature
- A process for testing your spreadsheets
- Password protection after testing to reduce new errors
- The benefits of Spreadsheet Professional
Spreadsheet Version Control (click here to see how)
Ensure only current and approved versions of spreadsheets are being used by creating naming conventions and directory structures. By clicking on this section you will learn
- A naming convention for spreadsheets
- Thoughts on the folder structures
Spreadsheet Audit Trails
Establish and maintain an audit trail of changes made to a spreadsheet either at an input, formula or structural level. By clicking on this section you will learn
- Thoughts on the audit trail
- The tracking feature in Excel and how to use it
- Spreadsheet Professional’s comparison tool
- Other tools
Maintain a controlled process for requesting changes to a spreadsheet, making changes and then testing the spreadsheet and obtaining formal sign-off. This would also apply to new developments that would fall within the act. By clicking on this section you will learn
- Thoughts on change control
- Passwords to control who can view and who can change a spreadsheet
- Manual process to authorize change
Implement a process to back up spreadsheets on a regular basis so that complete and accurate information is available for financial reporting. Then maintain historical files no longer available for update in a secure location so that it can be found, and viewed but not changed at a later date.
By clicking on this section you will learn
- Thoughts on the back up process
- Using Microsoft Windows Briefcase feature for back up
- Thoughts on the archiving issue