Spreadsheet management
1 / 15

- PowerPoint PPT Presentation

  • Updated On :

Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002). Requires “an effective system of internal control” for financial reporting in publicly-held companies Effective management of spreadsheet risk is required to satisfy the regulation requirements

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about '' - melora

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Sarbanes oxley act sox 2002 l.jpg
Sarbanes-Oxley Act (SOX, 2002)

  • Requires “an effective system of internal control” for financial reporting in publicly-held companies

  • Effective management of spreadsheet risk is required to satisfy the regulation requirements

  • Similar requirements have been made by other regulating agencies (AICPA, NACUBO, FDA)

External audit firms and regulatory bodies over the last five years l.jpg
External audit firms and regulatory bodies over the last five years…

  • Have become aware of organizations’ exposure to spreadsheet risk

  • Provided documented guidance that spreadsheet risk management is an area they will be specifically focusing on

  • Documented that “spreadsheet risk was an issue for which no one in the organization was taking accountability”

10 k deficiency filings l.jpg
10-K Deficiency Filings five years…

  • 113 10-Ks reported SOX material weaknesses for inadequate internal control of spreadsheets between 2004 and mid-2008.

    • 42 weaknesses associated with inadequate review processes

    • 41 weaknesses with inadequate access controls

    • 27 weaknesses with inadequate change management controls

    • 22 weaknesses with lack of data integrity controls

    • 9 weaknesses with inadequate spreadsheet testing

    • 50 10-Ks cited with general lack of effective controls

Accountability for spreadsheet deficiencies l.jpg
Accountability for Spreadsheet Deficiencies five years…

  • Why is accountability important?

    • Standard approach to accounting and auditing processes

  • Who is accountable?

    • Senior management

    • A spreadsheet risk management policy that defines effective processes and enacts appropriate monitoring is needed

    • An operating model that defines further accountability, roles & responsibilities, processes, controls and control standards

Field interviews with senior managers by caulkins et al 2007 report that l.jpg
Field Interviews with Senior Managers five years…byCaulkins et. al. (2007) report that

  • Spreadsheet errors are common and have been observed in instances in which errors directly led to losses or bad decisions

  • Most organizations only have informal spreadsheet quality control procedures

  • Many feel that more formal quality controls would be beneficial but don’t know how to efficiently achieve this

    IT research can identify efficient and effective procedures for managing spreadsheet risk by analyzing how companies manage their financial reporting spreadsheets for SOX compliance

Sources of misstatements l.jpg
Sources of Misstatements five years…

  • Errors vs. Fraud

  • Taxonomy of spreadsheet errors (Rajalingham, 2001)

    • Quantitative vs. Qualitative

    • Accidental errors

      • Distinguished by level of intent

    • Developer vs. User committed errors

Spreadsheet risk management l.jpg
Spreadsheet Risk Management five years…

  • PricewaterhouseCoopers and the IT Governance Institute have suggested a 3 stage process

    • Create an inventory of spreadsheets

    • Perform a risk assessment of financial misstatement (potential impact and likelihood)

    • Implement and assess spreadsheet controls for different parties

Life cycle stages where controls are needed l.jpg

Panko, 2005 five years…

Life Cycle Stages Where Controls Are Needed

Panko (2006) proposed a control framework to help organizations produce accurate financial reports

Examples of spreadsheet controls l.jpg
Examples of Spreadsheet Controls five years…

  • Change Control

    • Maintain a process for requesting changes to a spreadsheet, making changes, testing and obtaining formal sign-off from an independent individual that the change is functioning appropriately

  • Version Control

    • Ensure only current and approved versions of spreadsheets are being used by creating naming conventions, directory structures and access control

  • Input Control

    • Ensure that data is input completely and accurately and that it is current and secure

  • Documentation

    • Ensure that it is up-to-date and communicates the business objective and specific functions of the spreadsheet

Organizational parties in the operating model l.jpg
Organizational Parties in the Operating Model five years…

  • Spreadsheet owners

    • Developers

    • End-users

  • Information Technology division

  • Business users

  • Internal Auditors

  • Spreadsheet review groups

Example of current it research l.jpg
Example of Current IT Research five years…

  • Preventive Controls:

    • Accountability Issue: What type of training is most effective and efficient for organizations?

    • IT Research Question:

      • What design principles and best practices reduce errors created by developers? By users?

      • How does the cognitive load associated with formal spreadsheet design differ between formal system developers and end-users?

      • How does the design method impact the type of training that needs to be implemented?

Preventing user generated errors l.jpg
Preventing User Generated Errors five years…

  • Ensuring Correct Data Input

    • Excel’s Data Validation menu option

    • ActiveX controls

    • Worksheet protection and Event handlers

  • Documentation

    • Specify business objective and specific functions and sections of spreadsheet model

    • Label input assumptions and outputs clearly

    • Use range names

Detective controls l.jpg
Detective Controls five years…

  • Powell et. al. (2008): An Auditing Protocol for Spreadsheet Models. Information Management 5, pp.312-320

  • Testing known values (individually/group)

  • Use Excel’s Formula Auditing tools

  • Use cross-footing techniques

  • Use visualization heuristics

  • Use commercial auditing software such as Spreadsheet Advantage or Spreadsheet Professional

  • Track changes to spreadsheet