150 likes | 269 Views
Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002). Requires “an effective system of internal control” for financial reporting in publicly-held companies Effective management of spreadsheet risk is required to satisfy the regulation requirements
E N D
Sarbanes-Oxley Act (SOX, 2002) • Requires “an effective system of internal control” for financial reporting in publicly-held companies • Effective management of spreadsheet risk is required to satisfy the regulation requirements • Similar requirements have been made by other regulating agencies (AICPA, NACUBO, FDA)
External audit firms and regulatory bodies over the last five years… • Have become aware of organizations’ exposure to spreadsheet risk • Provided documented guidance that spreadsheet risk management is an area they will be specifically focusing on • Documented that “spreadsheet risk was an issue for which no one in the organization was taking accountability”
Accountability for Spreadsheet Deficiencies • Why is accountability important? • Standard approach to accounting and auditing processes • Who is accountable? • Senior management • A spreadsheet risk management policy that defines effective processes and enacts appropriate monitoring is needed • An operating model that defines further accountability, roles & responsibilities, processes, controls and control standards
Types of Deficiencies • Internal control deficiencies • Significant deficiency • There is more than a remote likelihood that the financial statement will be impacted but not in a material manner • Material deficiency • There are one or more significant deficiencies that results in more than a remote likelihood that a material financial misstatement will not be prevented or detected • 5% misstatement in revenues is the usual threshold for labeling a deficiency as material
Sources of Misstatements • Errors vs. Fraud • Taxonomy of spreadsheet errors (Rajalingham, 2001) • Quantitative vs. Qualitative • Accidental errors • Distinguished by level of intent • Developer vs. User committed errors
Spreadsheet Risk Management • PricewaterhouseCoopers and the IT Governance Institute have suggested a 3 stage process • Create an inventory of spreadsheets • Perform a risk assessment of financial misstatement (potential impact and likelihood) • Implement and assess spreadsheet controls for different parties
Panko, 2005 Types of Controls Required for Accountability Panko (2006) proposed a control framework to help organizations produce accurate financial reports
Examples of Spreadsheet Controls • Change Control • Maintain a process for requesting changes to a spreadsheet, making changes, testing and obtaining formal sign-off from an independent individual that the change is functioning appropriately • Version Control • Ensure only current and approved versions of spreadsheets are being used by creating naming conventions, directory structures and access control • Input Control • Ensure that data is input completely and accurately and that it is current and secure • Documentation • Require that it is up-to-date and communicates the business objective and specific functions of the spreadsheet
Organizational Parties in the Operating Model • Spreadsheet owners • Developers • End-users • Information Technology division • Business users • Internal Auditors • Spreadsheet review groups
Examples of Preventive Controls to Minimize Duplication Errors: • Developers: • Training on design principles • Preplanning requirements • Testing protocol • Users: • Ensure correct data inputs • Excel’s Data Validation menu option • ActiveX controls • Standardize documentation for organization • Train to test for reasonableness
Testing for Reasonableness • Use cross-footing techniques (different sum logics that should come to same total) • Apply your domain knowledge of the problem (e.g. if a discount rate is changed, the NPV result should change) • Enter test cases with known outcomes to verify accuracy (e.g. copy the homework solution for the decision variables into your model to see if you get the same results)
Further Research on Preventive Controls • What type of training should be offered to developers and users by organizations? • What design principles and best practices reduce errors created by developers? • How does the cognitive load associated with formal spreadsheet design differ between developers and users? • How does the design method impact the type of training that needs to be implemented? • Raffensperger (2003) • Panko & Ordway (2005) • Edward, Finlay & Wilson (2000) • Bewig (2003)