Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002) Requires “an effective system of internal control” for financial reporting in publicly- held companies.

Published byAubrey Scot Dickerson Modified over 8 years ago

Similar presentations

Presentation on theme: "Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002) Requires “an effective system of internal control” for financial reporting in publicly- held companies."— Presentation transcript:

1 Spreadsheet Management

2 Sarbanes-Oxley Act (SOX, 2002) Requires “an effective system of internal control” for financial reporting in publicly- held companies Effective management of spreadsheet risk is required to satisfy the regulation requirements Similar requirements have been made by other regulating agencies (AICPA, NACUBO, FDA)

3 External audit firms and regulatory bodies over the last five years… Have become aware of organizations’ exposure to spreadsheet risk Provided documented guidance that spreadsheet risk management is an area they will be specifically focusing on Documented that “spreadsheet risk was an issue for which no one in the organization was taking accountability”

4 10-K Deficiency Filings 113 10-Ks reported SOX material weaknesses for inadequate internal control of spreadsheets between 2004 and mid-2008. 42 weaknesses associated with inadequate review processes 41 weaknesses with inadequate access controls 27 weaknesses with inadequate change management controls 22 weaknesses with lack of data integrity controls 9 weaknesses with inadequate spreadsheet testing 50 10-Ks cited with general lack of effective controls

5 Accountability for Spreadsheet Deficiencies Why is accountability important? Standard approach to accounting and auditing processes Who is accountable? Senior management A spreadsheet risk management policy that defines effective processes and enacts appropriate monitoring is needed An operating model that defines further accountability, roles & responsibilities, processes, controls and control standards

6 Field Interviews with Senior Managers by Caulkins et. al. (2007) report that Spreadsheet errors are common and have been observed in instances in which errors directly led to losses or bad decisions Most organizations only have informal spreadsheet quality control procedures Many feel that more formal quality controls would be beneficial but don’t know how to efficiently achieve this IT research can identify efficient and effective procedures for managing spreadsheet risk by analyzing how companies manage their financial reporting spreadsheets for SOX compliance

7 Sources of Misstatements Errors vs. Fraud Taxonomy of spreadsheet errors (Rajalingham, 2001) Quantitative vs. Qualitative Accidental errors Distinguished by level of intent Developer vs. User committed errors

8 Spreadsheet Risk Management PricewaterhouseCoopers and the IT Governance Institute have suggested a 3 stage process Create an inventory of spreadsheets Perform a risk assessment of financial misstatement (potential impact and likelihood) Implement and assess spreadsheet controls for different parties

9 Life Cycle Stages Where Controls Are Needed Panko, 2005 Examples Preventive ControlsDetective ControlsCorrective Controls Formal software engineering approaches such as SDLC- based methods Auditing protocols Change controls Version controls Panko (2006) proposed a control framework to help organizations produce accurate financial reports

10 Examples of Spreadsheet Controls Change Control Maintain a process for requesting changes to a spreadsheet, making changes, testing and obtaining formal sign-off from an independent individual that the change is functioning appropriately Version Control Ensure only current and approved versions of spreadsheets are being used by creating naming conventions, directory structures and access control Input Control Ensure that data is input completely and accurately and that it is current and secure Documentation Ensure that it is up-to-date and communicates the business objective and specific functions of the spreadsheet

11 Organizational Parties in the Operating Model Spreadsheet owners Developers End-users Information Technology division Business users Internal Auditors Spreadsheet review groups

12 Oveview of Spreadsheet Management Research Controls for Different Roles Preventive (Formal Development Approaches)Detective (Auditing)Correct- ive Designer End-user (self- designed) Developer (single/ multiple) End-user training; Best practices; Expert-novice differences; Surveys of spreadsheet issues and corporate policies; Effect of teaching design principles on prevention; Graphical approach for reducing errors; Algorithm to capture logic; Web service to manage models; Testing Spreadsheet Accuracy Theory; Risk and control; Applying SDLC to design; Quality control; Training specific design approaches; Testing vs. code review; Discovering spreadsheet structure, Tips for using Excel controls; Organizational quality control procedures; Design strategies to improve usability Framework of risks; Survey of Literature; Testing Spreadsheet Accuracy Theory Testing vs. code review User Organization End-user Heuristics for automatic identification of irregularitiesProposed visualization and auditing tools; Expert-novice differences; Impact of prominence of errors and electronic environment ; Quantifying risk; Factors influenc- ing error detection IT Error prevention techniques; Spreadsheet development life cycle; Review of commercial spreadsheet products; Business intelligence tools to share spreadsheets; Web service to manage models; Survey of spreadsheet issues and corporate policies Keeping track of changes in a spreadsheet Spreadsheet Review Group/Intern al Auditor Error prevention techniques; Spreadsheet development life cycle; Specific tips for Internal Auditors on using Excel controls; Detailed examples of controls and procedures; Broad recommendations for procedures and controls; Spreadsheet testing and Fraud Prevention Controls for Fraud; Auditing protocol; Specific tips for Internal Auditors on using Excel controls; Comprehensive survey of literature; Broad recommendations for procedures and controls; Keeping track of changes; Visualization tools; Visualization techniques for non-modular designs Keeping track of changes; Detailed controls

13 Example of Current IT Research Preventive Controls: Accountability Issue: What type of training is most effective and efficient for organizations? IT Research Question: What design principles and best practices reduce errors created by developers? By users? How does the cognitive load associated with formal spreadsheet design differ between formal system developers and end-users? How does the design method impact the type of training that needs to be implemented?

14 Preventing User Generated Errors Ensuring Correct Data Input Excel’s Data Validation menu option ActiveX controls Worksheet protection and Event handlers Documentation Specify business objective and specific functions and sections of spreadsheet model Label input assumptions and outputs clearly Use range names

15 Detective Controls Powell et. al. (2008): An Auditing Protocol for Spreadsheet Models. Information Management 5, pp.312-320 Testing known values (individually/group) Use Excel’s Formula Auditing tools Use cross-footing techniques Use visualization heuristics Use commercial auditing software such as Spreadsheet Advantage or Spreadsheet Professional Track changes to spreadsheet

Download ppt "Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002) Requires “an effective system of internal control” for financial reporting in publicly- held companies."

Similar presentations

Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Organizational Governance

Organizational Governance
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
QA Programs for Local Health Departments

QA Programs for Local Health Departments
Internal Audit Awareness

Internal Audit Awareness
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.

©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Environmental Management Systems An Overview With Practical Applications.

Environmental Management Systems An Overview With Practical Applications.
…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.

…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.
Spreadsheet Management. Field Interviews with Senior Managers by Caulkins et. al. (2007) report that Spreadsheet errors are common and have been observed.

Spreadsheet Management. Field Interviews with Senior Managers by Caulkins et. al. (2007) report that Spreadsheet errors are common and have been observed.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
ISO General Awareness Training

ISO General Awareness Training
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!

Similar presentations

Ads by Google