SOX and Internal Controls Over Excel Spreadsheets
Marc Engel, CPA, CISA, CFE
Many companies not previously subject to SOX are required to comply in their current fiscal year, including non-accelerated filers and smaller reporting companies. Companies that are already SOX compliant should by now have controls in place for their primary computer systems and applications. However, many of these companies may need to tighten controls over end-user applications such as Excel, which are often used in accounting and finance departments to generate calculations or to support journal entries or business decisions.
Risks involving the use of Excel need to be considered. For example, a controller might use an uncontrolled Excel spreadsheet to track fixed assets. Formulas are not locked, because each new purchase adds a line to the list of fixed assets, and approvals consist of a signature on a hard copy. Or Excel may be used to prepare financial statements and variance analyses; but lack of control over input cells, output cells, formula results, and the different versions of the spreadsheet may cause errors which then appear in the financial statements and the MD&A. Consequently, a lack of proper controls over such applications could result in a finding of a significant deficiency or even a material weakness. If not corrected prior to year end, this might have to be reported as an exception in the annual report.
The good news is that COSO-compliant, effective controls are easily implemented. The five basic areas are: Risk Assessment, Limited Access, Design and Documentation, Change Controls, and Monitoring.