
Tutorial 1.3: SOA Spreadsheet Controls

Source: http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/ChecklistsGuidesSOASpreadsheetControlsProceduresandChecklist!OpenDocument

SOA Spreadsheet Controls: Procedures

Financial Statement Impacting Spreadsheets
Spreadsheets and other user-developed programs are often relied upon in the financial reporting process. These end-user computing tools must have additional control procedures applied to them to protect the integrity of the data used in determining financial statement transaction amounts or balances.

The following procedures apply to spreadsheet applications identified in SOA process documentation that are relied upon in determining financial statement transaction amounts or balances. These procedures should be applied to transactions or journal entries having a financial statement impact of $X or more.

Complexity Determination
The complexity level of the spreadsheet determines the appropriate level of controls that should be applied to ensure data integrity.

Low: Spreadsheet lists that are more operational in nature and are used to log or track information.

Moderate: Spreadsheets that perform simple calculations to determine totals or values. These spreadsheets may be used to translate or reformat information for analytical review and analysis that are used in determining journal entry amounts.

High: Spreadsheets containing complex calculations, macros and multiple supporting spreadsheets where cells, values and spreadsheets are linked. These spreadsheets may be used in modeling as well as for analytical review and analysis that are used in determining journal entry amounts.

Access and Change Controls

Access Controls: All spreadsheets should be protected from outside access by standard access controls. Low and Moderate complexity spreadsheets that can be easily recreated can be kept on an individual’s local drive. High complexity spreadsheets should be saved in a secure directory on a file server that is backed up daily.

Change Controls: Changes to data and design logic should be controlled to protect the integrity of the data used in determining financial statement transaction amounts or balances. The level of the controls will vary based on the spreadsheet’s complexity. Change controls include data input controls, recomputing and testing changes.

Data Input Controls: To ensure data is input correctly and completely, the source of the data should be re-verified by both the preparer and the reviewer of the spreadsheet.

Recomputing: The logic for Low and Moderate complexity spreadsheets should be evaluated each time new data is added or changes are made to the spreadsheet. This involves building check totals into the spreadsheet to validate calculations and totals. It also involves reviewing the ranges set up for the calculations and performing reasonableness checks on the calculations.

Testing Changes: Changes to High complexity spreadsheets should be appropriately tested, with the test procedures documented for later independent review.

SOA Spreadsheet Controls: Checklist

Spreadsheet Name: ________________________________________________________________

Purpose of Spreadsheet: _____________________________________________________________

Spreadsheet Developed By:  ___________________________________________________________

Logic Last Updated Date: __XX/XX/XXXX________________________________________________

Data Sources: __G/L report (name) or sources run XX/XX/XXXX_______________________________

Data Input Accuracy Verified: ___XX/XX/XXXX____________________________________________

Complexity Determination: ____________________________________________________________

(low, moderate, or high) – See procedures above for classification.

Access Control: ___Access to this spreadsheet is limited to (various named people or departments) via access control on (drive and directory name)._______________________________________________

Change Control Recomputing: __The logic in this spreadsheet is limited to (various named people or departments) via access control on (drive & directory name).____________________________________

Change Control – Documented Testing: “Not applicable” or “These tests are documented in X location”. See SOA Spreadsheet Procedures (above) for classification.___________________________

Review & Approval: The calculation logic and data input to this spreadsheet have been reviewed and are determined to be materially correct._______________________________________________________

Reviewer Name: _____________________________________________________________________

Review Date: _______________________________________________________________________
