EuroSox
From Risk Management to Risk Governance
To meet popular demand, the current rule-based compliance burden of SOX will probably be shifted to a more principle-based approach, as in Europe and other countries. This relaxation places added focus on the particular internal controls that carry the greatest material risk. In addition, companies will be required to provide documentation and support for their high-risk controls.
Spreadsheet Controls (Minimum Standards)

All spreadsheets used to calculate activity or balances in the financial statements are within SOX scope.

There are two widely accepted approaches:

  • Identify particular spreadsheets directly linked to key controls
  • Identify all other spreadsheets used for the financial statements (FS), and evaluate their risk to determine the documentation/testing approach.

The following types of controls should be considered for spreadsheets in scope for testing:

  • Change Control – maintaining a controlled process for requesting changes to a spreadsheet: making the change, testing the spreadsheet, and obtaining a formal sign-off from an independent individual that the change functions as intended
  • Input Control – ensuring that reconciliations occur to confirm that data is input completely and accurately. Data may be input into spreadsheets manually or systematically through downloads; users should be encouraged not to input data manually
  • Locking Control – implementing a process to ensure that data embedded in spreadsheets is current and secure. “Locking” or protecting cells to prevent inadvertent or intentional changes to historical data can achieve this. It is especially important to preserve previous quarterly or annual data so as to secure an audit trail. Additionally, the spreadsheet can be stored in protected directories.
  • Password Control – password-protecting spreadsheets to restrict access
  • Rights Control – limiting access at the file level to spreadsheets on a central server and assigning appropriate rights such as “Read-only”, “Create-only”, “Update-only”, “Delete-only”, etc.
  • Version Control – ensuring only current and approved versions of spreadsheets are being used, by creating naming conventions and directory structures
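As an added example (not EuroSox's own tooling), the Python script below tests two of the controls above on an .xlsx file: Locking Control, by reading the OOXML parts for workbook and worksheet protection markers, and Version Control, against an assumed naming convention of the form <area>_<period>_v<N>_APPROVED.xlsx. The sample workbooks are constructed in memory, so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used in the workbook.xml and sheet*.xml parts of an .xlsx
NS_URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + NS_URI + "}"
# Assumed naming convention for approved versions, e.g. Revenue_2023Q4_v3_APPROVED.xlsx
NAME_RE = re.compile(r"^[A-Za-z]+_\d{4}Q[1-4]_v\d+_APPROVED\.xlsx$")

def build_xlsx(sheet_protected, workbook_protected=False):
    """Construct a minimal .xlsx (zip of OOXML parts) for testing; not Excel-complete."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        wb_prot = '<workbookProtection lockStructure="1"/>' if workbook_protected else ""
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_URI}">{wb_prot}<sheets/></workbook>')
        for i, prot in enumerate(sheet_protected, 1):
            tag = '<sheetProtection sheet="1"/>' if prot else ""
            z.writestr(f"xl/worksheets/sheet{i}.xml",
                       f'<worksheet xmlns="{NS_URI}"><sheetData/>{tag}</worksheet>')
    return buf.getvalue()

def audit_locking(xlsx_bytes):
    """Locking Control: return (workbook_protected, [per-sheet protected flags])."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        wb_prot = wb.find(NS + "workbookProtection") is not None
        parts = sorted(n for n in z.namelist() if n.startswith("xl/worksheets/sheet"))
        sheets = [ET.fromstring(z.read(p)).find(NS + "sheetProtection") is not None
                  for p in parts]
    return wb_prot, sheets

def audit_name(filename):
    """Version Control: does the file name mark an approved, numbered version?"""
    return bool(NAME_RE.match(filename))

def findings(filename, xlsx_bytes):
    """List control exceptions for one in-scope spreadsheet (empty list = clean)."""
    out = []
    if not audit_name(filename):
        out.append("version: file name not in approved naming convention")
    wb_prot, sheets = audit_locking(xlsx_bytes)
    if not wb_prot:
        out.append("locking: workbook structure not protected")
    out += [f"locking: sheet{i} not protected" for i, p in enumerate(sheets, 1) if not p]
    return out

if __name__ == "__main__":  # constructed sample with one unprotected sheet
    print(findings("Revenue_final2.xlsx", build_xlsx([True, False])))
```

Sheet and workbook protection guard against inadvertent edits by users who already have the file open; who may open or modify the file at all is the Rights Control, enforced at the file system or document server.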

Word counting

McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley, did some word counting recently. In particular, he sought out the ratios of the words “risk” and “control” in Basel II, Australia New Zealand 4360, PCAOB Accounting Standard No. 2, and the PCAOB AS5 that supersedes it.

Basel II says “risk” 1,500 times and “control” 67 times; in ANZ 4360, risk won 307 to 7. That’s the way it should be, McCuaig said.

AS5, though an improvement over AS2, mentions risk 168 times, a number dwarfed by the 635 mentions of control.

“I want to reverse that ratio,” he said to the audience gathered at Compliance Week’s 2007 Conference. “I want to have three times as many risks as controls.”

Despite AS5’s good intentions, he said, “We’re overmedicated on control. Maybe the medication will cure us, but we’re vastly overmedicated.”