Internal Controls over Excel and other
User Directed Applications in a SOX
Environment
Marc Engel, CPA, CISA, CBA, CFE
Director, CFO Consulting Partners LLC
mengel@cfoconsultingpartners.com
Marc.engelcpa@gmail.com
973-953-8569
Presented February 4, 2010 to the Litigation
Services Committee of the NYSSCPA
Key Discussion Points
• Topics:
• (1) Overview of Excel risks as part of the risk assessment
• (2) Risks of fraud and errors; best practices to prevent and detect them
• (3) Applying change controls to Excel
Objective: Consider the risks involved in controlling spreadsheets and other user directed applications. Discuss controls that can be easily implemented to meet SOX requirements for risk analysis and for establishing effective controls.
Excel Risks as Part of the Risk Analysis
• Background
• Many companies not previously subject to SOX are required to comply in their current fiscal year.
• This includes non-accelerated filers and smaller reporting companies. Existing companies that are SOX compliant should now be compliant for their primary computer systems and applications.
• However, many of these companies may need to tighten controls over applications such as Excel.
• These are often used in accounting and finance departments to generate calculations or support for journal entries or business decisions.
The Problem: Inherently Weak Controls
• Can anyone give some personal observations of incorrect information caused by Excel use?
• Some of my observations:
– a formula for a financial statement number using a random number generator; no documentation
– budget equaled actual exactly because the preparer copied the budget numbers
– New accountant changed an allocation; Regulator gave MoU.
Risks involving the use of Excel
Consider these examples:
• An Excel spreadsheet to control fixed assets.
• Some risks:
– Formulas are not locked, because each new purchase adds a line to the list of fixed assets.
– Approvals consist of a signature on the hard copy.
• Excel may be used to prepare financial statements and for variance analyses.
• Some risks of inaccurate information:
– Lack of control over input cells, output cells, and formula results
– Different versions of the spreadsheet
– Consolidation worksheets: information downloaded to a standardized workbook, then consolidated at corporate offices
Need for Controls
• Could such errors appear in the financial
statements and the MD&A? Even if totally
innocent, whose responsibility? Consequently,
lack of proper controls over such applications
could result in a finding of a significant
deficiency or even a material weakness. If not
corrected prior to year end, this might have to
be reported as an exception in the annual
report.
Solution Overview
• COSO compliant, effective controls are easily
implemented. Five basic areas to consider are:
– Risk Assessment,
– Limited Access,
– Design and Documentation,
– Change Controls, and
– Monitoring.
Risk Assessment
• Formalized risk assessment is a required element of internal control under COSO. A company could generate a risk threshold for spreadsheets, based on a percentage of its total assets or gross revenue.
• Any spreadsheet generating aggregate entries over that percentage would be deemed critical. So if gross revenue is $500m and the threshold is 0.1% of that, any spreadsheet generating entries of $500k in aggregate over the year would be deemed “critical” and subject to additional controls.
Risk Assessment
• Key steps:
– Inventory all spreadsheets used to generate
journal entries and supporting work papers for
published financial information, and
– measure them in aggregate by type of entry. In
the above fixed asset example, all fixed asset
entries would be aggregated to include the
spreadsheet in the critical spreadsheet group,
rather than excluding it based on many small
individual entries it would generate.
Spreadsheet Inventory
• Spreadsheet inventory should have:
• List of all spreadsheets used for production of financial statements and numbers that support JEs. Include location, owner, main user, frequency of use. (Keep current by requiring all new spreadsheets to be registered.)
• Security inventory with all passwords for all sheets, kept by IT Security. That list unlocks every critical spreadsheet, so it belongs in a restricted, access-logged store rather than in another shared workbook.
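The threshold rule and the inventory above, worked through as an added Python example (this is not code from the slides): it computes the revenue-based threshold, aggregates the year's posted entries per registered spreadsheet by gross amount so that many small fixed-asset entries still add up and offsetting entries do not net to zero, flags the critical sheets, and reports any spreadsheet that posted entries without being registered. The inventory rows, owners, paths and entry amounts are constructed for illustration.

```python
# Added example (not part of the slides): rate spreadsheets against the
# revenue-based threshold. Entries are aggregated per spreadsheet by gross
# (absolute) amount, so a fixed-asset sheet posting many small entries is
# still critical, and offsetting +400k/-400k entries do not net to zero.
from collections import defaultdict


def critical_threshold(gross_revenue: float, pct: float = 0.001) -> float:
    """Slide example: $500m gross revenue at 0.1% gives a $500k threshold."""
    return gross_revenue * pct


def aggregate_by_spreadsheet(entries) -> dict:
    """entries: iterable of (spreadsheet_id, entry_type, amount).
    Sums |amount| per spreadsheet so debits and credits do not cancel."""
    totals = defaultdict(float)
    for sheet_id, _entry_type, amount in entries:
        totals[sheet_id] += abs(amount)
    return dict(totals)


def rate_inventory(inventory, entries, gross_revenue, pct=0.001):
    """Return (rated inventory rows, ids that posted entries but were never registered).
    A registered sheet with no entries is rated with aggregate 0 and is not critical."""
    threshold = critical_threshold(gross_revenue, pct)
    totals = aggregate_by_spreadsheet(entries)
    rated = []
    for row in inventory:
        total = totals.pop(row["id"], 0.0)
        rated.append({**row, "aggregate": total, "critical": total >= threshold})
    return rated, sorted(totals)  # leftovers never made it into the inventory


# Constructed sample inventory (hypothetical ids, owners and paths).
INVENTORY = [
    {"id": "FA-2010", "location": r"\\fin\secure\fixed_assets.xlsx",
     "owner": "controller", "main_user": "fa_clerk", "frequency": "monthly"},
    {"id": "VAR-Q", "location": r"\\fin\secure\variance.xlsx",
     "owner": "fpa_mgr", "main_user": "analyst", "frequency": "quarterly"},
    {"id": "PETTY", "location": r"\\fin\secure\petty_cash.xlsx",
     "owner": "ap_mgr", "main_user": "ap_clerk", "frequency": "weekly"},
]

# Constructed journal entries for the year: (spreadsheet_id, entry_type, amount).
ENTRIES = (
    [("FA-2010", "fixed_asset", 10_000.0)] * 60  # 60 small additions = $600k
    + [("VAR-Q", "accrual", 400_000.0), ("VAR-Q", "accrual", -400_000.0)]
    + [("PETTY", "expense", 50_000.0)]
    + [("FA-OLD", "fixed_asset", 25_000.0)]  # posted from an unregistered sheet
)

if __name__ == "__main__":
    rated, unregistered = rate_inventory(INVENTORY, ENTRIES, 500_000_000)
    for row in rated:
        flag = "CRITICAL" if row["critical"] else ""
        print(f'{row["id"]:8} {row["aggregate"]:>12,.0f} {flag}')
    print("unregistered:", unregistered)
```

Gross rather than net aggregation is a deliberate choice here: a sheet that books a $400k accrual and its reversal has the same exposure as one that books $800k once, and netting would drop it below the threshold. The unregistered list is the detective side of the "all new spreadsheets must be registered" rule.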
Control Attributes
• Each spreadsheet’s purpose, frequency of
being run, and formulas should be
documented and explained on a separate tab
in the workbook.
• Passwords should be backed up separately so
if the password keeper leaves or forgets, the
company still can unlock the spreadsheet.
• All superseded versions should be removed
from the production folders.
Design and Documentation
Good spreadsheet design makes a spreadsheet reliable, without constant testing or risk of error.
Key points are:
• Range control, formula control, and password protection.
• Range control entails setting up input areas so that formulas do not need to be revised whenever data is added. This is done by
– putting formulas on a separate sheet in the workbook;
– putting them at the top of the page and adding data underneath;
– controlling input via Excel’s Forms functionality.
Design and Documentation
Formula controls:
• Formulas are locked and password protected so the user cannot change them. Only specific input areas are unlocked for the user.
• Formulas should be color coded to be easily recognizable. Color coding conventions (standards) should be included in the company’s procedures for designing spreadsheets.
– Excel 2007 provides cell styles for different cell types, such as calculation, input, output, and others, on the Home ribbon.
• Sheet protection only stops changes made through Excel’s own interface; the password is not encryption, and the file’s contents remain editable by other means. Treat it as a guard against accidental change, and rely on the folder access restrictions and change controls covered later for enforcement.
• Best practice designs
– Use one spreadsheet for a particular purpose so a new version each month (or quarter) is not needed.
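A way to verify the formula-lock design above across the production folder, as an added example (not from the slides and not a Microsoft tool): an .xlsx file is a zip of XML parts, so a standard-library Python checker can read the cell styles to learn which style indices unlock a cell, then report per worksheet whether sheet protection is on, whether its password uses the legacy 16-bit hash or the SHA-512 form, and which cells are unlocked. An unlocked cell that holds a formula is a finding. The sample package is constructed inline with only the parts the checker reads and placeholder hash values, so it is not a workbook Excel would open.

```python
# Added example (not part of the slides): audit an .xlsx for the formula-lock
# design, using only the standard library. Reads styles.xml to find unlocked
# style indices, then each worksheet's protection state and unlocked cells.
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}


def unlocked_style_ids(styles_xml: bytes) -> set:
    """Indices into <cellXfs> whose <protection locked="0"/> unlocks the cell.
    Cells are locked by default, so a style without that element stays locked."""
    root = ET.fromstring(styles_xml)
    xfs = root.find("m:cellXfs", NS)
    ids = set()
    for i, xf in enumerate(xfs.findall("m:xf", NS) if xfs is not None else []):
        prot = xf.find("m:protection", NS)
        if prot is not None and prot.get("locked") == "0":
            ids.add(i)
    return ids


def audit_sheet(sheet_xml: bytes, unlocked: set) -> dict:
    """Protection state of one worksheet plus its unlocked cells, split formula/input."""
    root = ET.fromstring(sheet_xml)
    prot = root.find("m:sheetProtection", NS)
    result = {
        "protected": prot is not None,
        # legacy 'password' attribute is a 16-bit hash; newer files carry
        # algorithmName/hashValue/saltValue/spinCount instead
        "legacy_password": prot is not None and prot.get("password") is not None,
        "input_cells": [],
        "unlocked_formulas": [],
    }
    for c in root.iter(f"{{{MAIN}}}c"):
        if int(c.get("s", "0")) not in unlocked:
            continue  # locked cell: nothing to report
        key = "unlocked_formulas" if c.find("m:f", NS) is not None else "input_cells"
        result[key].append(c.get("r"))
    return result


def audit_workbook(xlsx_bytes: bytes) -> dict:
    """Audit every worksheet part in the package, keyed by part name."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        unlocked = unlocked_style_ids(z.read("xl/styles.xml"))
        return {
            name: audit_sheet(z.read(name), unlocked)
            for name in sorted(z.namelist())
            if name.startswith("xl/worksheets/sheet") and name.endswith(".xml")
        }


def violations(findings: dict) -> list:
    """The exceptions a reviewer would write up against the design rules."""
    out = []
    for part, f in findings.items():
        if not f["protected"]:
            out.append(f"{part}: sheet protection is off")
        elif f["legacy_password"]:
            out.append(f"{part}: legacy 16-bit protection password")
        for ref in f["unlocked_formulas"]:
            out.append(f"{part}: formula cell {ref} is unlocked")
    return out


# Constructed sample package holding only the parts the checker reads (not a
# complete workbook Excel would open). Style 0 = default locked, style 1 = unlocked.
STYLES = f"""<styleSheet xmlns="{MAIN}"><cellXfs count="2">
<xf numFmtId="0" fontId="0" fillId="0" borderId="0" xfId="0"/>
<xf numFmtId="0" fontId="0" fillId="0" borderId="0" xfId="0" applyProtection="1">
<protection locked="0"/></xf></cellXfs></styleSheet>"""

# Sheet 1 follows the slide: input A1 unlocked, formula B1 locked, SHA-512
# protection (hash and salt values are placeholders, not real digests).
SHEET_OK = f"""<worksheet xmlns="{MAIN}"><sheetData><row r="1">
<c r="A1" s="1"><v>1000</v></c><c r="B1"><f>A1*0.2</f><v>200</v></c>
</row></sheetData><sheetProtection algorithmName="SHA-512" hashValue="AAA="
 saltValue="BBB=" spinCount="100000" sheet="1"/></worksheet>"""

# Sheet 2 is the fixed-asset list from the slide: legacy password and a
# formula in C1 left unlocked so the preparer can overwrite it.
SHEET_BAD = f"""<worksheet xmlns="{MAIN}"><sheetData><row r="1">
<c r="A1" s="1"><v>5000</v></c><c r="B1" s="1"><v>5</v></c>
<c r="C1" s="1"><f>A1/B1</f><v>1000</v></c>
</row></sheetData><sheetProtection password="CC1A" sheet="1"/></worksheet>"""


def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/styles.xml", STYLES)
        z.writestr("xl/worksheets/sheet1.xml", SHEET_OK)
        z.writestr("xl/worksheets/sheet2.xml", SHEET_BAD)
    return buf.getvalue()


if __name__ == "__main__":
    for line in violations(audit_workbook(build_sample())):
        print(line)
```

Because the check reads the file format directly rather than asking Excel, it works as a scheduled detective control over the secure folder whether or not anyone opens the workbook, and it catches the case the slide warns about: a fixed-asset sheet whose formulas were left unlocked so new rows could be added.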
Limited Access
• The company should set up a secure directory
or folder. The network administrator limits
access to
– specific profiles of staff needing access to perform
their duties.
– Other staff members are excluded.
Limited Access
• Quick connections to external data
• In Office Excel 2007, you no longer need to know the server or database names of corporate data sources. Instead, you can use Quick Launch to select from a list of data sources that your administrator or workgroup expert has made available for you. A connection manager in Excel allows you to view all connections in a workbook and makes it easier to reuse a connection or to substitute one connection for another. (Excel online documentation.) Using these features makes a controlled download process straightforward to enforce and to document.
• Connection definitions can also carry a saved password in the connection string. Leave that option off and use integrated Windows authentication, so the workbook never becomes a credential store.
Monitoring
• Enforcing segregation of duties
– i.e. a single individual should not have rights to both prepare and enter an entire transaction.
• There must be an audit trail to document the review of entries. A checklist should be used and approved, to prove that all needed spreadsheets were updated timely.
• Mandatory (off-premises) vacation rules, so that spreadsheets are periodically updated by other staff and any override of controls surfaces.
Monitoring
• Management can monitor spreadsheet
activity since:
– All spreadsheets to prepare FS or supporting info
are inventoried, aggregated as to FS impact, risk
rated, and all critical spreadsheets are secured.
– Mid management knows which are the key
spreadsheets and can enforce controls over
spreadsheets.
– Spreadsheets are password protected and the
passwords are kept by IT security.
Change Controls
Possibly contentious but consider:
How would you feel about the IT staff revising
your software just on the programmer’s
approval?
Same concept applies to your finance dept staff
changing critical spreadsheets with no
approval.
Change Controls
Change controls block unauthorized changes, verify the accuracy of changes to the spreadsheet, and enforce version control. Naming conventions lower the risk of using a superseded version.
Granted, most spreadsheets will initially be designed by the owner/user. Nevertheless, once a spreadsheet has been designed properly, it should be password protected so that the designer/user cannot make changes.
Changes should be performed in a test folder set up for this purpose and kept out of the production folders. A second person tests the spreadsheet with a pre-approved test set. The final version is forwarded to the approver, who password protects it, records the new version in the inventory, and posts it to the secure folder.
Questions?
Any questions can be addressed to:
• Marc Engel, CPA, CISA, CFE
Director, CFO Consulting Partners LLC
mengel@cfoconsultingpartners.com
• Marc.engelcpa@gmail.com
973-953-8569
