This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking Page 1 The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction Many companies rely on spreadsheets as a key tool in their fi nancial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies. In developing and using spreadsheets, companies need to balance their ease and fl exibility against the importance of reliable information for management’s use. The requirements under Section 404 of the Sarbanes-Oxley Act increase the focus on controls related to the development and maintenance of spreadsheets. This paper discusses the evaluation of the control environment and specifi c control activities that should be considered by management in evaluating the use of signifi cant spreadsheets as part of their 404 process. As users of spreadsheet applications such as Microsoft Excel ® or Lotus 1-2-3 ® have become more sophisticated, so have spreadsheets. Once used to support simple functions such as logging, tracking and totaling information, spreadsheets with enhanced formulas and built-in advanced features are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated—and sometimes convoluted—models and other business functions with minimal or no documentation. In addition, these complex spreadsheets are not normally supported by the same control environment as formally-developed, purchased applications. For example, the developers and users of spreadsheets are usually not trained in structured programming, testing, version control or systems development life cycles, and spreadsheets are rarely restricted from unauthorized access by security controls. Background Spreadsheets typically have a wide range of complexity and usage. It is important to separate the complexity and usage issues, as the control requirements may be different for a complex spreadsheet used by one person with specifi c expertise than for a spreadsheet used and modifi ed by many people. Whatever the situation, companies need to carefully evaluate if it is possible to implement adequate controls over the spreadsheets supporting signifi cant accounts and disclosures. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their fi nancial results. Recently, several large companies have either publicly disclosed control defi ciencies or been publicly censured by regulators related to insuffi cient spreadsheet controls....
View Full Document
- Spring '08
- Sarbanes–Oxley Act, PricewaterhouseCoopers LLP