Example Spreadsheet Policy Purpose: This policy pertains to the entire population of desktop financial applications (Excel, Access databases, Lotus, etc.) and any other user developed/maintained financial applications or tools outside of the Company's general information technology control environment. These financial applications and tools will collectively be referred to as "Spreadsheets" in this policy document. This policy requires the user of Spreadsheets to implement and maintain internal controls over Spreadsheets commensurate with their specific use, financial significance of the account or process with which the Spreadsheet is associated and its complexity. Each Significant Spreadsheet (defined below) must be assigned an owner accountable for the control standards. Overview: Spreadsheets are integral components of the Company’s information and decision-making framework currently supporting financial and business operations. This has come about due to the ease, flexibility and efficiency with which spreadsheets have empowered end-users to meet a broad array of business requirements without requiring involvement of the traditional IT organizations. The uses of Spreadsheets can generally be split into the following three categories: Financial Reporting--Spreadsheets used to directly determine financial statement transaction amounts or balances which are subsequently posted to the general ledger, create or support the financial reports and disclosures, or act as a key control within the financial reporting process, e.g. balancing and or reconciliation of significant accounts. Analytical--Spreadsheets used to support Management's decision making process. Operational-- Spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as listing of open claims, unpaid invoices or other information. The Control Standards defined in this policy will be required for all significant Spreadsheets (defined below) and are strongly recommended for all other Spreadsheets. Identification of Significant Spreadsheets: Determining significance requires management's judgment and typically involves a risk assessment of both quantitative and qualitative factors. A significant Spreadsheet is a key spreadsheet within the financial reporting process with a heightened level of complexity. Key Spreadsheets are those Spreadsheets that: A) Directly impact or provide support in the initiation, authorization, recording, processing and reporting of financial transactions and disclosures; and B) Directly impact or provide support in those financial reporting processes that are in scope; and C) Control break-downs within the Spreadsheet could give rise to a greater than remote likelihood of a misstatement in financial statements that is more than inconsequential. Spreadsheets with a heightened level of complexity are those spreadsheets that are: Example Spreadsheet Policy A) Complex Computational Models used to calculate financial statement amounts using formulas and based upon a number of inputs (e.g., reserves, valuations, etc); or B) Systems of record used as an ‘application’ system to record and process transactions; or C) Transporters of Data used as a type of ‘middleware’ to transport transactional or financial data between systems, between individuals, or between systems and individuals (e.g., used to ‘upload’ transaction data into the General Ledger). [If the sub-systems are independently reconciled to the general ledger then this may be viewed as lower/moderate risk]. Examples of Spreadsheets where a heightened level of complexity is not present: Summation/Basic Mathematics. Used to perform basic add-ups and calculations of numbers as part of a process. Presentation. Used to display information, graphically or in various reporting formats, for management review and analysis (e.g., to facilitate tracking, reporting and monitoring of results of financial or operational activity); Data Repository. Used as a type of ‘database’ to store data (e.g., used to store customer details, name, address, etc.); and Decision Support. Used to support analytical review and management decision-making (e.g., to calculate rates and determine if a rate is above or below fair market value). Example Spreadsheet Policy Spreadsheet Controls: This policy addresses two categories of controls for Spreadsheets, depending on the use, significance, complexity and management's overall risk assessment of the Spreadsheet: 1. Control Standards - these controls, similar to those in place within our general information system control environment are encouraged for all Spreadsheets and are required for all Significant Spreadsheets based on management's overall assessment as follows: Management's Overall Risk Assessment of Material Error High Low Minimal Control Standards Required 1. Input/Output Validation Controls 2. Version/Logic Documentation 3. Restricted Access 4. Data/Security Integrity Controls 5. Change Controls & Testing 1,2, & 3 Above N/A - Significant Spreadsheets are considered at least low risk. 2. Best Practice Guidelines - encouraged for Significant Spreadsheets and all other Spreadsheets. Controls Standards: 1. Input/Output Validation --Spreadsheets should have built-in, documented controls for ensuring that data is input completely and accurately, either manually or by system interfaces, by performing tests such as reconciliations, batch totals, and using formulas to foot and cross foot totals. Printing out the Spreadsheets input cells and reviewing for accuracy can effectively validate data. A Spreadsheet user's output validation controls may include multi-period comparative analytical reviews of account balances generated from the Spreadsheet with any unusual or unexpected fluctuations investigated, corroborated and documented. 2. Version/Logic Documentation -- Spreadsheets should include a documentation sheet that identifies its purpose, name, location, owner, version, date last modified, description of its logic and fundamental calculations/results, operating instructions and summary description of built in controls. For each hard copy printing, standard headers and footers should be used that identify the current name, version, date and time. 3. Restricted Access--Spreadsheets should be placed on a secured corporate server, as opposed to a personal hard drive, and access to the Spreadsheet should be restricted to only those individuals with a legitimate business need to access the file. Spreadsheets may also be password protected to provide additional security for high risk or sensitive contents. 4. Data/Security Integrity -- Spreadsheets should lock and protect all key cells that calculate, summarize or contain a formula that should not change. This also applies to any standard data that is utilized in the current calculations. 5. Change Controls and Testing -- Changes to Spreadsheet logic should be separately logged, described, tested and documented. The change log should describe why it was changed, what was changed, and it should reference the version number of the current Example Spreadsheet Policy Spreadsheet. With each significant logic or formula change, the Spreadsheet should be tested and a formal sign-off by an independent individual documenting that the change in logic is functioning as intended before moving it into production. Additional Spreadsheet Guidelines: Structure/Design 1. Separate inputs from calculations and results. Separating inputs, calculations and results, either on the same Spreadsheet, or on multiple Spreadsheets makes it easier to understand and reduces the risk that inputs are overlooked or that calculations are over-written with data. 2. Separate the data input areas into two sections: data you change regularly and data you change irregularly. Use colors or shading cells that contain data input. Input area should not contain formulas. 3. When using the sum function ensure that the range to be summed always contains a blank cell at either end of the range. This ensures that when rows or columns are added, the formula maintains its integrity. 4. When a critical value is contained in a formula in one or more cells (e.g. interest or tax rate), put it in a separate cell and refer to this cell in the formula. 5. Try to avoid complex formulae. Break complex formulae into smaller components to make it easier to understand, change or edit. 6. Use each column for the same purpose throughout the Spreadsheet. Spreadsheets should have a consistent layout. 7. Use only one formula for each row or column. This will result in quicker development, more effective testing and better documentation. Training 8. Mangers should ensure that all Spreadsheet users attend a training course covering both the basic and moderately advanced control functions addressed in the Standards and Additional Guidelines set forth in this policy. Example Spreadsheet Policy General 9. Keep a catalog of Spreadsheets in use in your department. At a minimum, a catalog of Significant Spreadsheets should be kept and updated regularly. 10. Develop a consistent Spreadsheet naming convention for each department. Every time you change the logic of a Spreadsheet, change the name to reflect the change and remember to keep a copy of at least the prior two versions for backup. 11. Prior to using a Spreadsheet to develop a new highly complex financial calculation application, engage the IT department to discuss and evaluate the merits of developing your new tool in an application system with a more formalized information technology control environment.