Spreadsheet Policies and Procedures

Example Spreadsheet Policy
Purpose:
This policy pertains to the entire population of desktop financial applications (Excel, Access
databases, Lotus, etc.) and any other user developed/maintained financial applications or tools
outside of the Company's general information technology control environment. These financial
applications and tools will collectively be referred to as "Spreadsheets" in this policy document.
This policy requires the user of Spreadsheets to implement and maintain internal controls over
Spreadsheets commensurate with their specific use, financial significance of the account or
process with which the Spreadsheet is associated and its complexity. Each Significant
Spreadsheet (defined below) must be assigned an owner accountable for the control standards.
Overview:
Spreadsheets are integral components of the Company’s information and decision-making
framework currently supporting financial and business operations. This has come about due to the
ease, flexibility and efficiency with which spreadsheets have empowered end-users to meet a
broad array of business requirements without requiring involvement of the traditional IT
organizations.
The uses of Spreadsheets can generally be split into the following three categories:
• Financial Reporting -- Spreadsheets used to directly determine financial statement
transaction amounts or balances which are subsequently posted to the general ledger,
create or support the financial reports and disclosures, or act as a key control within the
financial reporting process, e.g. balancing and/or reconciliation of significant accounts.
• Analytical -- Spreadsheets used to support Management's decision-making process.
• Operational -- Spreadsheets used to facilitate tracking and monitoring of workflow to
support operational processes, such as listing of open claims, unpaid invoices or other
information.
The Control Standards defined in this policy will be required for all significant Spreadsheets
(defined below) and are strongly recommended for all other Spreadsheets.
Identification of Significant Spreadsheets:
Determining significance requires management's judgment and typically involves a risk
assessment of both quantitative and qualitative factors. A significant Spreadsheet is a key
spreadsheet within the financial reporting process with a heightened level of complexity. Key
Spreadsheets are those Spreadsheets that:
A) Directly impact or provide support in the initiation, authorization, recording, processing
and reporting of financial transactions and disclosures; and
B) Directly impact or provide support in those financial reporting processes that are in scope; and
C) Control break-downs within the Spreadsheet could give rise to a greater than remote
likelihood of a misstatement in financial statements that is more than inconsequential.
Spreadsheets with a heightened level of complexity are those spreadsheets that are:
A) Complex Computational Models used to calculate financial statement amounts using formulas
and based upon a number of inputs (e.g., reserves, valuations, etc.); or
B) Systems of record used as an ‘application’ system to record and process transactions; or
C) Transporters of Data used as a type of ‘middleware’ to transport transactional or financial data
between systems, between individuals, or between systems and individuals (e.g., used to ‘upload’
transaction data into the General Ledger). [If the sub-systems are independently reconciled to the
general ledger then this may be viewed as lower/moderate risk].
Examples of Spreadsheets where a heightened level of complexity is not present:
• Summation/Basic Mathematics. Used to perform basic add-ups and calculations of
numbers as part of a process.
• Presentation. Used to display information, graphically or in various reporting formats, for
management review and analysis (e.g., to facilitate tracking, reporting and monitoring of
results of financial or operational activity);
• Data Repository. Used as a type of ‘database’ to store data (e.g., used to store customer
details, name, address, etc.); and
• Decision Support. Used to support analytical review and management decision-making
(e.g., to calculate rates and determine if a rate is above or below fair market value).
Spreadsheet Controls:
This policy addresses two categories of controls for Spreadsheets, depending on the use,
significance, complexity and management's overall risk assessment of the Spreadsheet:
1. Control Standards - these controls, similar to those in place within our general information
system control environment are encouraged for all Spreadsheets and are required for all
Significant Spreadsheets based on management's overall assessment as follows:
Management's Overall Risk Assessment of Material Error | Control Standards Required
High | 1. Input/Output Validation Controls; 2. Version/Logic Documentation; 3. Restricted Access; 4. Data/Security Integrity Controls; 5. Change Controls & Testing
Low | 1, 2, & 3 above
Minimal | N/A - Significant Spreadsheets are considered at least low risk.
2. Best Practice Guidelines - encouraged for Significant Spreadsheets and all other Spreadsheets.
Control Standards:
1. Input/Output Validation -- Spreadsheets should have built-in, documented controls for
ensuring that data is input completely and accurately, either manually or by system
interfaces, by performing tests such as reconciliations, batch totals, and using formulas to
foot and cross foot totals. Printing out the Spreadsheet's input cells and reviewing for
accuracy can effectively validate data. A Spreadsheet user's output validation controls
may include multi-period comparative analytical reviews of account balances generated
from the Spreadsheet with any unusual or unexpected fluctuations investigated,
corroborated and documented.
2. Version/Logic Documentation -- Spreadsheets should include a documentation sheet
that identifies its purpose, name, location, owner, version, date last modified, description
of its logic and fundamental calculations/results, operating instructions and summary
description of built in controls. For each hard copy printing, standard headers and footers
should be used that identify the current name, version, date and time.
3. Restricted Access -- Spreadsheets should be placed on a secured corporate server, as
opposed to a personal hard drive, and access to the Spreadsheet should be restricted to
only those individuals with a legitimate business need to access the file. Spreadsheets
may also be password protected to provide additional security for high risk or sensitive
contents.
4. Data/Security Integrity -- Spreadsheets should lock and protect all key cells that
calculate, summarize or contain a formula that should not change. This also applies to
any standard data that is utilized in the current calculations.
5. Change Controls and Testing -- Changes to Spreadsheet logic should be separately
logged, described, tested and documented. The change log should describe why it was
changed, what was changed, and it should reference the version number of the current
Spreadsheet. With each significant logic or formula change, the Spreadsheet should be
tested and a formal sign-off obtained from an independent individual, documenting that the
change in logic is functioning as intended, before moving it into production.
Additional Spreadsheet Guidelines:
Structure/Design
1. Separate inputs from calculations and results. Separating inputs, calculations and results, either
on the same Spreadsheet, or on multiple Spreadsheets makes it easier to understand and reduces
the risk that inputs are overlooked or that calculations are over-written with data.
2. Separate the data input areas into two sections: data you change regularly and data you change
irregularly. Use colors or shading for cells that contain data input. The input area should not
contain formulas.
3. When using the sum function ensure that the range to be summed always contains a blank cell
at either end of the range. This ensures that when rows or columns are added, the formula
maintains its integrity.
4. When a critical value is contained in a formula in one or more cells (e.g. interest or tax rate),
put it in a separate cell and refer to this cell in the formula.
5. Try to avoid complex formulae. Break complex formulae into smaller components to make it
easier to understand, change or edit.
6. Use each column for the same purpose throughout the Spreadsheet. Spreadsheets should have
a consistent layout.
7. Use only one formula for each row or column. This will result in quicker development, more
effective testing and better documentation.
Training
8. Managers should ensure that all Spreadsheet users attend a training course covering both the
basic and moderately advanced control functions addressed in the Standards and Additional
Guidelines set forth in this policy.
General
9. Keep a catalog of Spreadsheets in use in your department. At a minimum, a catalog of
Significant Spreadsheets should be kept and updated regularly.
10. Develop a consistent Spreadsheet naming convention for each department. Every time you
change the logic of a Spreadsheet, change the name to reflect the change and remember to keep a
copy of at least the prior two versions for backup.
11. Prior to using a Spreadsheet to develop a new highly complex financial calculation
application, engage the IT department to discuss and evaluate the merits of developing your new
tool in an application system with a more formalized information technology control
environment.