Authors
Raymond R. Panko
Abstract
The Sarbanes–Oxley Act of 2002 (SOX) forced corporations to examine their spreadsheet use in financial reporting.
Corporations do not like what they are seeing. Surveys conducted in response to SOX show that spreadsheets are used widely in corporate financial reporting. Spreadsheet error research, in turn, shows that nearly all large spreadsheets contain multiple errors and that errors of material size are quite common.
The first round of Sarbanes-Oxley assessments confirmed concerns about spreadsheet accuracy. Another concern is spreadsheet fraud, which also exists in practice and is easy to perpetrate. Unfortunately, few organizations maintain effective controls to deal with either errors or fraud.
This paper examines spreadsheet risks for Sarbanes-Oxley (and other regulations) and discusses how general and IT-specific control frameworks can be used to address the control risks created by spreadsheets.
Sample
In answer to the question, "For spreadsheets of material importance used in financial reporting, what percentage does your company test?", 17% of respondents said that their firm tests more than 25% of their material financial spreadsheets, and 16% said that their firm tests nearly all.
These results make it appear that many companies do test their spreadsheets. However, what most respondents call testing appears to be "looking over the spreadsheet," rather than comprehensive cell-by-cell testing.
Only 2% said that they both tested all cells and used multiperson testing, the only method that is likely to be an effective control for spreadsheet errors.
Publication
2006, Communications of the Association for Information Systems, Volume 17, Article 29, May, pages 647–676
Full article
Spreadsheets and Sarbanes-Oxley: Regulations, risks, and control frameworks