#40 | Spreadsheet Testing for SOX

Welcome to spreadsheet testing for SOX. We previously discussed report testing for SOX. There’s a difference between spreadsheets and system reports. We will go over that today and how to scope key spreadsheets. We will also tell you some other criteria to help you prioritize them. Next we will show you the steps to test, the sample size and roll forward testing.
- Spreadsheet vs. Reports
- Scope Key Spreadsheets
- Testing Key Spreadsheets
- Sample Size & Roll Forward Testing
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Spreadsheet vs. Reports
What’s the difference between a spreadsheet and a report for SOX purposes? System generated reports that are exported into spreadsheets are not considered spreadsheets. Those are “reports” and they’re treated differently.
Spreadsheets are actual excel sheets that finance and accounting teams build with assumptions and often linked to multiple tabs in a workbook. Sometimes, parts of the spreadsheet come from a report. Then the users build in more criteria by adding in calculations and link them. That’s what makes spreadsheets often more complex and riskier than system reports.

Scope Key Spreadsheets
We use spreadsheets for so many things but for SOX purposes I want to give you four criteria to identify only key spreadsheets and focus your efforts.
- Materiality of the spreadsheet – How key and how much does this spreadsheet impact the financial statements?
- Complexity – I know one company that had a workbook with over 60 tabs linked together that they used for budgeting and forecasting. That’s complex.
- Spreadsheet is associated with the key control – If it’s not associated with a key control, likely it’s an important spreadsheet but it’s not considered key for SOX
- Spreadsheet is used for financial reporting purposes – Some reports are important to operations, but not financial reports. Here’s an example.
We have a spreadsheet that calculates attendance for head count. It may be good to know how many people are coming and how many people are on time but it doesn’t really impact your financial statements directly. If you’re tracking attendance, it’s an operational metric that is excluded for SOX purposes.

Testing Key Spreadsheets
The amount of testing that we do depends on whether the spreadsheets are high, medium or low risk. So if it’s high risk, we test more. If it’s low risk, we test less.

High / Tier 1 Key Spreadsheet Testing
Let’s talk about the high risk spreadsheets. If it’s high risk, we would want to test:
- inputs – agree the spreadsheet inputs to the source documents on a sample basis
- outputs – look at the formula logic, identify on a sample basis hardcoded, links to the desktop files, and links to temporary files
- access – who has access to the spreadsheet? Is it password protected?
- backup – verify that the spreadsheet is included in the company’s back up of key data.

Medium / Tier 2 Key Spreadsheet Testing
If you have a medium risk spreadsheet, now we reduce the amount of work which makes sense. We’re going to test:
- output
- access
- back up
Low / Tier 3 Key Spreadsheet Testing
For low risk spreadsheets, look at who has access to the spreadsheet and back up.
Sample Size and Roll Forward Testing
Because spreadsheets are manual and people-dependent, testing follows the same sample size guidelines as manual controls. So if the manual control is a high risk process like order-to-cash or financial close, it may require 25 to 45 samples.
We follow the same roll forward test procedures as manual key controls because of the same logic. Spreadsheets are people-dependent.

To recap, in this session we covered the following for spreadsheet testing:
Leave a Reply