Scribd
Upload
42 views11 pages

SOX Spreadsheet Testing Guide

Spreadsheet Testing

Uploaded by

Tejal Mamtora
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
42 views11 pages

SOX Spreadsheet Testing Guide

Spreadsheet Testing

Uploaded by

Tejal Mamtora
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

KEY REPORTS TESTING (HTTPS://A2Q2.

COM/CATEGORY/KEY-REPORTS-TESTING/)

#40 | Spreadsheet Testing for SOX


KIM LE (HTTPS://A2Q2.COM/AUTHOR/KIMLE/) ON JUNE 21, 2016

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
Welcome to spreadsheet testing for SOX. We previously discussed report testing for SOX
(https://www.a2q2.com/blog/sox/sox-system-report-testing/). There’s a difference between
spreadsheets and system reports. We will go over that today and how to scope key
spreadsheets. We will also tell you some other criteria to help you prioritize them. Next we
will show you the steps to test, the sample size and roll forward testing.

Spreadsheet vs. Reports


Scope Key Spreadsheets
Testing Key Spreadsheets
Sample Size & Roll Forward Testing

I suggest you watch the video. It’s easier to understand if you are a visual/audio
learner. The content below is the same as the video. It’s for those who learn by
reading.(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
#40 | Spreadsheet Testing for SOX

Spreadsheet vs. Reports

What’s the difference between a spreadsheet and a report for SOX purposes? System
generated reports that are exported into spreadsheets are not considered spreadsheets.
Those are “reports” and they’re treated differently.

Spreadsheets are actual excel sheets that finance and accounting teams build with
assumptions and often linked to multiple tabs in a workbook. Sometimes, parts of the
spreadsheet come from a report. Then the users build in more criteria by adding in
calculations and link them. That’s what makes spreadsheets often more complex and riskier
than system reports.

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
System generated report exported to excel is not considered a spreadsheet

Scope Key Spreadsheets

We use spreadsheets for so many things but for SOX purposes I want to give you four
criteria to identify only key spreadsheets and focus your efforts.

1. Materiality of the spreadsheet – How key and how much does this spreadsheet impact
the financial statements?

2. Complexity – I know one company that had a workbook with over 60 tabs linked together
that they used for budgeting and forecasting. That’s complex.

3. Spreadsheet is associated with the key control – If it’s not associated with a key
control, likely it’s an important spreadsheet but it’s not considered key for SOX

4. Spreadsheet is used for financial reporting purposes – Some reports are important to
operations, but not financial reports. Here’s an example.

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
We have a spreadsheet that calculates attendance for head count. It may be good to know
how many people are coming and how many people are on time but it doesn’t really impact
your financial statements directly. If you’re tracking attendance, it’s an operational metric that
is excluded for SOX purposes.

Scope key spreadsheet and testing

Testing Key Spreadsheets

The amount of testing that we do depends on whether the spreadsheets are high, medium or
low risk. So if it’s high risk, we test more. If it’s low risk, we test less.

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
Degree of Testing key spreadsheet

High / Tier 1 Key Spreadsheet Testing

Let’s talk about the high risk spreadsheets. If it’s high risk, we would want to test:

1. inputs – agree the spreadsheet inputs to the source documents on a sample basis

2. outputs – look at the formula logic, identify on a sample basis hardcoded, links to the
desktop files, and links to temporary files

3. access – who has access to the spreadsheet? Is it password protected?

4. backup – verify that the spreadsheet is included in the company’s back up of key data.

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
High Tier 1 key spreadsheet testing

Medium / Tier 2 Key Spreadsheet Testing

If you have a medium risk spreadsheet, now we reduce the amount of work which makes
sense. We’re going to test:

1. output

2. access

3. back up

Low / Tier 3 Key Spreadsheet Testing

For low risk spreadsheets, look at who has access to the spreadsheet and back up.

Sample Size and Roll Forward Testing


(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
Because spreadsheets are manual and people-dependent, testing follows the same sample
size guidelines as manual controls. So if the manual control is a high risk process like order-
to-cash or financial close, it may require 25 to 45 samples.

We follow the same roll forward test procedures as manual key controls because of the
same logic. Spreadsheets are people-dependent.

SOX Spreadsheet sample Size and Roll Forward testing

To recap, in this session we covered the following for spreadsheet testing:

Spreadsheet vs. Reports


Scope Key Spreadsheets
Testing Key Spreadsheets
Sample Size & Roll Forward Testing

(https://a2q2.com/)
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
(https://youtu.be/bB_44T6Gbng)

SOX (Https://A2q2.Com/Tag/Sox/)

Latest Posts

#119 | ITGC Shared


Folder Access Review –
Good Documentation

1
(https://a2q2.com/itgc-shared-folder-access-review-good-documentation/)
(https://a2q2.com/itgc-
shared-folder-access-
review-good-
documentation/)
November 28, 2017

#118 | ITGC- System Change (Audit) Log

2
(https://a2q2.com/itgc-system-change-audit-log-review/)
Review (https://a2q2.com/itgc-system-
change-audit-log-review/)
November 21, 2017

#117 | Top 5 Ways to Spend


MORE Time with Auditors

3
(https://a2q2.com/top-5-ways-to-spend-more-time-with-auditors/)
(https://a2q2.com/top-5-ways-to-
November 14, 2017
spend-more-time-with-auditors/)

#116 | ITGC User


Acceptance Testing
(UAT) Approval –

4
Good Documentation
(https://a2q2.com/itgc-user-acceptance-testing-uat-approval-good-
(https://a2q2.com/itgc-
user-acceptance-
testing-uat-approval-
good-documentation/)
documentation/)
(https://a2q2.com/) November 7, 2017
(https://a2q2.com/sox-system-report- Menu
(https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)
#115 | Deferred Revenue
Reclassification Report in
NetSuite
5
NetSuite
(https://a2q2.com/deferred-revenue-reclassification-report-netsuite/) (https://a2q2.com/deferred-
revenue-reclassification-report-
netsuite/)
October 31, 2017

Auditing Standard 5 (Https://A2q2.Com/Tag/Auditing-Standard-5/)

CEO & CFO Certifications (Https://A2q2.Com/Tag/Ceo-Cfo-Certifications/)

Data Migration (Https://A2q2.Com/Tag/Data-Migration/) ERP Implementation (Https://A2q2.Com/Tag/Erp-Implementation/)

Internal Controls (Https://A2q2.Com/Tag/Internal-Controls/) Journal Entries (Https://A2q2.Com/Tag/Journal-Entries/)

NetSuite (Https://A2q2.Com/Tag/Netsuite/) SOX (Https://A2q2.Com/Tag/Sox/)

Leave a Reply
Your email address will not be published.
Related News

Your Comment

(https://a2q2.com (https://a2q2.com (https://a2q2.co


5-ways-to- user- 2013-part-3-
spend-more- acceptance- mapping-
time-with- testing-uat- process/)
auditors/) approval-good-
documentation/) #93 | COSO 2013
#117 | Top 5 Ways Part 3 – Mapping
Name * E-mail *
to Spend MORE #116 | ITGC User Process
Time with Auditors Acceptance (https://a2q2.com/c
Name
(https://a2q2.com/t Testing (UAT) E-mail oso-2013-part-3-
op-5-ways-to- Approval – Good mapping-process/)
spend-more-time- Documentation
with-auditors/)
Website * (https://a2q2.com/it
gc-user-
acceptance-
(https://a2q2.com/) Website
(https://a2q2.com/sox-system-report- testing-uat- Menu
(https://a2q2.com/netsuite-data-migration-
Share
approval-good-
testing/) process/)
documentation/)
Save my name, email, and website in this browser for the next
time I comment.

Submit Comment

youtube.com/channel/UCF_0Qcp7LwNwbvGz_IbkY-
w.linkedin.com/company/a2q2)

About Useful Links Services Legal

A2Q2 is the Special Ops Home SOX Readiness Terms of Use


team for accounting and
Our Mission SOX 404A Compliance Privacy Policy
finance departments. We
are fearless problem Meet the Team SOX 404B Compliance A2Q2 © 2022
solvers. We specialize in
All rights reserved.
accounting systems and Careers SOX 302 Disclosure
Crafted by Magic On Tap
processes, data analytics, Committee
Contact Us
NetSuite consulting,
Segregation of Duties
internal controls, SOX SOX Glossary
readiness, and SOX Transaction Matching &
compliance. Data Analytics

(https://a2q2.com/sox-system-report- (https://a2q2.com/netsuite-data-migration-
Share
testing/) process/)

You might also like