i-nth logo


Clifford Coon


With the prevalence of spreadsheets in the workplace, internal auditors can help organizations identify the controls available in spreadsheet applications to facilitate data accuracy and compliance with Sarbanes-Oxley's Section 404.


Internal auditors need to work with IT staff to ensure spreadsheet processing is performed by applications that are subject to IT control processes, such as:

  • Establishing a spreadsheet inventory. This creates a starting point for auditors to know which spreadsheets are in use so they can start to evaluate the effectiveness of the application's built-in controls.
  • Assessing and classifying a spreadsheet's use and complexity. This identifies the effect spreadsheets have on financial reports.
  • Documenting spreadsheet relationships to specific risks and key controls. This step is necessary to link specific spreadsheets to significant financial statements per Sarbanes-Oxley Section 404 requirements.
  • Documenting internal spreadsheet standards. This involves setting, communicating, and monitoring the spreadsheet's use policy for financial reports.
  • Using control features built into the spreadsheet software.
  • Monitoring the spreadsheet's level of internal controls. This includes reconciling the spreadsheet's transaction activities, such as spreadsheet data entries in final spreadsheets, to ensure accuracy.
  • Retaining final spreadsheet copies used in quarterly and annual financial statements for record retention requirements.


2005, IT Audit, Volume 8, 1 July

Full article

Ensuring spreadsheet accuracy in the Sarbanes-Oxley era