|Title||Sarbanes-Oxley: What about all the spreadsheets?|
|Authors||Raymond R. Panko & Nicholas Ordway|
The Sarbanes-Oxley Act of 2002 has finally forced corporations to examine the validity of their spreadsheets. They are beginning to understand the spreadsheet error literature, including what it tells them about the need for comprehensive spreadsheet testing.
However, controlling for fraud will require a completely new set of capabilities, and a great deal of new research will be needed to develop fraud control capabilities.
This paper discusses the riskiness of spreadsheets, which can now be quantified to a considerable degree. It then discusses how to use control frameworks to reduce the dangers created by spreadsheets. It focuses especially on testing, which appears to be the most crucial element in spreadsheet controls.
|Also see||Spreadsheets and Sarbanes-Oxley: Regulations, risks, and control frameworks|
How do real-world companies do testing?
73% of the respondents said that when their firms test spreadsheets of material importance, they test only some cells. In other words, they consider "looking the spreadsheet over" to be testing.
Only 12% said that their firm tested all cells in the spreadsheet, and only 2% said that their firm used both multiple testers and cell-by-cell testing.