How to Validate Excel for SOX (Sarbanes & Oxley)

[Guest]

I'm in the middle of a SOX audit and one of the issues that came up was Excel
reports used for journal entries in our ERP. We were told that we will need
to validate Excel in order to use our spreadsheets and also be in compliance
with SOX. I can think of a few things to do, but any help would be greatly
appreciated.
Can Excel be validated?
My thoughts:
1. lock the formulas
2. Restrict Access to cells
3. Password protect
4. Turn tracking on - will this track any changes that is done with formulas
& macros?

Anything anyone can contribute to this would be appreciated.

Dan

 

[Harlan Grove]

I'm in the middle of a SOX audit and one of the issues that came up
was Excel reports used for journal entries in our ERP. We were told
that we will need to validate Excel in order to use our spreadsheets
and also be in compliance with SOX. . . .

....

Shouldn't your auditors be able to provide you with (1) precise
guidance on what validation entails and (2) some practical advice on
what they expect you to do?

From my perspective, validation is NOT the same as protection. I'd

have thought validation means PROVE the workbook(s) produce CORRECT
results by verifying that ALL formulas do what they're supposed to do,
and it wouldn't hurt to document where input data comes from.

 

[JE McGimpsey]

In my (admittedly limited) experience with SOX and XL, I would strongly
recommend getting professional help rather than relying on newsgroup
posts (including this one). You may get some great advice, but
validation will likely be *very* implementation specific.

Many, if not most, of my clients have gone away from using XL for *any*
financial reporting (other than internal management reports), just
because the vulnerabilities are too great, and the penalties for
non-compliance too severe.

Since XL protection is so easily bypassed, you need to have strong
server-level access control for those journal reports to ensure only
those that need access to the workbooks actually have access (and that
there is documentation that they are trained in how to operate them).

 

[Guest]

Thanks JE for the advice. We are considering getting professional help, but
I needed to do some research first on this subject, hence the post. We are
accepting the fact that the vulnerabilities might be too great, but again I'm
researching to make sure I get as much info as possible and not assume
anything.

Thanks again.