
SOX Compliance & End User Applications

August 12, 2022

What is SOX?

The Sarbanes-Oxley Act of 2002 (SOX or Sarbox) became public law on July 30th, 2002, as a result of the early 2000s financial scandals (Enron, Worldcom, etc). Its purpose is to protect investors through improving the veracity of disclosures from publicly traded companies.

SOX comprises 11 titles, or sections. They range from the creation of the Public Company Accounting Oversight Board (PCAOB) to corporate and criminal fraud accountability. In this post, we’ll be focusing on Title IV: Enhanced Financial Disclosures. Specifically, we’ll look at Section 404 and how it relates to end user computing (EUC) applications such as spreadsheets.

Sarbanes-Oxley (SOX) Section 404 basics

Section 404 requires firms to provide an internal control over financial reporting (ICFR) report with each annual filing. The report should include:

  1. A statement of management’s responsibility for maintaining a suitable ICFR control framework and processes
  2. An ICFR assessment attested to by a registered public accounting firm

SOX Section 404 compliance

Aside from establishing management’s statement on ICFR, Section 404 doesn’t go into specifics on the “how.” Instead, we can examine guidance from the Securities and Exchange Commission (SEC) and specifically the PCAOB’s ICFR auditing standards.

Auditors look for any material weaknesses in the company’s ICFR. Even one material weakness means that the controls are ineffective.

Auditors will trace financial statements back through the flow of transactions, looking for any weak points within the financial reporting process. Any implemented controls that address these weaknesses will be identified. Auditors may also perform a walkthrough, following company processes (including IT systems) when looking for sources of misstatement.

While this explanation is far from comprehensive, it illustrates the idea that everything in your financial reporting process is under scrutiny. For most organizations, that also means their spreadsheets and other end user computing (EUC) applications are in scope.

Assess: Management of public companies assesses the effectiveness of ICFR.

Attest: Public companies’ auditors attest to and report on management’s assessment.

Control: Any spreadsheet directly or indirectly used in the financial reporting process falls under a company’s SOX compliance program.

How SOX Section 404 applies to EUCs like spreadsheets

The role of EUCs in financial reporting

EUCs are flexible, powerful tools that allow end users to create purpose-built applications and models. Common EUC applications include Excel spreadsheets, Access databases, Python scripts, and R scripts. Developing an EUC application doesn’t require IT resources, allowing end users to forecast and analyze data quickly.

These applications play a big role in companies’ financial close and regulatory reporting cycles. For example, they are often used for:

  • P&L
  • balance sheet
  • cash flow
  • financial modelling
  • budgeting
  • forecasting
  • account reconciliations
  • and more

While tech-forward orgs use dedicated software for these functions, EUCs are still frequently used somewhere in their financial reporting process. In fact, ninety-eight percent of companies consider spreadsheets critical to their financial reporting processes. It’s no wonder Microsoft Excel spreadsheets are ubiquitous in most organizations.

Yet, eighty-eight percent of all spreadsheets contain formula or data lineage errors. This reflects the inherent risk of EUCs, which stems from:

  1. Lack of built-in controls
  2. Their human-generated nature, which means errors are inevitable

Public companies, or companies aiming to go public, are facing increasingly complex SOX environments. They must manage lawmakers, regulatory pressures, financial and reputational risks, and the company’s valuation. Financial reporting plays into all these factors and any issues can have far-reaching consequences.

Where things can go wrong with your EUCs

Errors and process deficiencies are often the key causes of an EUC-related significant deficiency or material weakness in ICFR.

Human errors can cause:

  • Material misstatements
  • Misinformed decision-making
  • Incorrect investments

Process-related deficiencies often take the form of:

  • Lack of defined EUC management policy
  • Failure to effectively apply controls specified within the policy
  • Failure to demonstrate year-over-year improvement

The repercussions of these errors and process deficiencies can be costly and damaging.

JPMorgan Chase: Errors within a value at risk (VaR) spreadsheet contributed to a $6B+ loss.

Conviviality Plc: A material spreadsheet arithmetic error led to profits being exaggerated by over $5M. Conviviality collapsed after losing over 60% of its stock value.

Marks & Spencer: Double counting in a spreadsheet led Marks & Spencer to issue a correction to its quarterly trading statement after misreporting group sales figures.

SOX 404 compliance for spreadsheets & other EUCs

The first step in addressing SOX 404 compliance for EUCs is to establish a framework or policy. A SOX framework should be segmented into three key parts:

  1. Identify: Identification of critical EUC files
  2. Inventory: Build, maintain, and evidence a comprehensive EUC inventory
  3. Control: Manage EUC risk by applying file-level controls

Additionally, analytics on all three components should roll up into audit and management reporting.

Identifying EUCs

Governance teams must evidence that they have located each EUC application that supports the financial reporting process. Any EUC that directly feeds, supports, or validates a company’s financial reporting process is within scope. While identification by end users can be effective, it is not enough on its own. You must be able to answer, “Are you sure you’ve found everything?”

Inventorying EUCs

Build and maintain a central inventory to track the lifecycle of key financial EUCs, e.g., where they are saved and managed. The inventory should associate key data elements against each file to understand and evidence ownership, supported business process, and risk profile.

You should use standard assessment metrics to define the risk profile of each EUC. This, in turn, helps dictate the internal controls that should be applied, and who owns those controls. Furthermore, you must annually attest that the inventory is up to date and valid.

EUC Controls

Assess a file’s integrity and data lineage to ensure it’s fit for purpose and free from errors, including logic, data, and calculation errors. Then apply access, version, and change management controls, ensuring the controls are consistently applied to all critical files. If any significant changes are made to a file, ensure they are reviewed and approved.

  • Access Control: Track the individuals who open or modify critical files to ensure only authorized users are making changes.
  • Version Control: View all historical versions of a file and retrieve them when necessary.
  • Change Management Control: Evidence effective review and approval controls around material changes.

SOX compliance software

Once a SOX policy is established, you should consider enabling the policy through technology. Dedicated SOX compliance software helps to ensure that end users take responsibility for policy compliance. Good software should not get in the way of leveraging the ease and flexibility of EUC applications.

SOX compliance software should also be scalable across the enterprise. It should have the flexibility to meet the unique requirements of each company’s financial reporting process. For example, an organization with multiple subsidiaries may need a solution that works across different shared drive structures.

Next Steps

Learn how to create or enhance an existing SOX policy with our Best Practice Guide. It provides best practices for establishing or enhancing a SOX policy for spreadsheets and other applications that support financial reporting processes. Additionally, it provides details on how technology can be leveraged to enable and automate your policy.


The Definitive SOX 404 Policy Guide

This guide provides best practices for establishing or enhancing a SOX policy for models and end user applications used in financial reporting processes.


Apparity Staff

Apparity provides the smartest platform for banks and insurers looking to efficiently manage mission-critical end user computing application risk. Apparity helps control the entire lifecycle of applications like spreadsheets, databases and scripts.
