Your Ask Joey ™ Answer

What are spreadsheet controls?

The BEC section of the CPA exam will test you on the key spreadsheet controls. If a business process relies on spreadsheets (e.g. Microsoft Excel or Google Sheets), then certain preventive and detective controls should be in place to ensure the accuracy and integrity of data and financial information. 

What are preventive spreadsheet controls that should be implemented?

Preventive controls that should be implemented by a company include:

1) Formula cells are locked: Key cells in a spreadsheet, such as formulas, should be locked so that users can’t purposefully or accidentally modify cells.

2) Access is restricted: Only authorized individuals should be able to access the spreadsheet from the drive on the network. Additionally, specific individuals should receive read, write, or edit access based on their role. Access should require login credentials (username and password).

3) Backup on the network: Spreadsheets should be stored on the network and included in any regular/routine backups the company would perform for any key information that the company maintains.

4) Track spreadsheet changes: Any changes made to the spreadsheet should be tracked. This includes changes in access, changes to key formulas, etc.

What are detective spreadsheet controls that should be implemented?

Detective controls that should be implemented by a company includ

1) Review of access rights: The appropriate manager of the business process should review the access rights to each spreadsheet and determine the appropriateness. Job roles change and as employees move laterally or horizontally through an organization, their access rights may need to change.

2) Review of spreadsheet formulas: The appropriate employee (spreadsheet owner) should thoroughly review the spreadsheet formulas to ensure the desired calculations and output are being properly performed.

Spreadsheet controls are key controls that every company should have implemented in a business process. Other key controls include segregation of duties, account reconciliationsdata entry input controls, controls over standing data, data processing controls, and supervisory controls.


Back To All Questions

You might also be interested in...

  • What are data processing controls?

    The BEC section of the CPA exam will test you on the key data processing controls. The purpose of processing controls is to verify that data was properly processed through the system. Processing controls will identify if the data was processed incorrectly. The company would have data entry input controls to verify data is inputted properly into the system, but then it would need data processing controls to maintain high integrity and quality in the data. The main data processing controls include: 1) Run-to-run totals (sum checks): Ensures that the cumulative totals of records from one data processing run to another are consistent. 2) Data matching: When the data across various sources is compared, does it all match or agree? For example, does the date on the PO agree to the date on the corresponding invoice? 3) Data sequence checks: If data is supposed to be in sequential order, is the sequence complete, or is data missing? For example, if there should be invoices numbered 1 through 10, are all 10 listed in the system data? Data processing controls are key controls that every company should have implemented in a business process. Other key controls include  segregation of duties, data entry input controls, controls over standing data, account reconciliation controls, spreadsheet controls and supervisory controls.

  • What are controls over standing data?

    Standing data is data that is held in the system for long-term use and is not expected to change frequently (hence the term standing data). Another term for standing data is “master list” or “master data” Standing data can consist of customer information, product information, employee information, pay rates, tax codes, sales tax rates, etc. Preventive controls that should be implemented by a company include: 1) Access is restricted: Only authorized individuals should be able to access the master data on the network. Additionally, specific individuals should receive read, write, or edit access based on their role. Access should require login credentials (username and password). 2) Routine backup to network: Standing data should be stored on the network and included in the regular/routine backups the company would perform for any key information that the company maintains. 3) Track changes: Any changes made to standing data and master files should be tracked. Detective controls that should be implemented by a company include: 1) Review of access rights: The appropriate manager of the business process should review the access rights to standing data sets and determine the appropriateness. Job roles change and as employees move laterally or horizontally through an organization, their access rights may need to change. Controls over standing data are key controls that every company should have implemented in a business process. Other key controls include segregation of duties, account reconciliations, data entry input controls, data processing controls, spreadsheet controls, and supervisory controls.

  • What are supervisory controls in a business process?

    A supervisory control means exactly what you think it would mean. Supervisory controls are used to “monitor” a business process and are designed to prevent or detect issues. Supervisory controls are typically performed by the manager of a business process or executive team members. What are some types of preventive supervisory controls? Examples of preventive controls include: 1) Hiring requirements: Hiring employees that are qualified, capable, and competent to perform the role is critical. Implementing minimum experience requirements, interview processes, and hiring decision committees can ensure the right individual is hired. 2) Proper hierarchy: Ensuring that the organizational hierarchy in a business is adequate ensures that employees are properly supervised and that a clear chain of command exists. 3) Segregation of duties: Proper segregation of duties in a business process reduces the risk of fraud or error. 4) Approval requirements: Requiring approval for certain business activities can prevent issues. Examples including hiring decisions, writing checks, executing agreements, etc. What are some types of detective supervisory controls in a business process? Detective controls are often referred to as “the last line of defense”. Examples of detective controls include: 1) Audits or inspections: Audits can be used to evaluate a company’s business processes and ensure that proper controls are in place. This could be a financial audit, environmental audit, SOC audit, regulatory compliance, or other audits or inspections. 2) Employee performance reviews: Each employee should have an annual performance review to determine if the employee is adequately performing the job they were hired to perform. 3) Budget vs actual analysis: A key financial reporting control is to compare the actual financial results to the budgeted results. Most companies use a threshold ($ or %) and investigate if the difference exceeds the predetermined threshold. 4) Tracking of KPI’s: Every business will have key performance indicators (KPIs) that are considered critical to their business. By tracking these KPIs on a monthly or annual basis, a company can evaluate the performance of each business process. Example KPIs include new customers signed, average revenue per customer, market share, net promoter score, order fulfillment time, etc. Supervisory controls are key controls that every company should have implemented in a business process. Other key controls include segregation of duties, data entry input controls, controls over standing data, data processing controls, spreadsheet controls and account reconciliation controls.