Beyond Regulatory Compliance for Spreadsheet Controls: A Tutorial to Assist Practitioners and a Call for Research

Linda A. Leon, Dolphy M. Abraham and Lawrence Kalbers. Commun. Assoc. Inf. Syst.

In the past decade, accounting scandals and financial reporting errors have led to heightened awareness of the need for IT controls and legislation of control regimes. In the United States, the Sarbanes–Oxley Act of 2002 (SOX) was one of the early initiatives to legislate internal controls over financial reporting. Many countries and regions have followed with similar legislation. In this tutorial we present an analysis of the prior work on error prevention and detection in spreadsheets as it… 

Controls over Spreadsheets for Financial Reporting in Practice

It is indicated that there are problems in all stages of a spreadsheet’s life cycle and several important areas for future research are suggested.

Improving Efficiency in Budgeting – An Interventionist Approach to Spreadsheet Accuracy Testing

It is shown that later spreadsheet error in budgeting is already rooted in a poor conceptualization of the budget template, in non-workflow-oriented imputation of data and poor documentation of data requirements, and illustrated how the accuracy of spreadsheets substantially improves by introducing even simplistic VBA.

Accountants’ Perceptions of the Use of Excel Spreadsheet in Financial Reporting: A Survey of Accounts Personnel in Manufacturing Firms

Spreadsheet, a widely accepted critical business application tool with its benefits and unavoidable inadequacies, is relied on by many accountants for financial reporting and operational processes

Managing Information Security Risk Using Integrated Governance Risk and Compliance

This paper aims to demonstrate the building blocks of an IT Governance Risk and Compliance (IT GRC) model as well as the phased stages of the optimal integration of IT GRC frameworks, standards and

Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations Under Conditions of Strain and Excess

A theoretical model, the selective organizational information privacy and security violations model (SOIPSVM), explains organizational rule-violating behavior as an attempt to protect core organizational values from external entities that pressure organizations to change their values to comply with rules.

Shadow Systems, Risk, and Shifting Power Relations in Organizations

New theory is built to understand the persistence of shadow systems in organizations from a single case study in a mid-sized savings bank and derives two feedback cycles that concern shifting power relations between business units and central IT associated with shadow systems.

IT controls in the public cloud: Success factors for allocation of roles and responsibilities

The research suggested that the most significant competency and skill for a person allocated to IT controls is to be able to evaluate and manage a cloud service provider, especially in terms of risks, compliance, and security issues related to public cloud technology.

A Role Allocation Model For IT Controls In A Cloud Environment

The purpose of this paper is to propose a theoretical model for assigning roles and responsibilities for IT controls for an organization operating in a cloud environment; the model is based on a strong theoretical grounding and can be used to inform good practice.

The 'lish': a data model for grid free spreadsheets

A “lish calculus” is developed, an extension to vector arithmetic for hierarchical structures that provides a concise notation for calculations with lishes that simplifies the usual spreadsheet formula expressions, and enables the machine to interpret them consistently with the context in which they are located.



Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks

  • R. Panko
  • Economics
    Commun. Assoc. Inf. Syst.
  • 2006
This paper examines spreadsheet risks for Sarbanes-Oxley (and other regulations) and discusses how general and IT-specific control frameworks can be used to address the control risks created by spreadsheets.

Risk Assessment For Spreadsheet Developments: Choosing Which Models to Audit

Risk assessment based on the "SpACE" audit methodology used by H M Customs & Excise's tax inspectors is described, which allows the auditor to target resources on the spreadsheets posing the highest risk of error, and justify the deployment of those resources to managers and clients.

The effect of IT controls on financial reporting

Purpose - The purpose of this paper is to examine information technology (IT) control deficiencies and their effect on financial reporting. Design/methodology/approach - This study examines 278

The impact of training in financial modelling principles on the incidence of spreadsheet errors

The findings show that spreadsheet errors and, in particular, spreadsheet design errors are prolific even for a simple domain-free exercise, and support the contention that accounting educators should include a course in spreadsheet design principles and problem-solving techniques as part of an undergraduate accounting program.

Applying the CobiT Control Framework to Spreadsheet Developments

This paper illustrates how spreadsheet risk and control issues can be mapped onto the CobiT framework and thus brought to managers' attention in a familiar format.

Spreadsheet Errors and Decision Making: Evidence from Field Interviews

Interviewing executives and senior managers/analysts in the private, public, and non-profit sectors about their experiences with spreadsheet errors and quality control procedures found that opinions differ as to whether the consequences of spreadsheet errors are severe.

The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity

The Sarbanes-Oxley Act (SOX) mandates management evaluation and independent audits of internal control effectiveness. The mandate is costly to firms but may yield benefits through lower

Categorisation of Spreadsheet Use within Organisations, Incorporating Risk: A Progress Report

The authors present three proposed models for categorisation of spreadsheet use and the level of risks involved, and analyse the models in the light of current knowledge and the general risks associated with organisations.

Is this spreadsheet a tax evader? How HM Customs and Excise test spreadsheet applications

  • Raymond J. Butler
  • Business
    Proceedings of the 33rd Annual Hawaii International Conference on System Sciences
  • 2000
The audit experience is briefly summarised, the methodology is described and the results to date of a campaign of spreadsheet testing that started in July 1999 are outlined.