Our Spreadsheet Controls Policy includes two samples that serve as a comprehensive guide for managing and controlling the use, storage and modification of spreadsheets and databases critical to the financial reporting process. It ensures compliance with Sarbanes-Oxley (SOX) guidelines by establishing appropriate policies that mitigate risks associated with financial data management. It also outlines the roles and responsibilities of various stakeholders, including the IT department, users and developers, and provides detailed procedures for assessing the risk level of spreadsheets, defining financially significant desktop tools, and implementing minimum control standards.

Additionally, this document specifies controls such as change management, access restrictions, backup procedures and documentation requirements. It mandates regular reviews and audits to ensure the effectiveness of these controls and enforces a structured approach to handling routine updates and significant changes to spreadsheets. By adhering to this policy, organizations can safeguard the integrity and accuracy of their financial data, thereby supporting reliable financial reporting and informed decision-making by management.

Sample procedures include:

• Management conducts a semiannual review/audit of all functionality changes made during the period, as they were documented in the change management folder. 
• The department manager of each group (e.g., accounting) must ensure that network drives and folders that pertain to their group can only be accessed by members of their group. 
• All spreadsheets and databases used daily must also be saved on a designated shared network drive to ensure that they are backed up according to IT schedules.