Key Sarbanes-Oxley Financial Spreadsheets

The Office of the Inspector General audited the controls for key Sarbanes-Oxley (SOX) spreadsheets to determine if the controls are sufficiently defined, appropriately designed, and operating effectively. The audit’s scope was information technology general controls for the SOX critical spreadsheets within TVA. We identified several issues that could provide a stronger control environment for critical spreadsheets. Specifically, we found (1) shared passwords used to modify critical spreadsheets are not appropriately managed, (2) one spreadsheet was accessible using a shared account with no known business need, (3) TVA’s SOX Control Environment group’s inventory controls over critical spreadsheets are ineffective, (4) critical spreadsheets are not documented consistently in SOX control narratives maintained by TVA’s SOX Control Environment group, (5) naming convention controls are not being enforced which limits TVA’s ability to quickly assess if critical spreadsheets are properly stored for access control and backup purposes, and (6) TVA’s SOX Control Environment group’s spreadsheet policy could be strengthened by adding controls for user training, baselining, templates, and testing. TVA management agreed with our findings and recommendations.