The Office of the Inspector General audited the controls for key Sarbanes-Oxley (SOX) spreadsheets to determine if the controls are sufficiently defined, appropriately designed, and operating effectively. The audit’s scope was information technology general controls for the SOX critical spreadsheets within TVA. We identified several issues that could provide a stronger control environment for critical spreadsheets. Specifically, we found (1) shared passwords used to modify critical spreadsheets are not appropriately managed, (2) one spreadsheet was accessible using a shared account with no known business need, (3) TVA’s SOX Control Environment group’s inventory controls over critical spreadsheets are ineffective, (4) critical spreadsheets are not documented consistently in SOX control narratives maintained by TVA’s SOX Control Environment group, (5) naming convention controls are not being enforced which limits TVA’s ability to quickly assess if critical spreadsheets are properly stored for access control and backup purposes, and (6) TVA’s SOX Control Environment group’s spreadsheet policy could be strengthened by adding controls for user training, baselining, templates, and testing. TVA management agreed with our findings and recommendations.
Report File
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2017-15451
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0