REGULATORY REQUIREMENTS

Spreadsheet risk has the attention of the regulators, although the specific requirements are often buried in more general regulations. The table below summarises the current regulatory and good practice requirements.

| Legislation | Scope | Description | Spreadsheet Requirement |
|---|---|---|---|
| Sarbanes Oxley (SOX) | US listed companies | Attestation and internal control regime for all listed companies in the USA. The Sarbanes Oxley Act 2002 – S303: principal officers are responsible for the financial statements and must attest to their accuracy. S404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR). | As most companies make extensive use of spreadsheets for financial reporting, this implies that they need effective controls over spreadsheets and other end user computing software. |
| SR11-7 OCC Supervisory Guidance on model risk management | US Banking | Supervisory guidance by the OCC on handling model risk. | Around 60% of models are implemented on spreadsheets, so spreadsheet risk and model risk overlap. |
| BAIT | German Financial Institutions | Supervisory Requirements for IT in Financial Institutions, issued by BAFIN, the German regulator. | BAIT covers a wide range of IT requirements for financial institutions, including specific requirements for end user computing, including spreadsheets. S36 requires: “Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release.” Application development includes spreadsheets and end user computing. S43 requires: “An appropriate procedure shall be defined for the classification/categorisation (protection requirements category) and handling of the applications developed or run by the business unit’s end users. Compliance with coding standards will also be ensured for the applications developed by end users in the organisational units (e.g. EUC application).” |
| UK SOX | UK Listed companies | UK SOX is part of the Department for Business, Energy and Industrial Strategy (BEIS) consultation on “Restoring trust in audit and corporate governance”. | Proposed reporting and attestation requirements on internal controls are one of the areas designed to “sharpen directors’ accountability”. Likely to require effective spreadsheet controls, with larger penalties. |
| JSOX | Japanese Listed companies | J-SOX is an abbreviation for The Financial Instruments and Exchange Act: the Japanese equivalent to U.S. SOX in relation to Sections 302 “Corporate Responsibility for Financial Reports” and 404 “Management Assessment of Internal Controls.” | As for SOX, internal control should include controls over spreadsheets and other end user computing. |
| CSOX | Canadian Listed companies | CSOX is an abbreviation for Bill 198, covering similar regulations to SOX. Under MI52-109, chief executive officers and chief financial officers must verify that their filings (both annual and interim) are accurate representations of their company’s current financial status. | This is similar to SOX. |
| BCBS 239 | Global Banking | Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Reporting. | Mandatory principles for SIFIs defining how to aggregate and report risk data. |
| DFAST | US Banking | Dodd-Frank Act Stress Testing. | Stress testing for banks requires extensive documentation of risk models, many of which are spreadsheets. |
| Stress testing – rest of world | Global Banking | PRA, Finma, ECB, etc. | As above. |
| FDA 21 CFR Part 11 | Life Sciences | Life sciences companies must have validated electronic records, which includes spreadsheets. This includes audit trails, electronic signatures and role-based security. | All spreadsheet processes are to be controlled and validated. Life science companies make extensive use of spreadsheets in R&D and manufacturing, so this can be an important requirement. |
| FINRA | US Securities Trading | 2010 priorities. | Big focus on spreadsheets. |
| ICAEW | Good Practice | Twenty Principles of Good Spreadsheet Practice. | Best practice recommendations for spreadsheet control. |
| COSO | General Control Rules | Internal controls framework. | Adopted by many organisations as a standard to comply with Sarbanes Oxley. |
| NAIC model rule | US Insurance Companies | A financial reporting regulation applicable to insurance companies. | Borrows heavily from Sarbanes Oxley and requires similar levels of controls. |
| Solvency II | European Insurance Companies | Insurance industry solvency and risk management requirements. | All data used in solvency calculations must be complete, accurate and appropriate. As spreadsheets are widely used in the actuarial function, this means there need to be effective controls and audit trails. |
| TAS M | Actuarial Standards | Technical Actuarial Standard relating to models. | Applies to spreadsheet models. |

Details are correct at the time of publishing.