Excel in Managing Spreadsheet Risk
Overview
Spreadsheet Risk: Real and Reality
What next?
The Solution: 4 stage approach to managing spreadsheet risk
Final Thought
Section 1:[Spreadsheet Risk: Real and Reality]
It is generally accepted that nine out of ten spreadsheets suffer some error, and consequences can be severe:
• A cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract.
• A missing minus sign caused Fidelity’s Magellan Fund to overstate projected earnings by $2.6 billion and miss a promised dividend.
• Falsely-linked spreadsheets permitted fraud totaling $700 million at Allied Irish Bank.
• Voting officials reported spreadsheet irregularities in New Mexico and South Africa.
(Source: Bewig, P. L. (2005) How do you know your spreadsheet is right? Principles, Techniques and Practice of Spreadsheet Style).
Spreadsheet Risk is REAL
Spreadsheet use has become increasingly high profile:
●Impact Of Regulatory Compliance
… requires enterprise auditability and robust controls to ensure the integrity of data.
● Sarbanes Oxley Act 2002 (SOA) requirements include the creation of an inventory of spreadsheets deemed critical to the financial reporting process.
● Basel II – Spreadsheets are not only methods of controlling operational risk (a key pillar of Basel II) but are also themselves a source of operational risk. Effective operational risk controls equate to a reduction in the required regulatory capital under Basel II.
(Source: Croll, G. J. (2005) The Importance and Criticality of Spreadsheets in the City of London)
● Also relevant are the ‘8th European Directive’ and ‘IAS 39’ as further examples of compliance applicable to European (and Global) corporations as of 2006.
Spreadsheet Risk: Today's REALITY
●Increasing Complexity
Modern corporate practices, coupled with increasingly stringent regulation, cause business functions and activities to continually increase in complexity.
Increasingly, spreadsheets are being used as tools to aid such functions and activities, which in turn carry an inherent risk and impact associated with this complexity.
Risk assessment, and a clear understanding of the potential business, financial and operational impacts that can arise, in the face of such complexity, provides the starting point to consider ‘managing spreadsheet risk’.
Today's REALITY: continued
Spreadsheets, often used to source and manipulate material data, are inextricably integrated within all financial and operational layers of the business.
Section 2:[What next?]
In search of practical solutions
Many companies have started to take preliminary steps:
• Risk assessment – consider company approach to risk management
• Answering such questions as:
‘What spreadsheets do we have?’
‘Where does the business place heavy reliance on spreadsheets?’
• Build an Inventory (… to comply with SOA).
• But without a clear structure and understanding of how and why we should manage our use of spreadsheets, many companies reach this stage and ask:
What do we do next?
What do we do next? - Tip of the iceberg
●Proving regulatory compliance, and building an inventory is a start. But to date, regulation is only about financial reporting risk.
●Whilst risk removal is not possible, management must seek to go beyond compliance to address the true nature and extent of risks that exist and surround the use of spreadsheets.
●Furthermore, a spreadsheet is a dynamic entity, often used by many individuals potentially spanning several business functions. This presents a huge challenge to audit and maintain, given its continually evolving state.
What do we do next? - In search of practical solutions
Spreadsheet risk is pervasive across the business as a whole.
Section 3:[The Solution]
• 4 Key Stages to managing spreadsheet risk:
Solution?
A Risk Management Methodology to help a firm initiate, analyze and structure the management of spreadsheets.
Key Stage 1
Identify potentially critical spreadsheets.
Can typically include spreadsheets that:
● Support analysis on which decisions are made
● Are used for presentation and reporting purposes
● Drive assumptions that feed into other systems
● Support the control environment
● Monitor processes with a view to detecting errors
● Are used for data capture or process adjustments
Additional useful information includes capturing the owner and designer of the spreadsheet; key data maintained within the spreadsheet; frequency and purpose of use; interfaces to/from the spreadsheet.
Key Stage 2
Understand the risk profile.
Consider from two perspectives:
●Criticality
●Complexity
Assessment should include, but not be limited to:
●financial loss resulting from error in the spreadsheet.
Equally useful assessment criteria include:
●Consideration for the sensitivity of the information contained within the spreadsheet
●Impact of information in the spreadsheet getting into the wrong hands
●Opportunity to use the spreadsheet to perpetrate fraud
●Reliance on the spreadsheet as a key control over a business critical process
Key Stage 2 (cont.)
Understand the risk profile.
Having performed the analysis, we usually use some form of risk map to determine whether further action is required and to prioritize our work. An illustrative spreadsheet risk map may take the following form:
Figure 2: Illustrative Spreadsheet Risk (risk map; vertical axis: Criticality, 1 to 5; horizontal axis: Complexity, 1 to 5)
Key Stage 2 (cont.)
Understand the risk profile.
Those spreadsheets falling in the area shaded in red require immediate attention.
Spreadsheets falling into the boxes shaded yellow, however, should not be overlooked. A common mistake is to ignore spreadsheets of high criticality but low complexity. It is important to remember that even the simplest of spreadsheets can contain errors, and often do.
Some of the spreadsheets in the green area may also require consideration, particularly those that have been classified as level 3 criticality on privacy grounds.
Transition to Stage 3
Understand the risk profile before you can assess spreadsheet controls.
When approaching stage 3, thorough completion of stage 2 is crucial to understand:
● the scale of complexity of the spreadsheet and,
● the level of criticality of the function of the spreadsheet
… to enable a complete and comprehensive assessment of the spreadsheet environment and the required surrounding controls.
Key Stage 3
Assess spreadsheet controls.
What Exists?
Analyse and document what controls currently operate that may mitigate any risk associated with the spreadsheet.
What is required?
Evaluate the type and level of control to implement around the spreadsheet necessary to mitigate risks satisfactorily.
Gap analysis
Identify the residual controls required to align the controls that currently exist with the required level.
Key Stage 3 (cont.)
Assess spreadsheet controls.
Typical Controls:
Access, change and input controls
Design methods and version control
Security of data
Data retention
Testing/review
Documentation
Integrity checks and logic inspection
Archiving and Back-ups
Segregation of duties, roles and responsibilities
Key Stage 4
Implement control solutions.
First Priority
– to ensure the spreadsheet is doing what it was designed to do, through an independent review to test the:
●logical security,
●internal consistency and,
●arithmetic accuracy of formulae, algorithms and calculations within all cells of the selected spreadsheet.
However, the review alone represents a snapshot. Having established the integrity of the spreadsheet, it is important to implement controls that provide reasonable assurance going forward.
Key Stage 4 (cont.)
Implement control solutions.
Secondly
Defining a Spreadsheet Control Framework, such as that illustrated in figure 3, will ensure that all aspects of spreadsheet management are addressed.
Key Stage 4 (cont.)- Spreadsheet Control Framework
Spreadsheet policy ensures senior management’s expectations are clearly communicated throughout the business and establishes ground rules governing spreadsheet use.
Key Stage 4 (cont.)- Spreadsheet Control Framework
Roles and responsibilities define requirements for identifying and outlining expectations of spreadsheet owners and other key personnel.
Key Stage 4 (cont.)- Spreadsheet Control Framework
Control processes clarify key steps around security, change, monitoring and release management given the nature and risk classification of a particular spreadsheet.
Key Stage 4 (cont.)- Spreadsheet Control Framework
Minimum standards communicate the baseline standards that any spreadsheet, whatever the classification, is required to comply with.
Section 4:[Final Thought]
Final Thought
Like it or not, it seems that spreadsheets are here to stay.
●User-managed databases
Reviews should also be looking to pick up any user-managed databases. In most cases, analysis performed in databases is of high complexity. In our experience, if databases have been implemented by the business and are not managed by IT, then the likelihood of error is high.
●During the review, it is important to ask
Should you really be using a spreadsheet at all?
If it is of high complexity and criticality the answer is almost certainly No.
Whatever the conclusion you reach on whether or not you should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence you need to look for ways and means of improving the level of control.