excel in managing spreadsheet risk presentation

Post on 15-Jul-2015





  • Excel in Managing Spreadsheet Risk

  • Overview

    - Spreadsheet Risk: Real and Reality
    - What next?
    - The Solution: 4 stage approach to managing spreadsheet risk
    - Final Thought

  • Section 1: [Spreadsheet Risk: Real and Reality]

  • It is generally accepted that nine out of ten spreadsheets suffer some error, and consequences can be severe:

    - A cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract.
    - A missing minus sign caused Fidelity's Magellan Fund to overstate projected earnings by $2.6 billion and miss a promised dividend.
    - Falsely-linked spreadsheets permitted fraud totaling $700 million at Allied Irish Bank.
    - Voting officials reported spreadsheet irregularities in New Mexico and South Africa.

    (Source: Bewig, P. L. (2005) How do you know your spreadsheet is right? Principles, Techniques and Practice of Spreadsheet Style).

    Spreadsheet Risk is REAL

  • Spreadsheet use has become increasingly high profile:

    Impact of Regulatory Compliance requires enterprise auditability and robust controls to ensure the integrity of data.

    Sarbanes Oxley Act 2002 (SOA): requirements include the creation of an inventory of spreadsheets deemed critical to the financial reporting process.

    Basel II: Spreadsheets are not only methods of controlling operational risk (a key pillar of Basel II) but also are themselves a source of operational risk. Effective operational risk controls equate to a reduction in the required regulatory capital under Basel II.

    (Source: Croll, G. J. (2005) The Importance and Criticality of Spreadsheets in the City of London)

    Also relevant are the 8th European Directive and IAS 39 as further examples of compliance applicable to European (and Global) corporations as of 2006.

    Spreadsheet Risk: Today's REALITY

  • Increasing Complexity

    Modern corporate practices, coupled with increasingly stringent regulation, cause business functions and activities to continually increase in complexity.

    Increasingly, spreadsheets are being used as tools to aid such functions and activities which, in turn, have an inherent risk and impact associated with this complexity.

    Risk assessment, and a clear understanding of the potential business, financial and operational impacts that can arise, in the face of such complexity, provides the starting point to consider managing spreadsheet risk.

    Today's REALITY: continued

    Spreadsheets, often used to source and manipulate material data, are inextricably integrated within all financial and operational layers of the business.

  • Section 2: [What next?]

  • In search of practical solutions

    Many companies have started to take preliminary steps:

    - Risk assessment: consider company approach to risk management
    - Answering such questions as: What spreadsheets do we have? Where does the business place heavy reliance on spreadsheets?
    - Build an inventory (to comply with SOA).

    But without a clear structure and understanding of how and why we should manage our use of spreadsheets, many companies reach this stage and ask: What do we do next?

    What do we do next?

  • Tip of the iceberg

    Proving regulatory compliance, and building an inventory is a start. But to date, regulation is only about financial reporting risk.

    Whilst risk removal is not possible, management must seek to go beyond compliance to address the true nature and extent of risks that exist and surround the use of spreadsheets.

    Furthermore, a spreadsheet is a dynamic entity, often used by many individuals potentially spanning several business functions. This presents a huge challenge to audit and maintain, given its continually evolving state.

    What do we do next? - In search of practical solutions

    Spreadsheet risk is pervasive across the business as a whole.

  • Section 3: [The Solution]


  • 4 Key Stages to managing spreadsheet risk:

    Solution? A Risk Management Methodology to help a firm initiate, analyze and structure the management of spreadsheets.

  • Key Stage 1: Identify potentially critical spreadsheets.

    Can typically include spreadsheets that:

    - Support analysis on which decisions are made
    - Are used for presentation and reporting purposes
    - Drive assumptions that feed into other systems
    - Support the control environment
    - Monitor processes with a view to detecting errors
    - Are used for data capture or process adjustments

    Additional useful information includes capturing the owner and designer of the spreadsheet; key data maintained within the spreadsheet; frequency and purpose of use; interfaces to/from the spreadsheet.

  • Key Stage 2: Understand the risk profile.

    Consider from two perspectives:

    - Criticality
    - Complexity

    Assessment should include, but not exclusively, financial loss resulting from error in the spreadsheet. Equally useful assessment criteria include:

    - Consideration for the sensitivity of the information contained within the spreadsheet
    - Impact of information in the spreadsheet getting into the wrong hands
    - Opportunity to use spreadsheet to perpetrate fraud
    - Reliance on the spreadsheet as a key control over a business critical process

  • Key Stage 2 (cont.): Understand the risk profile.

    Having performed the analysis, we usually use some form of risk map to determine if further action is required and to prioritize our work. An illustrative spreadsheet risk map may take the following form:

  • Key Stage 2 (cont.): Understand the risk profile.

    Those spreadsheets falling in the area shaded in red require immediate attention.

    Spreadsheets falling into the boxes shaded yellow, however, should not be overlooked. A common mistake is to ignore spreadsheets of high criticality but low complexity. It is important to remember that even the simplest of spreadsheets can contain errors, and often do.

    Some of the spreadsheets in the green area may also require consideration, particularly those that have been classified as level 3 criticality, on privacy grounds.

  • Transition to Stage 3: Understand the risk profile before you can assess spreadsheet controls.

    When approaching stage 3, thorough completion of stage 2 is crucial to understand:

    - the scale of complexity of the spreadsheet and,
    - the level of criticality of the function of the spreadsheet

    to enable a complete and comprehensive assessment of the spreadsheet environment and the required surrounding controls.

  • Key Stage 3: Assess spreadsheet controls.

    What exists? Analyse and document what controls currently operate that may mitigate any risk associated with the spreadsheet.

    What is required? Evaluate the type and level of control to implement around the spreadsheet necessary to mitigate risks satisfactorily.

    Gap analysis: The residual required controls to align what controls currently exist with the required level.

  • Key Stage 3 (cont.): Assess spreadsheet controls.

    Typical Controls:

    - Access, change and input controls
    - Design methods and version control
    - Security of data
    - Data retention
    - Testing/review
    - Documentation
    - Integrity checks and logic inspection
    - Archiving and Back-ups
    - Segregation of duties, roles and responsibilities

  • Key Stage 4: Implement control solutions.

    First Priority: to ensure the spreadsheet is doing what it was designed to do, through an independent review to test the:

    - logical security,
    - internal consistency and,
    - arithmetic accuracy

    of formulae, algorithms and calculations within all cells of the selected spreadsheet.

    However, the review alone represents a snapshot. Having established the integrity of the spreadsheet, it is important to implement controls that provide reasonable assurance going forward.

  • Key Stage 4 (cont.): Implement control solutions.

    Secondly: Defining a Spreadsheet Control Framework, such as that illustrated in figure 3, will ensure that all aspects of spreadsheet management are addressed.

  • Key Stage 4 (cont.) - Spreadsheet Control Framework

    Spreadsheet policy ensures senior management's expectations are clearly communicated throughout the business and establishes ground rules governing spreadsheet use.

  • Key Stage 4 (cont.) - Spreadsheet Control Framework

    Roles and responsibilities define requirements for identifying and outlining expectations of spreadsheet owners and other key personnel.

  • Key Stage 4 (cont.) - Spreadsheet Control Framework

    Control processes clarify key steps around security, change, monitoring and release management given the nature and risk classification of a particular spreadsheet.

  • Key Stage 4 (cont.) - Spreadsheet Control Framework

    Minimum standards communicate the baseline standards that any spreadsheet, whatever the classification, is required to comply with.

  • Section 3: [Final Thought]


  • Final Thought

    Like it or not, it seems that spreadsheets are here to stay.

    User-managed databases

    Reviews should also be looking to pick up any user-managed databases. In most cases, analysis performed in databases is of high complexity. In our experience, if databases have been implemented by the business and are not managed by IT, then the likelihood of error is high.

    During the review, it is important to ask: Should you really be using a spreadsheet at all?

    If it is of high complexity and criticality the answer is almost certainly No.

    Whatever the conclusion you reach on whether or not you should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence you need to look for ways and means of improving the level of control.
