Excel in managing spreadsheet risk


Internal Auditing & Business Risk | February 2006, page 32

FEATURE

The risk associated with the use of spreadsheets has become increasingly high profile over the last couple of years. Businesses that are required to comply with the Sarbanes Oxley Act are likely to have created an inventory of spreadsheets deemed critical to the financial reporting process. The number of spreadsheets identified has been a surprise to many businesses. Those who have not been through this process may not have a clue about how many spreadsheets exist in their organisation.

Unfortunately, having prepared the inventories and assessed this risk, many businesses have not been able to identify practical solutions and have found themselves asking the question: what do we do next? The good news is that there are solutions out there. But the bad news is that for many businesses the spreadsheets identified to date are only the tip of the iceberg. Whilst an inventory prepared for the Sarbanes Oxley Act is a good start, it is important to remember that the Sarbanes Oxley Act is only about financial reporting risk. Spreadsheet risk is pervasive across the business as a whole.

Attitude

There are four key stages to managing spreadsheet risk (see Key stages). A good place to start is the areas of highest risk, which entails considering the business’s attitude to risk. What is it that keeps senior management awake at night? What decisions do we take that could have a significant impact on shareholder value? What could seriously damage our reputation? Work should be prioritised on those areas of highest risk.

Whilst an inherent risk assessment can be helpful, another key question to ask is: where does the business place heavy reliance on spreadsheets? The middle management team is usually very aware of which core applications do not provide the information that management requires and where spreadsheets are as a result widely used. A simple self-assessment survey can generate very useful results.

Having identified high-risk areas, the next stage is to prepare an inventory or register of the spreadsheets in use. Once again, there are many ways of putting together the inventory and how the inventory is prepared is not important. However, in our experience a walkthrough of key business processes is one of the best ways of ensuring that all critical spreadsheets are identified. Automated tools can also be used to scan networks for important spreadsheets. Key attributes such as file size and last modified date can be used to identify potentially current and complex spreadsheets. Sequential filenames can also be a giveaway of regular analysis.
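As an added example (not code from the article or from the authors' firm), the three scan attributes above turned into a small ranking script over a constructed list of file metadata; the score weights, size thresholds, the 90-day "recent" window and the filename pattern are all assumptions.

```python
# Added example: rank candidate spreadsheets found on a file share by the
# attributes the authors mention (file size, last modified, sequential names).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of (path, size in bytes, last modified), the shape a scanner
# would collect with os.walk() and os.stat(); no real share is read.
SCAN_DATE = datetime(2006, 2, 1)
SAMPLE_FILES = [
    ("/finance/fx/fx_exposure_v7.xls", 4_200_000, datetime(2006, 1, 27)),
    ("/finance/fx/fx_exposure_v6.xls", 4_100_000, datetime(2005, 12, 29)),
    ("/finance/fx/fx_exposure_v5.xls", 4_000_000, datetime(2005, 11, 30)),
    ("/finance/ops/headcount_2006_01.xls", 180_000, datetime(2006, 1, 31)),
    ("/finance/ops/headcount_2005_12.xls", 175_000, datetime(2005, 12, 31)),
    ("/shared/old/christmas_rota.xls", 20_000, datetime(2003, 12, 1)),
    ("/shared/misc/lunch_menu.xls", 8_000, datetime(2006, 1, 15)),
]

# Trailing version or period token (v7, _2006_01, -3) before the extension (assumed pattern).
SEQ_TOKEN = re.compile(r"([_\-\s]?(v\d+|\d{4}[_\-]\d{2}|\d+))\.(xls[xm]?)$", re.I)

def family_key(path):
    """Filename with its sequence token removed, e.g. fx_exposure_v7.xls -> fx_exposure.xls."""
    name = path.rsplit("/", 1)[-1]
    return SEQ_TOKEN.sub(r".\3", name).lower()

def find_families(files):
    """Group names that differ only by a sequence token; a family with two or
    more members is a sign of a regularly repeated analysis."""
    groups = defaultdict(list)
    for path, _, _ in files:
        groups[family_key(path)].append(path)
    return {k: v for k, v in groups.items() if len(v) > 1}

def score(path, size, modified, families, scan_date=SCAN_DATE):
    """Additive score: large, recently modified and part of a series each add weight."""
    s = 0
    if size >= 1_000_000:
        s += 2          # large files tend to be complex models
    elif size >= 100_000:
        s += 1
    if scan_date - modified <= timedelta(days=90):
        s += 2          # recently modified: probably still in use
    if family_key(path) in families:
        s += 2          # sequential filename: repeated analysis
    return s

def rank_candidates(files, scan_date=SCAN_DATE):
    """Highest-scoring candidates first, ready for a walkthrough to confirm."""
    fams = find_families(files)
    ranked = [(score(p, sz, m, fams, scan_date), p) for p, sz, m in files]
    return sorted(ranked, reverse=True)
```

The ranking only shortlists files for the walkthrough; it does not replace the owner and purpose capture described later in the article.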

It is important to pick up spreadsheets supporting analyses on which decisions are made, spreadsheets used for presentation and reporting purposes, spreadsheets that drive assumptions that feed into other systems (or other spreadsheets), spreadsheets that support the control environment, that monitor processes with a view to detecting errors, and spreadsheets that are used for data capture or to process adjustments.

Finance would be virtually unthinkable without the humble spreadsheet. Jonathan Wyatt and Scott Bolderson offer advice on how to minimise the risks of using this ubiquitous business tool.

“Automated solutions can help fine-tune security and enforce change management and data retention policies”

0300 IA&BR February 06 9/1/06 20:34 Page 32

For each spreadsheet, it is important to capture who is deemed the spreadsheet owner(s); who designed and built the spreadsheet; key data maintained in the spreadsheet; frequency with which the analysis is prepared; what the spreadsheet is used for; and details of interfaces to/from the spreadsheet. This information is important in making an assessment of the significance of the spreadsheet.

Priorities

The next stage is to assess the importance of each spreadsheet, which will enable the business to prioritise the spreadsheets that matter. Each spreadsheet should be considered from two perspectives: criticality and complexity.

By understanding the functions performed by the spreadsheet and the overall control environment in which it operates we can make an assessment of the criticality of the spreadsheet to the organisation. A common mistake is to assess criticality only in terms of direct financial loss resulting from an error in the spreadsheet. Whilst potential for direct financial loss as a result of error is clearly important, there are other factors to take into account.

For example, organisations may wish to consider the sensitivity of the information contained in the spreadsheet and the impact of information in the spreadsheet getting into the wrong hands. Or the opportunity to use the spreadsheet to perpetrate fraud, for example by inflating budgets, covering up poor performance, or manipulating key information on which bonus payments are based. Or the reliance on the spreadsheet as a key control over a business critical process.

Key stages
• Identify potentially critical spreadsheets
• Understand the risk profile
• Assess spreadsheet controls
• Implement control solutions

When considering the criticality of a spreadsheet it is important to consider not only the functions that the spreadsheet is performing but also other controls that operate which may mitigate any risk associated with the spreadsheet. When performing the assessment, it is rarely practical to use a linear scale of 1 to 5 for this, so more subjective descriptions are needed.

For example, one may indicate that no key business decisions are made based on the information. The risk materialising would be an embarrassment to those directly associated with the spreadsheet, but would have no real long-term impact on the business. Three may indicate that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a significant loss to the business. Information contained in the spreadsheet is sensitive and employees could exploit the information if they had access to it. And five may mean that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a material loss to the business. Information contained in the spreadsheet is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The spreadsheet could be used to perpetrate senior management fraud.

Scale

The scale does not usually start at 0. This is for the simple reason that if internal audit identifies a spreadsheet in which an error would have no impact on the business, then the spreadsheet is probably not needed.

Assessing the complexity of a spreadsheet is relatively straightforward and once again we tend to adopt a 5-point scale. Spreadsheets range in complexity from simple worksheets to large and complex models with many worksheets, links and formulae. It is also helpful to have an understanding of the complexity when evaluating the type and level of control to implement around the spreadsheet.

Assessing a spreadsheet’s complexity can be based on a number of criteria: for example, the size or scale of the spreadsheet; the spreadsheet layout and design; the formulae design; and logical complexity. There are a number of relatively cheap automated solutions in the marketplace that will perform this calculation based on specific criteria defined by the user. A manual approach is often less efficient and can lead to inconsistencies.

When assessing complexity, it is important to also consider the complexity of the subject matter, not just the form of the spreadsheet. Some form of judgement is required. Having performed the analysis, some form of risk map should be used to determine whether further action is required and to prioritise the work.
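As an added example (not the article's or the authors' method), a criticality × complexity risk map on the two 5-point scales described above, applied to a constructed register; the complexity criteria thresholds, the action bands and the register entries are assumptions.

```python
# Added example: place each registered spreadsheet on a criticality x complexity
# map and derive a prioritised action list. Thresholds and bands are assumptions.
from dataclasses import dataclass

@dataclass
class SpreadsheetProfile:
    name: str
    criticality: int       # 1..5, assessed subjectively against the descriptors
    worksheets: int        # size/scale criterion
    formulas: int          # size/scale criterion
    external_links: int    # links to other files or systems
    max_nesting: int       # deepest nested function in any formula (formula design)
    subject_complex: bool  # complexity of the subject matter, not just the form

def complexity_score(p):
    """Map user-defined criteria onto the 5-point scale: 1 plus one point per
    criterion exceeded (assumed thresholds)."""
    score = 1
    if p.worksheets >= 5 or p.formulas >= 500:
        score += 1
    if p.external_links > 0:
        score += 1
    if p.max_nesting >= 4:
        score += 1
    if p.subject_complex:
        score += 1
    return score

def risk_map(p):
    """Return (criticality, complexity, action) for one spreadsheet."""
    c, x = p.criticality, complexity_score(p)
    if not 1 <= c <= 5:   # the scale starts at 1: a no-impact sheet is probably not needed
        raise ValueError("criticality must be 1..5")
    if c >= 4 and x >= 4:
        action = "replace or control tightly"   # should it be a spreadsheet at all?
    elif c >= 4 or (c >= 3 and x >= 3):
        action = "review and implement controls"
    elif c >= 2 and x >= 2:
        action = "baseline minimum standards"
    else:
        action = "no further action"
    return c, x, action

def prioritise(profiles):
    """Order the register: highest criticality first, then highest complexity."""
    rows = [(p.name, *risk_map(p)) for p in profiles]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

# Constructed sample register (illustrative values only).
REGISTER = [
    SpreadsheetProfile("bonus_pool", 5, 12, 2400, 3, 6, True),
    SpreadsheetProfile("fx_hedge_book", 4, 3, 300, 1, 5, True),
    SpreadsheetProfile("kpi_pack", 3, 6, 800, 0, 2, False),
    SpreadsheetProfile("stationery_budget", 2, 1, 40, 0, 1, False),
]
```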

Assessing spreadsheet controls is often the simplest stage as it is usually the case that no controls, or at best inadequate controls, exist. It is as a result usually a relatively quick process to assess the existing controls.

The type of controls required would be dependent on the nature of the risk identified in stage two. The key controls in a spreadsheet to provide assurance over its integrity would typically include access controls: for example, the spreadsheet should be stored in an appropriate location on the network and it may be appropriate to use passwords to control access to the spreadsheet. Design methods could be important: for a relatively complex spreadsheet it is important to design the spreadsheet so as to reduce the risk of errors arising. And integrity checks: check totals should be built into the spreadsheet to highlight errors arising from incomplete or inaccurate data capture.
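As an added example (not from the article), the three check totals a data-capture sheet would carry, recomputed in Python over constructed rows: one batch where a row was never keyed, and one where an account code was mis-keyed, which only the hash total catches. The control figures, account codes and amounts are constructed.

```python
# Added example: check totals for a data-capture sheet. The source system
# supplies control figures for the batch; the sheet recomputes them and
# reports any mismatch. All values below are constructed.
from decimal import Decimal

# Control figures the source system reports for the batch (constructed).
SOURCE_CONTROL = {
    "record_count": 5,
    "control_total": Decimal("4765.50"),  # sum of amounts
    "hash_total": 20150,                  # sum of account codes: meaningless, but
}                                         # catches mis-keyed codes the total cannot

# Captured rows (account code, amount). One row was never keyed.
CAPTURED_MISSING_ROW = [
    ("4010", Decimal("1250.00")),
    ("4020", Decimal("835.50")),
    ("4030", Decimal("-120.00")),
    ("4040", Decimal("2300.00")),
]

# Complete batch, but account 4030 was keyed as 4300; count and sum still agree.
CAPTURED_TRANSPOSED = [
    ("4010", Decimal("1250.00")),
    ("4020", Decimal("835.50")),
    ("4300", Decimal("-120.00")),
    ("4040", Decimal("2300.00")),
    ("4050", Decimal("500.00")),
]

def check_totals(rows):
    """Recompute the three check figures over the captured rows."""
    return {
        "record_count": len(rows),
        "control_total": sum((amt for _, amt in rows), Decimal("0")),
        "hash_total": sum(int(code) for code, _ in rows),
    }

def reconcile(rows, control):
    """List the checks that fail; an empty list means the capture reconciles."""
    actual = check_totals(rows)
    return [
        f"{name}: expected {control[name]}, captured {actual[name]}"
        for name in ("record_count", "control_total", "hash_total")
        if actual[name] != control[name]
    ]
```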

At this stage the question should arise: should we really be using a spreadsheet at all? If the spreadsheet has high complexity and high criticality and is used on a frequent basis over a prolonged period, the answer is almost certainly ‘no’. Whatever the conclusion we reach on whether or not we should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence we need to look for ways and means of improving the level of control.

Solutions

Stage four entails implementing control solutions. The first priority for a high-risk spreadsheet is usually to ensure that it is doing what it was designed to do, which is usually achieved through a spreadsheet review. A spreadsheet review tests the logical security, internal consistency and arithmetic accuracy of the formulae, algorithms and calculations within all cells of the selected spreadsheets. Consideration would also often be given to the reasonableness of key assumptions, and the accuracy of data capture. This independent review is designed to provide reasonable assurance that the spreadsheet does not contain material or logical errors.

Unfortunately, a spreadsheet review only represents a point-in-time assessment. Having established the integrity of the spreadsheet, it is important to implement controls that provide us with reasonable assurance going forward.

Defining a Spreadsheet Control Framework, such as that illustrated in figure 1, will ensure that all aspects of spreadsheet management are addressed.

Figure 1: Spreadsheet control framework. Spreadsheet Policy; Roles and responsibilities; Control Processes; Minimum Standards.

The diagram shows that there are four key aspects to such a framework. Spreadsheet policy ensures that senior management’s expectations are clearly communicated to the businesses and sets down the ground rules governing the use of spreadsheets. Roles and responsibilities define the requirements for identifying spreadsheet owners and set out what is expected of the owner and other key individuals. Control processes make clear the key steps around security, change, release management and monitoring of spreadsheets, given the nature of a particular spreadsheet and its risk classification. Finally, minimum standards communicate the baseline standards that any spreadsheet, whatever the classification, is required to comply with.

Currently there are a number of commercial solutions to assist with the operation of key control processes within the Spreadsheet Control Framework, some of which are extremely powerful. These automated solutions can help fine-tune security and enforce change management and data retention policies. Some also provide very powerful tools for audit and review.

However, such tools vary significantly in terms of price, quality and practicality. A solution that might be appropriate for a large multinational may not be appropriate for a much smaller organisation. Many organisations will in practice require a mixture of guidance, policies, and one or more tools, to cost effectively manage the risk.

If automated solutions for spreadsheet management are desirable, and for any organisation with a significant number of high-risk spreadsheets they should be, then care should be taken with the software selection process to ensure the business gets the solutions it needs.

For most businesses spreadsheets are prepared using Microsoft Excel. Another very powerful and useful, but occasionally dangerous, tool is Microsoft Access. When performing a review of spreadsheets internal auditors should also be looking to pick up any user-managed databases. In most cases, analysis performed in databases is of high complexity. In our experience, if databases have been implemented by the business and are not managed by IT, then the likelihood of error is high. The principles set out above apply equally well to databases or other user-managed data analysis tools.

Jonathan Wyatt is managing director of technology risk and Scott Bolderson is associate director of technology risk at the consultant Protiviti.

“Spreadsheet policy ensures that senior management's expectations are clearly communicated to the businesses and set down the ground rules governing the use of spreadsheets”
