Excel in managing spreadsheet risk


Post on 10-May-2015






Internal Auditing & Business Risk | February 2006

FEATURE

Finance would be virtually unthinkable without the humble spreadsheet. Jonathan Wyatt and Scott Bolderson offer advice on how to minimise the risks of using this ubiquitous business tool.

The risk associated with the use of spreadsheets has become increasingly high profile over the last couple of years. Businesses that are required to comply with the Sarbanes Oxley Act are likely to have created an inventory of spreadsheets deemed critical to the financial reporting process. The number of spreadsheets identified has been a surprise to many businesses. For those who have not been through this process, they may not have a clue about how many spreadsheets exist in their organisation.

Unfortunately, having prepared the inventories, and assessed this risk, many businesses have not been able to identify practical solutions and have found themselves asking the question, what do we do next? The good news is that there are solutions out there. But the bad news is that for many businesses the spreadsheets identified to date are only the tip of the iceberg. Whilst an inventory prepared for the Sarbanes Oxley Act is a good start, it is important to remember that the Sarbanes Oxley Act is only about financial reporting risk. Spreadsheet risk is pervasive across the business as a whole.

"Automated solutions can help fine tune security and enforce change management and data retention policies"

Attitude

There are four key stages to managing spreadsheet risk (see Key stages). A good place to start is the areas of highest risk, which entails considering the business's attitude to risk. What is it that keeps senior management awake at night? What decisions do we take that could have a significant impact on shareholder value? What could seriously damage our reputation? Work should be prioritised on those areas of highest risk.

Whilst an inherent risk assessment can be helpful, another key question to ask is where does the business place heavy reliance on spreadsheets? The middle management team is usually very aware of which core applications do not provide the information that management requires and where spreadsheets are as a result widely used. A simple self-assessment survey can generate very useful results.

Having identified high-risk areas, the next stage is to prepare an inventory or register of the spreadsheets in use. Once again, there are many ways of putting together the inventory and how the inventory is prepared is not important. However, in our experience a walkthrough of key business processes is one of the best ways of ensuring that all critical spreadsheets are identified.

Automated tools can also be used to scan networks for important spreadsheets. Key attributes such as File Size and Last Modified date can be used to identify potentially current and complex spreadsheets. Sequential filenames can also be a giveaway of regular analysis.

It is important to pick up spreadsheets supporting analyses on which decisions are made, spreadsheets used for presentation and reporting purposes, spreadsheets that drive assumptions that feed into other systems (or other spreadsheets), spreadsheets that support the control environment, that monitor processes with a view to detecting errors, and spreadsheets that are used for data capture or to process adjustments.

For each spreadsheet, it is important to capture who is deemed the spreadsheet owner(s); who designed and built the spreadsheet; key data maintained in the spreadsheet; frequency with which the analysis is prepared; what the spreadsheet is used for; and details of interfaces to/from the spreadsheet. This information is important in making an assessment of the significance of the spreadsheet.

Priorities

The next stage is to assess the importance of each spreadsheet, which will enable the business to prioritise on the spreadsheets that matter. Each spreadsheet should be considered from two perspectives: criticality and complexity.

By understanding the functions performed by the spreadsheet and the overall control environment in which it operates we can make an assessment of the criticality of the spreadsheet to the organisation. A common mistake is to assess criticality only in terms of direct financial loss resulting from an error in the spreadsheet. Whilst potential for direct financial loss as a result of error is clearly important, there are other factors to take into account.

Key stages
  • Identify potentially critical spreadsheets
  • Understand the risk profile
  • Assess spreadsheet controls
  • Implement control solutions

For example, organisations may wish to consider the sensitivity of the information contained in the spreadsheet and the impact of information in the spreadsheet getting into the wrong hands. Or the opportunity to use the spreadsheet to perpetrate fraud, for example by inflating budgets, covering up poor performance, manipulating key information on which bonus payments are based. Or the reliance on the spreadsheet as a key control over a business critical process.

When considering the criticality of a spreadsheet it is important to not only consider the functions that the spreadsheet is performing but other controls that operate which may mitigate any risk associated with the spreadsheet. When performing the assessment, it is rarely practical to use a linear scale of 1 to 5 for this, so more subjective descriptions are needed.

For example, one may indicate that no key business decisions are made based on the information. The risk materialising would be of embarrassment to those directly associated with the spreadsheet, but would have no real long term impact on the business. Three may indicate that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a significant loss to the business. Information contained in the spreadsheet is sensitive and employees could exploit the information if they had access to it. And, five may mean that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a material loss to the business. Information contained in the spreadsheet is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The spreadsheet could be used to perpetrate senior management fraud.

Scale

The scale does not usually start at 0. This is for the simple reason that if internal audit identifies a spreadsheet in which an error would have no impact on the business, then the spreadsheet is probably not needed.

Assessing the complexity of a spreadsheet is relatively [...] is also helpful to have an understanding of the complexity when evaluating the type and level of control to implement around the spreadsheet.

Assessing a spreadsheet's complexity can be based on a number of criteria. For example, the size or scale of the spreadsheet; the spreadsheet layout and design; the formulae design; and logical complexity. There are a number of relatively cheap automated solutions in the market place that will perform this calculation based on specific criteria defined by the user. A manual approach is often less efficient and can lead to inconsistencies.

Figure 1: Spreadsheet control framework (Spreadsheet Policy; Roles and responsibilities; Control Processes; Minimum Standards)

When assessing complexity, it is important to also consider the complexity of the subject matter, not just the form of the spreadsheet. Some form of judgement is required. Having performed the analysis, some form of risk map should determine if further action is required and to prioritise the work.

Assessing spreadsheet controls is often the simplest stage as it is usually the case that no controls, or at best inadequate controls, exist. It is as a result usually a relatively quick process to assess the existing controls.

The type of controls required would be dependent on the nature of the risk identified in stage two. [...] appropriate location on the network and it may be appropriate to use passwords to control access to the spreadsheet. Design methods could be important: for a relatively complex spreadsheet it is important to design the spreadsheet so as to reduce the risk of errors arising. And integrity checks: check totals should be built into the spreadsheet to highlight errors arising from incomplete or inaccurate data capture.

At this stage the question should arise, should we really be using a spreadsheet at all? If the spreadsheet has high complexity and high criticality and is used on a frequent basis over a prolonged period, the answer is almost certainly no. Whatever the conclusion we reach on whether or not we should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence we need to look for ways and means of improving the level of control.

Solutions

Stage four entails implementing control solutions. The first priority for a high-risk spreadsheet is usually to ensure that it is doing what it was designed to do, which is usually achieved through a spreadsheet review. A spreadsheet review tests the logical security, internal consistency and arithmetic accuracy of the formulae, algorithms and calculations within all cells of the selected spreadsheets. Consideration would also often be given to the reasonableness of key assumptions, and the accuracy of data capture. This independent review is designed to provide reasonable assurance that the spreadsheet does not contain material or logical errors.

Unfortunately, a spreadsheet review only represents a point in time assessment. Having established the integrity of the spreadsheet, it is important to implement controls that provide us with reasonable assurance going forward. Defini
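The automated inventory scan the article describes (File Size, Last Modified date and sequential filenames as indicators) can be sketched as follows. This is an added example, not code from the article or from any product it alludes to; the extension list, the thresholds and the simple three-flag score are assumptions to tune for the file shares being reviewed.

```python
import os
import re
import sys
import time
from collections import Counter

# Assumed values, not taken from the article.
EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlsb"}
LARGE_BYTES = 1_000_000   # File Size as a rough proxy for complexity
RECENT_DAYS = 90          # Last Modified as a proxy for current use
SERIES_MIN = 3            # numbered files sharing a pattern suggest regular analysis

def series_key(filename):
    """Collapse digit runs so budget_2006_01.xls and budget_2006_02.xls match."""
    return re.sub(r"\d+", "#", filename.lower())

def scan(root, now=None):
    """Walk root and return one inventory record per spreadsheet, riskiest first."""
    now = time.time() if now is None else now
    records, series = [], Counter()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                info = os.stat(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            key = (folder, series_key(name))
            series[key] += 1
            size, mtime = info.st_size, info.st_mtime
            records.append({"path": path, "size": size, "modified": mtime,
                            "large": size >= LARGE_BYTES,
                            "recent": now - mtime <= RECENT_DAYS * 86400,
                            "_key": key})
    for rec in records:
        key = rec.pop("_key")
        # Only names that contain digits can form a numbered series.
        rec["series"] = "#" in key[1] and series[key] >= SERIES_MIN
        rec["score"] = rec["large"] + rec["recent"] + rec["series"]
    return sorted(records, key=lambda r: (-r["score"], r["path"]))

if __name__ == "__main__":
    for r in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(r["score"], r["size"], time.ctime(r["modified"]), r["path"], sep="\t")
```

The output is only a candidate list for the inventory; owner, purpose and interfaces still have to be captured through the walkthroughs the article recommends.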