• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Excel In Managing Spreadsheet Risk Presentation
 

Excel In Managing Spreadsheet Risk Presentation

on

  • 4,291 views

 

Statistics

Views

Total Views
4,291
Views on SlideShare
4,254
Embed Views
37

Actions

Likes
2
Downloads
72
Comments
0

3 Embeds 37

http://strengtheningexcel.wordpress.com 21
http://www.slideshare.net 14
http://translate.googleusercontent.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Excel In Managing Spreadsheet Risk Presentation Excel In Managing Spreadsheet Risk Presentation Presentation Transcript

    • Excel in Managing Spreadsheet Risk
    • Overview
      • Spreadsheet Risk: Real and Reality
      • What next?
      • The Solution: 4 stage approach to managing spreadsheet risk
      • Final Thought
    • Section 1: [Spreadsheet Risk: Real and Reality]
    • Spreadsheet Risk is REAL
      • It is generally accepted that nine out of ten
      • spreadsheets suffer some error, and
      • consequences can be severe:
      • A cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract.
      • A missing minus sign caused Fidelity’s Magellan Fund to overstate projected earnings by $2.6 billion and miss a promised dividend.
      • Falsely-linked spreadsheets permitted fraud totaling $700 million at Allied Irish Bank .
      • Voting officials reported spreadsheet irregularities in New Mexico and South Africa.
      • (Source: Bewig, P. L (2005) How do you know your spreadsheet is
      • right? Principles, Techniques and Practice of Spreadsheet Style).
    • Spreadsheet Risk: Today's REALITY
      • Spreadsheet use has become increasingly high profile :
        • Impact Of Regulatory Compliance
        • … requires enterprise auditability and robust controls to ensure the integrity of data.
        • Sarbanes Oxley Act 2002 (SOA) requirements include the creation of an inventory of spreadsheets deemed critical to the financial reporting process.
        • Basel II – Spreadsheets are not only methods of controlling operational risk (a key pillar of Basel II) but also are themselves a source of operational risk. Effective operational risk controls equates to a reduction in the required regulatory capital under Basel II.
      • (Source: Croll, G. J. (2005) The importance and
      • Criticality of Spreadsheets in the City of London)
        • Also relevant are the ‘8th European Directive’ and ‘IAS 39’ as further examples of compliance applicable to European (and Global) corporations as of 2006.
        • Increasing Complexity
        • Modern corporate practices, coupled with increasingly stringent regulation, cause business functions and activities to continually increase in complexity.
        • Increasingly, spreadsheets are being used as tools to aid such functions and activities which in turn, have an inherent risk and impact associated to this complexity.
        • Risk assessment, and a clear understanding of the potential business, financial and operational impacts that can arise, in the face of such complexity, provides the starting point to consider ‘managing spreadsheet risk’.
      Today's REALITY: continued Spreadsheets, often used to source and manipulate material data, are inextricably integrated within all financial and operational layers of the business.
    • Section 2: [What next?]
    • What do we do next?
      • - In search of practical solutions
      • Many companies have started to take preliminary steps:
      • Risk assessment – consider company approach to risk management
      • Answering such questions as:
      • ‘ What spreadsheets do we have?’
      • ‘ Where does the business place heavy reliance on spreadsheets?’
      • Build an Inventory (… to comply with SOA).
      • But without a clear structure and understanding of how and why we should manage our use of spreadsheets, many companies reach this stage and ask:
      What do we do next?
    • What do we do next? - In search of practical solutions
      • - Tip of the iceberg
        • Proving regulatory compliance, and building an inventory is a start. But to date, regulation is only about financial reporting risk.
        • Whilst risk removal is not possible, management must seek to go beyond compliance to address the true nature and extent of risks that exist and surround the use of spreadsheets.
        • Furthermore, a spreadsheet is a dynamic entity, often used by many individuals potentially spanning several business functions. This presents a huge challenge to audit and maintain, given its continually evolving state.
      Spreadsheet risk is pervasive across the business as a whole.
    • Section 3: [ The Solution]
    • Solution?
      • 4 Key Stages to managing spreadsheet risk:
      A Risk Management Methodology to help a firm initiate, analyze and structure the management of spreadsheets.
    • Key Stage 1 Identify potentially critical spreadsheets.
        • Can typically include spreadsheets that:
          • Support analysis on which decisions are made
          • Are used for presentation and reporting purposes
          • Drive assumptions that feed into other systems
          • Support the control environment
          • Monitor processes with a view to detecting errors
          • Are used for data capture or process adjustments
        • Additional useful information includes capturing the owner and designer of the spreadsheet; key data maintained within the spreadsheet; frequency and purpose of use; interfaces to/from the spreadsheet.
    • Key Stage 2 Understand the risk profile.
        • Consider from two perspectives:
              • Criticality
              • Complexity
        • Assessment should include, but not exclusively ,
        • financial loss resulting from error in the spreadsheet.
        • Equally useful assessment criteria include,
        • Consideration for the sensitivity of the information contained within the spreadsheet
        • Impact of information in the spreadsheet getting into the wrong hands
        • Opportunity to use spreadsheet to perpetuate fraud
        • Reliance on the spreadsheet as a key control over a business critical process
    • Key Stage 2 (cont.) Understand the risk profile.
        • Having performed the analysis, we usually use some form of risk map to determine if further action was required and to prioritize our work. An illustrative spreadsheet risk map may take the following form:
    • Key Stage 2 (cont.) Understand the risk profile.
        • Those spreadsheets falling in the area shaded in red require immediate attention.
        • Spreadsheets falling into the boxes shaded yellow, however, should not be overlooked. A common mistake is to ignore spreadsheets of high criticality but low complexity. It is important to remember that even the simplest of spreadsheets can contain errors, and often do.
        • Some of the spreadsheets in the green area may also require consideration. Particularly those that have been classified as level 3 criticality, on privacy grounds.
    • Transition to Stage 3 Understand the risk profile before you can assess spreadsheet controls.
        • When approaching stage 3, thorough completion of stage 2 is crucial to understand:
            • the scale of complexity of the spreadsheet and ,
            • the level of criticality of the function of the spreadsheet
        • … to enable a complete and comprehensive assessment of the spreadsheet environment and the required surrounding controls.
    • Key Stage 3 Assess spreadsheet controls.
        • What Exists?
        • Analyse and document what controls currently operate that may mitigate any risk associated with the spreadsheet.
        • What is required?
        • Evaluate the type and level of control to implement around the spreadsheet necessary to mitigate risks satisfactorily.
        • Gap analysis
        • The residual required controls to align what controls currently exist with the required level.
    • Key Stage 3 (cont.) Assess spreadsheet controls.
        • Typical Controls:
        • Access, change and input controls
        • Design methods and version control
        • Security of data
        • Data retention
        • Testing/review
        • Documentation
        • Integrity checks and logic inspection
        • Archiving and Back-ups
        • Segregation of duties, roles and responsibilities
    • Key Stage 4 Implement control solutions.
        • First Priority
        • – to ensure the spreadsheet is doing what it was designed to do , through an independent review to test the:
          • logical security,
          • internal consistency and,
          • arithmetic accuracy of formulae, algorithms and calculations within all cells of the selected spreadsheet.
        • However, the review alone represents a snapshot . Having established the integrity of the spreadsheet, it is important to implement controls that provide reasonable assurance going forward.
    • Key Stage 4 (cont.) Implement control solutions.
        • Secondly
        • Defining a Spreadsheet Control Framework, such as that illustrated in figure 3, will ensure that all aspects of spreadsheet management are addressed.
    • Key Stage 4 (cont.) - Spreadsheet Control Framework
        • Spreadsheet policy ensures senior management’s expectations are clearly communicated throughout the business and establishes ground rules governing spreadsheet use.
    • Key Stage 4 (cont.) - Spreadsheet Control Framework
        • Roles and responsibilities define requirements for identifying and outlining expectations of spreadsheet owners and other key personnel.
    • Key Stage 4 (cont.) - Spreadsheet Control Framework
        • Control processes clarify key steps around security, change, monitoring and release management given the nature and risk classification of a particular spreadsheet.
    • Key Stage 4 (cont.) - Spreadsheet Control Framework
        • Minimum standards communicate the baseline standards that any spreadsheet, whatever the classification, is required to comply with.
    • Section 3: [ Final Thought]
    • Final Thought Like it or not, it seems that spreadsheets are here to stay.
        • User-managed databases
        • Reviews should also be looking to pick up any user-managed databases. In most cases, analysis performed in databases is of high complexity. In our experience, if databases have been implemented by the business and are not managed by IT, then the likelihood of error is high.
        • During the review, it is important to ask
        • Should you really be using a spreadsheet at all?
        • If it is of high complexity and criticality the answer is almost certainly No.
        • Whatever the conclusion you reach on whether or not you should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence you need to look for ways and means of improving the level of control.