
Excel In Managing Spreadsheet Risk



Finance would be virtually unthinkable without the humble spreadsheet. Jonathan Wyatt and Scott Bolderson offer advice on how to minimise the risks of using this ubiquitous business tool.

The risk associated with the use of spreadsheets has become increasingly high profile over the last couple of years. Businesses that are required to comply with the Sarbanes-Oxley Act are likely to have created an inventory of spreadsheets deemed critical to the financial reporting process. The number of spreadsheets identified has been a surprise to many businesses. Those who have not been through this process may not have a clue about how many spreadsheets exist in their organisation.

Unfortunately, having prepared the inventories and assessed this risk, many businesses have not been able to identify practical solutions and have found themselves asking the question, what do we do next? The good news is that there are solutions out there. But the bad news is that for many businesses the spreadsheets identified to date are only the tip of the iceberg. Whilst an inventory prepared for the Sarbanes-Oxley Act is a good start, it is important to remember that the Sarbanes-Oxley Act is only about financial reporting risk. Spreadsheet risk is pervasive across the business as a whole.

Attitude

There are four key stages to managing spreadsheet risk (see Key stages). A good place to start is the areas of highest risk, which entails considering the business's attitude to risk. What is it that keeps senior management awake at night? What decisions do we take that could have a significant impact on shareholder value? What could seriously damage our reputation? Work should be prioritised on those areas of highest risk.

Key stages
  • Identify potentially critical spreadsheets
  • Understand the risk profile
  • Assess spreadsheet controls
  • Implement control solutions

Whilst an inherent risk assessment can be helpful, another key question to ask is where does the business place heavy reliance on spreadsheets? The middle management team is usually very aware of which core applications do not provide the information that management requires and where spreadsheets are as a result widely used. A simple self-assessment survey can generate very useful results.

Having identified high-risk areas, the next stage is to prepare an inventory or register of the spreadsheets in use. Once again, there are many ways of putting together the inventory and how the inventory is prepared is not important. However, in our experience a walkthrough of key business processes is one of the best ways of ensuring that all critical spreadsheets are identified. Automated tools can also be used to scan networks for important spreadsheets. Key attributes such as File Size and Last Modified date can be used to identify potentially current and complex spreadsheets. Sequential filenames can also be a giveaway of regular analysis.

It is important to pick up spreadsheets supporting analyses on which decisions are made, spreadsheets used for presentation and reporting purposes, spreadsheets that drive assumptions that feed into other systems (or other spreadsheets), spreadsheets that support the control environment, that monitor processes with a view to detecting errors, and spreadsheets that are used for data capture or to process adjustments.

For each spreadsheet, it is important to capture who is deemed the spreadsheet owner(s); who designed and built the spreadsheet; key data maintained in the spreadsheet; frequency with which the analysis is prepared; what the spreadsheet is used for; and details of interfaces to/from the spreadsheet. This information is important in making an assessment of the significance of the spreadsheet.

Priorities

The next stage is to assess the importance of each spreadsheet, which will enable the business to prioritise on the spreadsheets that matter. Each spreadsheet should be considered from two perspectives: criticality and complexity. By understanding the functions performed by the spreadsheet and the overall control environment in which it operates we can make an assessment of the criticality of the spreadsheet to the organisation.

A common mistake is to assess criticality only in terms of direct financial loss resulting from an error in the spreadsheet. Whilst potential for direct financial loss as a result of error is clearly important, there are other factors to take into account. For example, organisations may wish to consider the sensitivity of the information contained in the spreadsheet and the impact of information in the spreadsheet getting into the wrong hands. Or the opportunity to use the spreadsheet to perpetrate fraud, for example by inflating budgets, covering up poor performance, manipulating key information on which bonus payments are based. Or the reliance on the spreadsheet as a key control over a business critical process.

When considering the criticality of a spreadsheet it is important to not only consider the functions that the spreadsheet is performing but other controls that operate which may mitigate any risk associated with the spreadsheet. When performing the assessment, it is rarely practical to use a linear scale of 1 to 5 for this, so more subjective descriptions are needed.

For example, one may indicate that no key business decisions are made based on the information. The risk materialising would be of embarrassment to those directly associated with the spreadsheet, but would have no real long term impact on the business. Three may indicate that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a significant loss to the business. Information contained in the spreadsheet is sensitive and employees could exploit the information if they had access to it. And five may mean that an error in the spreadsheet or a delay in preparation of the spreadsheet may result in a material loss to the business. Information contained in the spreadsheet is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The spreadsheet could be used to perpetrate senior management fraud.

Scale

The scale does not usually start at 0. This is for the simple reason that if internal audit identifies a spreadsheet in which an error would have no impact on the business, then the spreadsheet is probably not needed.

Assessing the complexity of a spreadsheet is relatively straightforward and once again we tend to adopt a 5-point scale. Spreadsheets range in complexity from simple worksheets to large and complex models with many worksheets, links and formulae. It is also helpful to have an understanding of the complexity when evaluating the type and level of control to implement around the spreadsheet.

Assessing a spreadsheet's complexity can be based on a number of criteria. For example, the size or scale of the spreadsheet; the spreadsheet layout and design; the formulae design; and logical complexity. There are a number of relatively cheap automated solutions in the market place that will perform this calculation based on specific criteria defined by the user. A manual approach is often less efficient and can lead to inconsistencies.

When assessing complexity, it is important to also consider the complexity of the subject matter, not just the form of the spreadsheet. Some form of judgement is required. Having performed the analysis, some form of risk map should determine if further action is required and to prioritise the work.

Assessing spreadsheet controls is often the simplest stage as it is usually the case that no controls, or at best inadequate controls, exist. It is as a result usually a relatively quick process to assess the existing controls. The type of controls required would be dependent on the nature of the risk identified in stage two.

The key controls in a spreadsheet to provide assurance over its integrity would typically include such issues as access controls. For example, the spreadsheet should be stored in an appropriate location on the network and it may be appropriate to use passwords to control access to the spreadsheet. Design methods could be important: for a relatively complex spreadsheet it is important to design the spreadsheet so as to reduce the risk of errors arising. And integrity checks: check totals should be built into the spreadsheet to highlight errors arising from incomplete or inaccurate data capture.

At this stage the question should arise, should we really be using a spreadsheet at all? If the spreadsheet has high complexity and high criticality and is used on a frequent basis over a prolonged period, the answer is almost certainly 'no'. Whatever the conclusion we reach on whether or not we should be using the spreadsheet, the likelihood is that it is here to stay, at least in the short term, and hence we need to look for ways and means of improving the level of control.

Solutions

Stage four entails implementing control solutions. The first priority for a high-risk spreadsheet is usually to ensure that it is doing what it was designed to do, which is usually achieved through a spreadsheet review. A spreadsheet review tests the logical security, internal consistency and arithmetic accuracy of the formulae, algorithms and calculations within all cells of the selected spreadsheets. Consideration would also often be given to the reasonableness of key assumptions, and the accuracy of data capture. This independent review is designed to provide reasonable assurance that the spreadsheet does not contain material or logical errors.

Unfortunately, a spreadsheet review only represents a point in time assessment. Having established the integrity of the spreadsheet, it is important to implement controls that provide us with reasonable assurance going forward.

Defining a Spreadsheet Control Framework, such as that illustrated in figure 1, will ensure that all aspects of spreadsheet management are addressed. The diagram shows that there are four key aspects to such a framework. Spreadsheet policy ensures that senior management's expectations are clearly communicated to the businesses and sets down the ground rules governing the use of spreadsheets. Roles and responsibilities define the requirements for identifying spreadsheet owners and setting out what is expected of the owner and other key individuals. Control processes make clear the key steps around security, change, release management and monitoring of spreadsheets given the nature of a particular spreadsheet and given its risk classification. Finally, minimum standards communicate the baseline standards that any spreadsheet, whatever the classification, is required to comply with.

Figure 1: Spreadsheet control framework (Spreadsheet Policy; Roles and responsibilities; Control Processes; Minimum Standards)

Currently there are a number of commercial solutions to assist with the operation of key control processes within the Spreadsheet Control Framework, some of which are extremely powerful. These automated solutions can help fine tune security and enforce change management and data retention policies. Some also provide very powerful tools for audit and review. However, such tools vary significantly in terms of price, quality and practicality. A solution that might be appropriate for a large multinational may not be appropriate for a much smaller organisation. Many organisations will in practice require a mixture of guidance, policies, and one or more tools, to cost effectively manage the risk.

If automated solutions for spreadsheet management are desirable, and for any organisation with a significant number of high-risk spreadsheets they should be, then care should be taken with the software selection process to ensure the business gets the solutions it needs.

For most businesses spreadsheets are prepared using Microsoft Excel. Another very powerful and useful, but occasionally dangerous tool, is Microsoft Access. When performing a review of spreadsheets internal auditors should also be looking to pick up any user-managed databases. In most cases, analysis performed in databases is of high complexity. In our experience, if databases have been implemented by the business and are not managed by IT, then the likelihood of error is high. The principles set out above apply equally well to databases or other user managed data analysis tools.

Jonathan Wyatt is managing director of technology risk and Scott Bolderson is associate director of technology risk at the consultant Protiviti.
Internal Auditing & Business Risk | February 2006
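The network scan mentioned in the inventory stage (file size, last-modified date and sequential filenames as indicators), sketched as an added Python example that is not from the article or from any commercial tool. The extension list, the 1 MB and 90-day thresholds and all function names are assumptions to adjust for the estate being reviewed.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions treated as user-managed analysis files (assumption; Access files
# are included because the article asks reviewers to pick up user databases).
EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".mdb", ".accdb"}

def scan(root):
    """Walk a file share and return (path, size_bytes, modified) per candidate file."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXTENSIONS:
                path = os.path.join(folder, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # unreadable or vanished file: skip, do not abort the scan
                found.append((path, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return found

def series_key(path):
    """Folder plus filename with each digit run replaced, so monthly copies collide."""
    folder, name = os.path.split(path)
    return folder, re.sub(r"\d+", "#", name.lower())

def triage(records, now, large_bytes=1_000_000, recent_days=90):
    """Flag each file as large, recent and/or part of a sequentially named series."""
    groups = defaultdict(list)
    for path, _size, _mtime in records:
        groups[series_key(path)].append(path)
    cutoff = now - timedelta(days=recent_days)
    report = []
    for path, size, mtime in records:
        key = series_key(path)
        flags = []
        if size >= large_bytes:
            flags.append("large")    # size as a rough proxy for complexity
        if mtime >= cutoff:
            flags.append("recent")   # still in current use
        if "#" in key[1] and len(groups[key]) > 1:
            flags.append("series")   # numbered siblings suggest a regular analysis
        report.append({"path": path, "size": size, "modified": mtime, "flags": flags})
    # Most flags first: these go to the process walkthrough with the owners first.
    report.sort(key=lambda r: (-len(r["flags"]), r["path"]))
    return report

if __name__ == "__main__":
    for row in triage(scan("."), datetime.now()):
        print(row["modified"].date(), row["size"], ",".join(row["flags"]) or "-", row["path"])
```

The flags only shortlist candidates for the register; criticality still has to be judged with the spreadsheet owner, since a small, rarely changed file can carry highly sensitive data.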