SlideShare a Scribd company logo

Excel In Managing Spreadsheet Risk

G
greghawes

This document discusses managing risks associated with spreadsheet use. It outlines four key stages: 1) Identify areas of highest risk by considering what keeps senior management awake at night and what decisions could impact shareholder value; 2) Prepare an inventory of spreadsheets, including attributes to identify important ones; 3) Assess the importance of each spreadsheet based on its criticality and complexity; 4) Implement control solutions for high-risk spreadsheets. The risks go beyond just financial reporting to the business as a whole. Automated tools can help with the inventory and risk assessment.

TechnologyBusiness
1 of 4
Download to read offline
0300 IA&BR February 06 9/1/06 20:34 Page 32 FEATURE Excel in managing spreadsheet risk Finance would be virtually unthinkable without the humble spreadsheet. Jonathan Wyatt and Scott Bolderson offer advice on how to minimise the risks of using this ubiquitous business tool T HE RISK ASSOCIATED only about financial reporting management requires and where with the use of Risk. Spreadsheet risk is pervasive spreadsheets are as a result spreadsheets has become across the business as a whole. widely used. A simple self- increasingly high profile assessment survey can generate Attitude over the last couple of years. very useful results. Businesses that are required to There are four key stages to Having identified high-risk comply with the Sarbanes Oxley managing spreadsheet risk (See Key areas, the next stage is to prepare Act are likely to have created an stages). A good place to start is the an inventory or register of the inventory of spreadsheets deemed areas of highest risk, which entails spreadsheets in use. Once again, critical to the financial reporting considering the business’s attitude there are many ways of putting process. The number of to risk. What is it that keeps senior together the inventory and how the spreadsheets identified has been a inventory is surprise to many businesses. For prepared is not “Automated solutions can help fine tune those who have not been through important. security and enforce change management this process, they may not have a However, in our and data retention policies” clue about how many spreadsheets experience a exist in their organisation. walkthrough of Unfortunately, having key business prepared the inventories, and management awake at night? What processes is one of the best ways of assessed this risk, many decisions do we take that could ensuring that all critical businesses have not been able to have a significant impact on spreadsheets are identified. identify practical solutions and shareholder value? What could Automated tools can also be used have found themselves asking the seriously damage our reputation? to scan networks for important question, what do we do next? Work should be prioritised on spreadsheets. Key attributes such The good news is that there are those areas of highest risk. as File Size and Last Modified date solutions out there. But the bad Whilst an inherent risk can be used to identify potentially news is that for many businesses assessment can be helpful, another current and complex spreadsheets. the spreadsheets identified to date key question to ask is where does Sequential filenames can also be a are only the tip of the iceberg. the business place heavy reliance give away of regular analysis. Whilst an inventory prepared for on spreadsheets? The middle It is important to pick up the Sarbanes Oxley Act is a good management team is usually very spreadsheets supporting analyses start, it is important to remember aware of which core applications on which decisions are made, that the Sarbanes Oxley Act is do not provide the information that spreadsheets used for 32 Internal Auditing & Business Risk | February 2006
0300 IA&BR February 06 9/1/06 20:34 Page 33 FEATURE presentation and reporting purposes, spreadsheets that drive assumptions that feed into other systems (or other spreadsheets), spreadsheets that support the control environment, that monitor processes with a view to detecting errors, and spreadsheets that are used for data capture or to process adjustments. For each spreadsheet, it is important to capture who is deemed the spreadsheet owner(s); who designed and built the spreadsheet; key data maintained in the spreadsheet; frequency with which the analysis is prepared; what the spreadsheet is used for; and details of interfaces to/from the spreadsheet. This information is important in making an assessment of the significance of the spreadsheet. Priorities The next stage is to assess the importance of each spreadsheet, which will enable the business to prioritise on the spreadsheets that matter. Each spreadsheet should be considered from two perspectives: criticality and complexity. By understanding the functions performed by the spreadsheet and the overall control environment in which it operates we can make an assessment of the criticality of the spreadsheet to the organisation. A common mistake is to assess criticality only in terms of direct Key stages • Identify potentially critical spreadsheets • Understand the risk profile • Assess spreadsheet controls • Implement control solutions financial loss resulting from an error in the spreadsheet. Whilst potential for direct financial loss as a result of error is clearly important, there are other factors to take into account. For example, organisations may wish to consider the sensitivity of the information contained in the spreadsheet and the impact of information in the spreadsheet getting into the wrong hands. Or the opportunity to use the spreadsheet to perpetrate ➲ 33 February 2006 | Internal Auditing & Business Risk
0300 IA&BR February 06 9/1/06 20:34 Page 34 FEATURE is also helpful to have an appropriate location on the ➲ fraud, for example by inflating understanding of the complexity network and it may be appropriate budgets, covering up poor when evaluating the type and to use passwords to control access performance, manipulating key level of control to implement to the spreadsheet. Design information on which bonus around the spreadsheet. methods could be important: for a payments are based. Or the reliance Assessing a spreadsheet’s relatively complex spreadsheet it is on the spreadsheet as a key control complexity can be based on a important to design the over a business critical process. number of criteria. For example, the spreadsheet so as to reduce the risk When considering the criticality size or scale of the spreadsheet; the of errors arising. And integrity of a spreadsheet it is important to spreadsheet layout and design; the checks: check totals should be built not only consider the functions that formulae design; and logical into the spreadsheet to highlight the spreadsheet is performing but complexity. There are a number of errors arising from incomplete or other controls that operate which relatively cheap automated inaccurate data capture. may mitigate any risk associated solutions in the market place that At this stage the question with the spreadsheet. When will perform this calculation based should arise, should we really be performing the assessment, it is on specific criteria defined by the using a spreadsheet at all? If the rarely practical to use a linear scale user. A manual approach is often spreadsheet has high complexity of 1 to 5 for this, so more subjective less efficient and can lead to and high criticality and is used on a descriptions are needed. inconsistencies. frequent basis over a prolonged For example, one may indicate period, the answer is almost that no key business decisions are certainly ‘no’. Whatever the made based on the information. Figure 1 conclusion we reach on whether or The risk materialising would be of Spreadsheet control not we should be using the embarrassment to those directly spreadsheet, the likelihood is that it associated with the spreadsheet, but framework is here to stay, at least in the short would have no real long term term, and hence we need to look for impact on the business. Three may ways and means of improving the indicate that an error in the level of control. spreadsheet or a delay in preparation of the spreadsheet may Spreadsheet Policy Solutions result a significant loss to the Stage four entails implementing business. Information contained in control solutions. The first priority the spreadsheet is sensitive and for a high-risk spreadsheet is employees could exploit the usually to ensure that it is doing information if they had access to it. what is was designed to do, which And, five may mean that an error in is usually achieved through a the spreadsheet or a delay in Roles and Control Minimum spreadsheet review. A spreadsheet preparation of the spreadsheet may responsibilities Processes Standards review tests the logical security, result a material loss to the internal consistency and arithmetic business. Information contained in accuracy of the formulae, the spreadsheet is highly sensitive When assessing complexity, it is algorithms and calculations within and inappropriate disclosure may important to also consider the all cells of the selected spreadsheets. be exploited by markets or complexity of the subject matter, Consideration would also often be competitors or could be in breach of not just the form of the spreadsheet. given to the reasonableness of key legislation (such as data protection Some form of judgement is assumptions, and the accuracy of legislation). The spreadsheet could required. Having performed the data capture. This independent be used to perpetrate senior analysis, some form of risk map review is designed to provide management fraud. should determine if further action is reasonable assurance that the Scale required and to prioritise the work. spreadsheet does not contain Assessing spreadsheet material or logical errors. The scale does not usually start at 0. controls is often the simplest Unfortunately, a spreadsheet This is for the simple reason that if stage as it is usually the case that review only represents a point in internal audit identifies a no controls, or at best inadequate time assessment. Having spreadsheet in which an error controls, exist. It is as a result established the integrity of the would have no impact on the usually a relatively quick process spreadsheet, it is important to business, then the spreadsheet is to assess the existing controls. implement controls that provide probably not needed. The type of controls required us with reasonable assurance Assessing the complexity of a would be dependent on the nature going forward. spreadsheet is relatively of the risk identified in stage two. Defining a Spreadsheet straightforward and once again The key controls in a spreadsheet to Control Framework, such as that we tend to adopt a 5-point scale. provide assurance over its integrity illustrated in figure 1, will ensure Spreadsheets range in complexity would typically include such issues that all aspects of spreadsheet from simple worksheets to large as access controls. For example, the management are addressed. and complex models with many spreadsheet should be stored in an The diagram shows that there worksheets, links and formulae. It 34 Internal Auditing & Business Risk | February 2006
p35xx 13/1/06 12:27 PM Page 1 FEATURE are four key aspects to such a tune security and enforce change then care should be taken with the framework. Spreadsheet policy management and data retention software selection process to ensures that senior management’s policies. Some also provide very ensure the business gets the expectations are clearly powerful tools for audit and review. solutions it needs. communicated to the businesses However, such tools vary For most businesses and set down the ground rules significantly in terms of price, spreadsheets are prepared using governing the use of spreadsheets. quality and practicality. A solution Microsoft Excel. Another very Roles and responsibilities define that might be appropriate for a powerful and useful, but the requirements for identifying large multinational may not be occasionally dangerous tool, is spreadsheet owners and setting Microsoft Access. When performing out what is expected of the owner a review of spreadsheets internal “Spreadsheet policy ensures that senior and other key individuals. Control auditors should also be looking to processes make clear the key steps pick up any user-managed management's expectations are clearly around security, change, release databases. In most cases, analysis communicated to the businesses and set management and monitoring of performed in databases is of high down the ground rules governing the use spreadsheets given the nature of a complexity. In our experience, if particular spreadsheet and given databases have been implemented of spreadsheets” its risk classification. Finally, by the business and are not minimum standards to managed by IT, then the likelihood communicate the baseline appropriate for a much smaller of error is high. The principles set standards that any spreadsheet, organisation. Many organisations out above apply equally well to whatever the classification, is will in practice require a mixture databases or other user managed required to comply with. of guidance, policies, and one or data analysis tools. Currently there are a number of more tools, to cost effectively commercial solutions to assist with manage the risk. Jonathan Wyatt is the operation of key control If automated solutions for managing director of technology risk and Scott processes within the Spreadsheet spreadsheet management are Bolderson is associate director Control Framework, some of which desirable, and for any organisation of technology risk at the are extremely powerful. These with a significant number of high- consultant Protiviti automated solutions can help fine risk spreadsheets they should be, Business and technology cannot Protiviti be separated. As businesses have www.isaca.org/eurocacs is a Gold Sponsor become more reliant on technology, IT risk. at this year’s ISACA so the associated risks have grown. EuroCACS event. Visit Now more than ever it is essential to us from 19-22 March address the challenges around new 2006 at the Hilton technologies, escalating costs and London Metropole Hotel. compliance with regulations. ADVERT Seen clearly, Protiviti specialists ensure that your technology delivers more results and fewer regrets. controlled effect vely. Call +44 (0)20 7930 8808 or visit protiviti.co.uk Page 35 Technology Risk Internal Audit Business Risk - Application Controls Effectiveness - Audit Committee Advisory - Integrity Risk Services (including - Information Security - Start-up and Development Advice fraud, computer forensics and - IT Operations and Service Delivery - Outsourcing and Co-sourcing anti-money laundering) - End User Computing including IT Audit Services - Regulatory Compliance and - Internal Audit Quality Corporate Governance Assurance Review - Enterprise Risk Management - Supply Chain and Revenue Assurance © 2006 Protiviti Ltd. 35 February 2006 | Internal Auditing & Business Risk

Recommended

Excel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk PresentationExcel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
The Use of Spreadsheets in Commodity Trading – 2015
The Use of Spreadsheets in Commodity Trading – 2015The Use of Spreadsheets in Commodity Trading – 2015
The Use of Spreadsheets in Commodity Trading – 2015
CTRM Center
 
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Datonix.it
 
5 reasons why spreadsheet based risk management systems don’t work
5 reasons why spreadsheet based risk management systems don’t work5 reasons why spreadsheet based risk management systems don’t work
5 reasons why spreadsheet based risk management systems don’t work
Risk Edge Solutions
 
Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...
Symmetry™
 
Conquer Process Improvement With These 9 Lean Six Sigma Tools
Conquer Process Improvement With These 9 Lean Six Sigma ToolsConquer Process Improvement With These 9 Lean Six Sigma Tools
Conquer Process Improvement With These 9 Lean Six Sigma Tools
QuekelsBaro
 
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Vincent Pelly
 
Disaster Recovery Planning: untapped Success Factor in an Organization
Disaster Recovery Planning: untapped Success Factor in an OrganizationDisaster Recovery Planning: untapped Success Factor in an Organization
Disaster Recovery Planning: untapped Success Factor in an Organization
vishal dineshkumar soni
 

Recommended

Excel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk PresentationExcel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk Presentation
greghawes
 
The Use of Spreadsheets in Commodity Trading – 2015
The Use of Spreadsheets in Commodity Trading – 2015The Use of Spreadsheets in Commodity Trading – 2015
The Use of Spreadsheets in Commodity Trading – 2015
CTRM Center
 
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Ontonix Complexity Measurement and Predictive Analytics WP Oct 2013
Datonix.it
 
5 reasons why spreadsheet based risk management systems don’t work
5 reasons why spreadsheet based risk management systems don’t work5 reasons why spreadsheet based risk management systems don’t work
5 reasons why spreadsheet based risk management systems don’t work
Risk Edge Solutions
 
Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...
Symmetry™
 
Conquer Process Improvement With These 9 Lean Six Sigma Tools
Conquer Process Improvement With These 9 Lean Six Sigma ToolsConquer Process Improvement With These 9 Lean Six Sigma Tools
Conquer Process Improvement With These 9 Lean Six Sigma Tools
QuekelsBaro
 
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Data Center Critical Infrastructure Risk and Vulnerabilities- Impact to Capit...
Vincent Pelly
 
Disaster Recovery Planning: untapped Success Factor in an Organization
Disaster Recovery Planning: untapped Success Factor in an OrganizationDisaster Recovery Planning: untapped Success Factor in an Organization
Disaster Recovery Planning: untapped Success Factor in an Organization
vishal dineshkumar soni
 
Executive information sysytem
Executive information sysytemExecutive information sysytem
Executive information sysytem
Himanshu Sahu
 
Risk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivediRisk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivedi
Em Red
 
Disaster recovery white_paper
Disaster recovery white_paperDisaster recovery white_paper
Disaster recovery white_paper
CMR WORLD TECH
 
A Study of Automated Decision Making Systems
A Study of Automated Decision Making SystemsA Study of Automated Decision Making Systems
A Study of Automated Decision Making Systems
inventy
 
Executive Supportive System
Executive Supportive SystemExecutive Supportive System
Executive Supportive System
sadhish jain
 
Equipment Criticality Analysis
Equipment Criticality AnalysisEquipment Criticality Analysis
Equipment Criticality Analysis
Ricky Smith CMRP, CMRT
 
Implementing ERP In Public Sector
Implementing ERP In Public SectorImplementing ERP In Public Sector
Implementing ERP In Public Sector
ggauthority
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
Lars Trieloff
 
Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...
Alex Apostolou
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical Control
Alex Liang
 
Systems analysis and design (abe)
Systems analysis and design (abe)Systems analysis and design (abe)
Systems analysis and design (abe)
International University of Management
 
Information and communication systems
Information and communication systemsInformation and communication systems
Information and communication systems
Yasmina Rayeh
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
Priya Tomar
 
Risk_Technology
Risk_TechnologyRisk_Technology
Risk_Technology
Tom Patterson CPA CISA
 
Understanding Stratex Risk Events
Understanding Stratex Risk EventsUnderstanding Stratex Risk Events
Understanding Stratex Risk Events
Ascendore Limited
 
BCBS Information Article By Mike Gowlett
BCBS Information Article By Mike GowlettBCBS Information Article By Mike Gowlett
BCBS Information Article By Mike Gowlett
Michael Gowlett PMP, Prince 2 Practitioner
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1
Ozdocs
 
Risk assesment template
Risk assesment templateRisk assesment template
Risk assesment template
Glen Alleman
 
Pivotal CRM - Analytics
Pivotal CRM - Analytics Pivotal CRM - Analytics
Pivotal CRM - Analytics
Pivotal CRM
 
Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2
Growth Strategy Services, LLC.
 
Business analytics for the CIO
Business analytics for the CIOBusiness analytics for the CIO
Business analytics for the CIO
Manish Nair
 
Kapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGTKapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGT
Gary Kapanowski
 

More Related Content

What's hot

Executive information sysytem
Executive information sysytemExecutive information sysytem
Executive information sysytem
Himanshu Sahu
 
Risk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivediRisk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivedi
Em Red
 
Disaster recovery white_paper
Disaster recovery white_paperDisaster recovery white_paper
Disaster recovery white_paper
CMR WORLD TECH
 
A Study of Automated Decision Making Systems
A Study of Automated Decision Making SystemsA Study of Automated Decision Making Systems
A Study of Automated Decision Making Systems
inventy
 
Executive Supportive System
Executive Supportive SystemExecutive Supportive System
Executive Supportive System
sadhish jain
 
Equipment Criticality Analysis
Equipment Criticality AnalysisEquipment Criticality Analysis
Equipment Criticality Analysis
Ricky Smith CMRP, CMRT
 
Implementing ERP In Public Sector
Implementing ERP In Public SectorImplementing ERP In Public Sector
Implementing ERP In Public Sector
ggauthority
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
Lars Trieloff
 
Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...
Alex Apostolou
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical Control
Alex Liang
 
Systems analysis and design (abe)
Systems analysis and design (abe)Systems analysis and design (abe)
Systems analysis and design (abe)
International University of Management
 
Information and communication systems
Information and communication systemsInformation and communication systems
Information and communication systems
Yasmina Rayeh
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
Priya Tomar
 
Risk_Technology
Risk_TechnologyRisk_Technology
Risk_Technology
Tom Patterson CPA CISA
 
Understanding Stratex Risk Events
Understanding Stratex Risk EventsUnderstanding Stratex Risk Events
Understanding Stratex Risk Events
Ascendore Limited
 
BCBS Information Article By Mike Gowlett
BCBS Information Article By Mike GowlettBCBS Information Article By Mike Gowlett
BCBS Information Article By Mike Gowlett
Michael Gowlett PMP, Prince 2 Practitioner
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1
Ozdocs
 
Risk assesment template
Risk assesment templateRisk assesment template
Risk assesment template
Glen Alleman
 

What's hot (18)

Executive information sysytem
Executive information sysytemExecutive information sysytem
Executive information sysytem
 
Risk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivediRisk management by Deepak kumar dwivedi
Risk management by Deepak kumar dwivedi
 
Disaster recovery white_paper
Disaster recovery white_paperDisaster recovery white_paper
Disaster recovery white_paper
 
A Study of Automated Decision Making Systems
A Study of Automated Decision Making SystemsA Study of Automated Decision Making Systems
A Study of Automated Decision Making Systems
 
Executive Supportive System
Executive Supportive SystemExecutive Supportive System
Executive Supportive System
 
Equipment Criticality Analysis
Equipment Criticality AnalysisEquipment Criticality Analysis
Equipment Criticality Analysis
 
Implementing ERP In Public Sector
Implementing ERP In Public SectorImplementing ERP In Public Sector
Implementing ERP In Public Sector
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
 
Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...Safety in design paper a live picture of organisational risk by linking risk...
Safety in design paper a live picture of organisational risk by linking risk...
 
Operational Risk Management System with Statistical Control
Operational Risk Management System with Statistical ControlOperational Risk Management System with Statistical Control
Operational Risk Management System with Statistical Control
 
Systems analysis and design (abe)
Systems analysis and design (abe)Systems analysis and design (abe)
Systems analysis and design (abe)
 
Information and communication systems
Information and communication systemsInformation and communication systems
Information and communication systems
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
 
Risk_Technology
Risk_TechnologyRisk_Technology
Risk_Technology
 
Understanding Stratex Risk Events
Understanding Stratex Risk EventsUnderstanding Stratex Risk Events
Understanding Stratex Risk Events
 
BCBS Information Article By Mike Gowlett
BCBS Information Article By Mike GowlettBCBS Information Article By Mike Gowlett
BCBS Information Article By Mike Gowlett
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1
 
Risk assesment template
Risk assesment templateRisk assesment template
Risk assesment template
 

Similar to Excel In Managing Spreadsheet Risk

Pivotal CRM - Analytics
Pivotal CRM - Analytics Pivotal CRM - Analytics
Pivotal CRM - Analytics
Pivotal CRM
 
Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2
Growth Strategy Services, LLC.
 
Business analytics for the CIO
Business analytics for the CIOBusiness analytics for the CIO
Business analytics for the CIO
Manish Nair
 
Kapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGTKapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGT
Gary Kapanowski
 
Map r whitepaper_zeta_architecture
Map r whitepaper_zeta_architectureMap r whitepaper_zeta_architecture
Map r whitepaper_zeta_architecture
Narender Kumar
 
Erp
ErpErp
Erp
Dr. SURAJ KUMAR MUKTI
 
Charisma Analyzer - Business Intelligence Software
Charisma Analyzer - Business Intelligence SoftwareCharisma Analyzer - Business Intelligence Software
Charisma Analyzer - Business Intelligence Software
TotalSoft
 
1 K E Y Data Sheet
1 K E Y Data Sheet1 K E Y Data Sheet
1 K E Y Data Sheet
Sanjay Mehta
 
1KEY 2.0.2 Datasheet
1KEY 2.0.2 Datasheet1KEY 2.0.2 Datasheet
1KEY 2.0.2 Datasheet
Dhiren Gala
 
Chapter 3 E R P And Related Tech Alexis Leon
Chapter 3 E R P And Related Tech Alexis LeonChapter 3 E R P And Related Tech Alexis Leon
Chapter 3 E R P And Related Tech Alexis Leon
Sonali Chauhan
 
White Paper Data Quality Process Design For Ad Hoc Reporting
White Paper Data Quality Process Design For Ad Hoc ReportingWhite Paper Data Quality Process Design For Ad Hoc Reporting
White Paper Data Quality Process Design For Ad Hoc Reporting
macrochaotic
 
Best practise in data management
Best practise in data managementBest practise in data management
Best practise in data management
Pravitha Flockhart
 
Pw Cwp Spreadsheet404 Sarbox
Pw Cwp Spreadsheet404 SarboxPw Cwp Spreadsheet404 Sarbox
Pw Cwp Spreadsheet404 Sarbox
greghawes
 
HCLT Whitepaper: Enterprise Analytic Dashboard
HCLT Whitepaper: Enterprise Analytic DashboardHCLT Whitepaper: Enterprise Analytic Dashboard
HCLT Whitepaper: Enterprise Analytic Dashboard
HCL Technologies
 
Dyna Trace Whitepaper Performance
Dyna Trace Whitepaper PerformanceDyna Trace Whitepaper Performance
Dyna Trace Whitepaper Performance
gopi1985
 
Harnessing the Power of an Enterprise IT Dashboard - uptime software
Harnessing the Power of an Enterprise IT Dashboard - uptime softwareHarnessing the Power of an Enterprise IT Dashboard - uptime software
Harnessing the Power of an Enterprise IT Dashboard - uptime software
uptime software
 
Fqm Brochure
Fqm BrochureFqm Brochure
Fqm Brochure
jennifer_russo
 
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra EngineWhy And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Kuzinski
 
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra EngineWhy And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Kuzinski
 
Getting Started with Advanced Network Operations
Getting Started with Advanced Network OperationsGetting Started with Advanced Network Operations
Getting Started with Advanced Network Operations
Schneider Electric
 

Similar to Excel In Managing Spreadsheet Risk (20)

Pivotal CRM - Analytics
Pivotal CRM - Analytics Pivotal CRM - Analytics
Pivotal CRM - Analytics
 
Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2Genpact_IPIE_an_analytics_foundation_v2
Genpact_IPIE_an_analytics_foundation_v2
 
Business analytics for the CIO
Business analytics for the CIOBusiness analytics for the CIO
Business analytics for the CIO
 
Kapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGTKapanowski LEAN_VISUAL_MGT
Kapanowski LEAN_VISUAL_MGT
 
Map r whitepaper_zeta_architecture
Map r whitepaper_zeta_architectureMap r whitepaper_zeta_architecture
Map r whitepaper_zeta_architecture
 
Erp
ErpErp
Erp
 
Charisma Analyzer - Business Intelligence Software
Charisma Analyzer - Business Intelligence SoftwareCharisma Analyzer - Business Intelligence Software
Charisma Analyzer - Business Intelligence Software
 
1 K E Y Data Sheet
1 K E Y Data Sheet1 K E Y Data Sheet
1 K E Y Data Sheet
 
1KEY 2.0.2 Datasheet
1KEY 2.0.2 Datasheet1KEY 2.0.2 Datasheet
1KEY 2.0.2 Datasheet
 
Chapter 3 E R P And Related Tech Alexis Leon
Chapter 3 E R P And Related Tech Alexis LeonChapter 3 E R P And Related Tech Alexis Leon
Chapter 3 E R P And Related Tech Alexis Leon
 
White Paper Data Quality Process Design For Ad Hoc Reporting
White Paper Data Quality Process Design For Ad Hoc ReportingWhite Paper Data Quality Process Design For Ad Hoc Reporting
White Paper Data Quality Process Design For Ad Hoc Reporting
 
Best practise in data management
Best practise in data managementBest practise in data management
Best practise in data management
 
Pw Cwp Spreadsheet404 Sarbox
Pw Cwp Spreadsheet404 SarboxPw Cwp Spreadsheet404 Sarbox
Pw Cwp Spreadsheet404 Sarbox
 
HCLT Whitepaper: Enterprise Analytic Dashboard
HCLT Whitepaper: Enterprise Analytic DashboardHCLT Whitepaper: Enterprise Analytic Dashboard
HCLT Whitepaper: Enterprise Analytic Dashboard
 
Dyna Trace Whitepaper Performance
Dyna Trace Whitepaper PerformanceDyna Trace Whitepaper Performance
Dyna Trace Whitepaper Performance
 
Harnessing the Power of an Enterprise IT Dashboard - uptime software
Harnessing the Power of an Enterprise IT Dashboard - uptime softwareHarnessing the Power of an Enterprise IT Dashboard - uptime software
Harnessing the Power of an Enterprise IT Dashboard - uptime software
 
Fqm Brochure
Fqm BrochureFqm Brochure
Fqm Brochure
 
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra EngineWhy And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra Engine
 
Why And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra EngineWhy And Ontology Engine Drives The Point Cross Orchestra Engine
Why And Ontology Engine Drives The Point Cross Orchestra Engine
 
Getting Started with Advanced Network Operations
Getting Started with Advanced Network OperationsGetting Started with Advanced Network Operations
Getting Started with Advanced Network Operations
 

Recently uploaded

Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 

Recently uploaded (20)

Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 

Excel In Managing Spreadsheet Risk

  • 1. 0300 IA&BR February 06 9/1/06 20:34 Page 32 FEATURE Excel in managing spreadsheet risk Finance would be virtually unthinkable without the humble spreadsheet. Jonathan Wyatt and Scott Bolderson offer advice on how to minimise the risks of using this ubiquitous business tool T HE RISK ASSOCIATED only about financial reporting management requires and where with the use of Risk. Spreadsheet risk is pervasive spreadsheets are as a result spreadsheets has become across the business as a whole. widely used. A simple self- increasingly high profile assessment survey can generate Attitude over the last couple of years. very useful results. Businesses that are required to There are four key stages to Having identified high-risk comply with the Sarbanes Oxley managing spreadsheet risk (See Key areas, the next stage is to prepare Act are likely to have created an stages). A good place to start is the an inventory or register of the inventory of spreadsheets deemed areas of highest risk, which entails spreadsheets in use. Once again, critical to the financial reporting considering the business’s attitude there are many ways of putting process. The number of to risk. What is it that keeps senior together the inventory and how the spreadsheets identified has been a inventory is surprise to many businesses. For prepared is not “Automated solutions can help fine tune those who have not been through important. security and enforce change management this process, they may not have a However, in our and data retention policies” clue about how many spreadsheets experience a exist in their organisation. walkthrough of Unfortunately, having key business prepared the inventories, and management awake at night? What processes is one of the best ways of assessed this risk, many decisions do we take that could ensuring that all critical businesses have not been able to have a significant impact on spreadsheets are identified. identify practical solutions and shareholder value? What could Automated tools can also be used have found themselves asking the seriously damage our reputation? to scan networks for important question, what do we do next? Work should be prioritised on spreadsheets. Key attributes such The good news is that there are those areas of highest risk. as File Size and Last Modified date solutions out there. But the bad Whilst an inherent risk can be used to identify potentially news is that for many businesses assessment can be helpful, another current and complex spreadsheets. the spreadsheets identified to date key question to ask is where does Sequential filenames can also be a are only the tip of the iceberg. the business place heavy reliance give away of regular analysis. Whilst an inventory prepared for on spreadsheets? The middle It is important to pick up the Sarbanes Oxley Act is a good management team is usually very spreadsheets supporting analyses start, it is important to remember aware of which core applications on which decisions are made, that the Sarbanes Oxley Act is do not provide the information that spreadsheets used for 32 Internal Auditing & Business Risk | February 2006
  • 2. 0300 IA&BR February 06 9/1/06 20:34 Page 33 FEATURE presentation and reporting purposes, spreadsheets that drive assumptions that feed into other systems (or other spreadsheets), spreadsheets that support the control environment, that monitor processes with a view to detecting errors, and spreadsheets that are used for data capture or to process adjustments. For each spreadsheet, it is important to capture who is deemed the spreadsheet owner(s); who designed and built the spreadsheet; key data maintained in the spreadsheet; frequency with which the analysis is prepared; what the spreadsheet is used for; and details of interfaces to/from the spreadsheet. This information is important in making an assessment of the significance of the spreadsheet. Priorities The next stage is to assess the importance of each spreadsheet, which will enable the business to prioritise on the spreadsheets that matter. Each spreadsheet should be considered from two perspectives: criticality and complexity. By understanding the functions performed by the spreadsheet and the overall control environment in which it operates we can make an assessment of the criticality of the spreadsheet to the organisation. A common mistake is to assess criticality only in terms of direct Key stages • Identify potentially critical spreadsheets • Understand the risk profile • Assess spreadsheet controls • Implement control solutions financial loss resulting from an error in the spreadsheet. Whilst potential for direct financial loss as a result of error is clearly important, there are other factors to take into account. For example, organisations may wish to consider the sensitivity of the information contained in the spreadsheet and the impact of information in the spreadsheet getting into the wrong hands. Or the opportunity to use the spreadsheet to perpetrate ➲ 33 February 2006 | Internal Auditing & Business Risk
  • 3. 0300 IA&BR February 06 9/1/06 20:34 Page 34 FEATURE is also helpful to have an appropriate location on the ➲ fraud, for example by inflating understanding of the complexity network and it may be appropriate budgets, covering up poor when evaluating the type and to use passwords to control access performance, manipulating key level of control to implement to the spreadsheet. Design information on which bonus around the spreadsheet. methods could be important: for a payments are based. Or the reliance Assessing a spreadsheet’s relatively complex spreadsheet it is on the spreadsheet as a key control complexity can be based on a important to design the over a business critical process. number of criteria. For example, the spreadsheet so as to reduce the risk When considering the criticality size or scale of the spreadsheet; the of errors arising. And integrity of a spreadsheet it is important to spreadsheet layout and design; the checks: check totals should be built not only consider the functions that formulae design; and logical into the spreadsheet to highlight the spreadsheet is performing but complexity. There are a number of errors arising from incomplete or other controls that operate which relatively cheap automated inaccurate data capture. may mitigate any risk associated solutions in the market place that At this stage the question with the spreadsheet. When will perform this calculation based should arise, should we really be performing the assessment, it is on specific criteria defined by the using a spreadsheet at all? If the rarely practical to use a linear scale user. A manual approach is often spreadsheet has high complexity of 1 to 5 for this, so more subjective less efficient and can lead to and high criticality and is used on a descriptions are needed. inconsistencies. frequent basis over a prolonged For example, one may indicate period, the answer is almost that no key business decisions are certainly ‘no’. Whatever the made based on the information. Figure 1 conclusion we reach on whether or The risk materialising would be of Spreadsheet control not we should be using the embarrassment to those directly spreadsheet, the likelihood is that it associated with the spreadsheet, but framework is here to stay, at least in the short would have no real long term term, and hence we need to look for impact on the business. Three may ways and means of improving the indicate that an error in the level of control. spreadsheet or a delay in preparation of the spreadsheet may Spreadsheet Policy Solutions result a significant loss to the Stage four entails implementing business. Information contained in control solutions. The first priority the spreadsheet is sensitive and for a high-risk spreadsheet is employees could exploit the usually to ensure that it is doing information if they had access to it. what is was designed to do, which And, five may mean that an error in is usually achieved through a the spreadsheet or a delay in Roles and Control Minimum spreadsheet review. A spreadsheet preparation of the spreadsheet may responsibilities Processes Standards review tests the logical security, result a material loss to the internal consistency and arithmetic business. Information contained in accuracy of the formulae, the spreadsheet is highly sensitive When assessing complexity, it is algorithms and calculations within and inappropriate disclosure may important to also consider the all cells of the selected spreadsheets. be exploited by markets or complexity of the subject matter, Consideration would also often be competitors or could be in breach of not just the form of the spreadsheet. given to the reasonableness of key legislation (such as data protection Some form of judgement is assumptions, and the accuracy of legislation). The spreadsheet could required. Having performed the data capture. This independent be used to perpetrate senior analysis, some form of risk map review is designed to provide management fraud. should determine if further action is reasonable assurance that the Scale required and to prioritise the work. spreadsheet does not contain Assessing spreadsheet material or logical errors. The scale does not usually start at 0. controls is often the simplest Unfortunately, a spreadsheet This is for the simple reason that if stage as it is usually the case that review only represents a point in internal audit identifies a no controls, or at best inadequate time assessment. Having spreadsheet in which an error controls, exist. It is as a result established the integrity of the would have no impact on the usually a relatively quick process spreadsheet, it is important to business, then the spreadsheet is to assess the existing controls. implement controls that provide probably not needed. The type of controls required us with reasonable assurance Assessing the complexity of a would be dependent on the nature going forward. spreadsheet is relatively of the risk identified in stage two. Defining a Spreadsheet straightforward and once again The key controls in a spreadsheet to Control Framework, such as that we tend to adopt a 5-point scale. provide assurance over its integrity illustrated in figure 1, will ensure Spreadsheets range in complexity would typically include such issues that all aspects of spreadsheet from simple worksheets to large as access controls. For example, the management are addressed. and complex models with many spreadsheet should be stored in an The diagram shows that there worksheets, links and formulae. It 34 Internal Auditing & Business Risk | February 2006
  • 4. p35xx 13/1/06 12:27 PM Page 1 FEATURE are four key aspects to such a tune security and enforce change then care should be taken with the framework. Spreadsheet policy management and data retention software selection process to ensures that senior management’s policies. Some also provide very ensure the business gets the expectations are clearly powerful tools for audit and review. solutions it needs. communicated to the businesses However, such tools vary For most businesses and set down the ground rules significantly in terms of price, spreadsheets are prepared using governing the use of spreadsheets. quality and practicality. A solution Microsoft Excel. Another very Roles and responsibilities define that might be appropriate for a powerful and useful, but the requirements for identifying large multinational may not be occasionally dangerous tool, is spreadsheet owners and setting Microsoft Access. When performing out what is expected of the owner a review of spreadsheets internal “Spreadsheet policy ensures that senior and other key individuals. Control auditors should also be looking to processes make clear the key steps pick up any user-managed management's expectations are clearly around security, change, release databases. In most cases, analysis communicated to the businesses and set management and monitoring of performed in databases is of high down the ground rules governing the use spreadsheets given the nature of a complexity. In our experience, if particular spreadsheet and given databases have been implemented of spreadsheets” its risk classification. Finally, by the business and are not minimum standards to managed by IT, then the likelihood communicate the baseline appropriate for a much smaller of error is high. The principles set standards that any spreadsheet, organisation. Many organisations out above apply equally well to whatever the classification, is will in practice require a mixture databases or other user managed required to comply with. of guidance, policies, and one or data analysis tools. Currently there are a number of more tools, to cost effectively commercial solutions to assist with manage the risk. Jonathan Wyatt is the operation of key control If automated solutions for managing director of technology risk and Scott processes within the Spreadsheet spreadsheet management are Bolderson is associate director Control Framework, some of which desirable, and for any organisation of technology risk at the are extremely powerful. These with a significant number of high- consultant Protiviti automated solutions can help fine risk spreadsheets they should be, Business and technology cannot Protiviti be separated. As businesses have www.isaca.org/eurocacs is a Gold Sponsor become more reliant on technology, IT risk. at this year’s ISACA so the associated risks have grown. EuroCACS event. Visit Now more than ever it is essential to us from 19-22 March address the challenges around new 2006 at the Hilton technologies, escalating costs and London Metropole Hotel. compliance with regulations. ADVERT Seen clearly, Protiviti specialists ensure that your technology delivers more results and fewer regrets. controlled effect vely. Call +44 (0)20 7930 8808 or visit protiviti.co.uk Page 35 Technology Risk Internal Audit Business Risk - Application Controls Effectiveness - Audit Committee Advisory - Integrity Risk Services (including - Information Security - Start-up and Development Advice fraud, computer forensics and - IT Operations and Service Delivery - Outsourcing and Co-sourcing anti-money laundering) - End User Computing including IT Audit Services - Regulatory Compliance and - Internal Audit Quality Corporate Governance Assurance Review - Enterprise Risk Management - Supply Chain and Revenue Assurance © 2006 Protiviti Ltd. 35 February 2006 | Internal Auditing & Business Risk