Published on Finance Week (http://www.financeweek.co.uk)
Understanding the significance of spreadsheet risk
Created 2009-02-04 16:16

Ewen Ferguson, associate director at consultancy and audit firm Protiviti, offers advice on understanding the significance of spreadsheet risk and how to implement a risk management policy.

Spreadsheets are used everywhere, by companies of all sizes and across all sectors. They enable us to quickly and flexibly perform analysis that otherwise would be difficult or time-consuming. There is also a tendency for end users and managers to place undue trust in the integrity of the analysis performed using spreadsheets.

Since 2000, there have been a number of new regulatory compliance requirements (most notably Sarbanes-Oxley) that have increased the level of scrutiny over the way spreadsheets are used and controlled in financial reporting and other critical business functions. This increased scrutiny is not surprising given that the past few years have seen numerous multi-million-pound errors and frauds attributed to the use of spreadsheets.

The past couple of years have also seen companies filing material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around the spreadsheets used for financial reporting.

Top 10 tips for addressing the risk

1. Define the objectives of what you’re trying to achieve, as this will have a significant impact on scoping decisions and priorities. For example, are you trying to mitigate operational risk or to comply with specific legislation?

2. Define a starting point: this could be a business unit or function that you want to review. For example, for Sarbanes-Oxley compliance purposes, the focus will be on spreadsheets that support the financial reporting process. For spreadsheets that are operational in nature, the focus may be on trading desks.

3. Build an inventory: you also need to understand the extent to which spreadsheets are used. The results of a simple search of your network may surprise you as it will reveal thousands, if not millions, of spreadsheets in use (several thousand per employee is not uncommon). Do you know who manages them? How reliable are their calculations? Who ensures the results they produce are valid?

4. Focus on risk: to increase the chances of the project being successful and valuable, it is critical to take a risk-based approach and to focus initially on the parts of the business that place most reliance on spreadsheets (e.g. finance, trading, actuarial).

5. Perform a risk assessment: based on your inventory and selected business function or process, it is then important to continue the risk-based approach and categorise spreadsheets, to help prioritise the efforts. Spreadsheet risk should be considered in terms of the likelihood of an error occurring and the impact of an error on the organisation, i.e. its significance. Quantifying the risk in financial terms is also helpful and there are software tools available that can make this step more efficient.

6. Focus on the process: consider if there are mitigating controls within the business processes in which the spreadsheets are used that would detect errors should they arise.

7. Identify controls: define an appropriate spreadsheet control framework that:

  • Ensures minimum standards are clearly documented and consistently communicated.
  • Identifies standard risks and controls that critical spreadsheets in the organisation can be measured against.
  • Provides the opportunity to re-evaluate the minimum standards and ensure amendments to executive or legislative requirements can be incorporated centrally into the framework and rolled out across the organisation.

8. Establish a baseline: before controlling spreadsheets, their logical integrity must be assessed to adequately baseline functionality. There is little point in controlling a spreadsheet that is not working in the first place. Software is available to considerably increase the efficiency and effectiveness of baselining efforts.

9. Implement policies and procedures: policies and procedures should be defined and implemented. However, policies and procedures will only help reduce the risk if they are consistently adopted and monitored. Training programmes and monitoring processes will be required to achieve compliance.

10. Maintain: ensure that the controls put in place can be relied upon going forward, to reduce the requirement for reviewing the spreadsheets on a periodic basis.

This regulatory pressure and increasing focus from auditors is forcing organisations to address the issue of spreadsheet risk management, although few really understand what the risk exposure is and what they need to do about it. Additionally, the recent change in the UK rate of VAT to 15% could cause a headache for many organisations, given the number of spreadsheets that have the VAT rate ‘hardcoded’ in them.

Why are spreadsheets so prevalent?

Technology is developing rapidly, as are users’ demands and expectations about what it should deliver, and when. This impatience poses challenges for IT departments. When IT departments cannot meet users’ expectations, users are more likely to explore alternative options.

Spreadsheets (especially following the introduction of additional data capacity and processing efficiency in MS Excel 2007) are powerful analysis tools that, in many cases, are capable of delivering the same functionality as formally developed applications. Spreadsheets are often a viable and sensible alternative to IT-owned applications that are subject to lengthy software development cycles. As a result, they are a ubiquitous business tool.

What is the risk?

There is good reason for caution: a simple internet search for spreadsheet errors reveals numerous examples, including budgeting errors, financial statement errors, pricing errors, fraud and bad decision making as a result of poor information. The financial impact of these errors can be significant (in some cases many millions of pounds) and the damage to a company’s reputation can be even worse. Below are some recent errors identified by Protiviti:

  • An undocumented workbook was inherited by a new user. Embedded assumptions and resulting errors led to exposures being incorrectly tracked and options being incorrectly priced and traded. This caused the company a multi-million-pound loss.
  • An incorrect formula in a hidden row helped cause a $50m error in a company’s capital reserves.
  • Improper use of a LOOKUP function resulted in a $1.5m error in a company’s cash flow statement.
  • A formula accidentally overwritten with a hard-coded number caused a multi-million-pound trading loss for a company.

The use of software solutions

The last few years have seen an increasing number of technical solutions on the market that are aimed at helping companies manage the risk associated with using spreadsheets. One very powerful and useful (but potentially dangerous) tool is Microsoft Access. The risks and principles set out above apply equally well to databases or other user-developed applications.

With so many products available it can be difficult to understand what the different products do and to select one that is appropriate to an individual’s or company’s need. The different types of solutions can be broadly grouped into three categories. However, some of the leading vendors provide all the functionality within a single solution or suite of solutions. The categories are:

  1. Spreadsheet search/discovery: perform automated scans of networks or specific servers to generate an inventory of all spreadsheets discovered. Some solutions perform analysis to allow the user to deal with the large number of results typically generated.
  2. Spreadsheet auditing/baselining: automated tools to assist a reviewer when auditing a spreadsheet. Although some element of manual review is still required, these tools, when used correctly, greatly improve the efficiency of performing such reviews.
  3. Spreadsheet management/control: typically provide change control, version management, change history (audit trail) and security over those spreadsheets managed by the solution. Some solutions can be used to restrict access to functionality or specific cell ranges.
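
As an added illustration (not from the article and not any vendor's product), the Python example below shows the kind of check an auditing/baselining tool can automate for two of the error types listed earlier: a formula sitting in a hidden row, and a formula overwritten with a hard-coded number. The function names, the "number between two formulas" heuristic and the sample workbook are assumptions constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_sheet(xml_bytes):
    """Return sorted (cell, issue) findings for one worksheet XML part."""
    cells, findings = {}, []  # cells: (column, row) -> "formula" | "number" | "other"
    for row in ET.fromstring(xml_bytes).iter(NS + "row"):
        hidden = row.get("hidden") in ("1", "true")
        for c in row.iter(NS + "c"):
            m = re.fullmatch(r"([A-Z]+)(\d+)", c.get("r", ""))
            if not m:
                continue
            is_num = c.find(NS + "v") is not None and c.get("t", "n") == "n"
            kind = "formula" if c.find(NS + "f") is not None else "number" if is_num else "other"
            cells[m.group(1), int(m.group(2))] = kind
            if hidden and kind == "formula":
                findings.append((m.group(0), "formula in hidden row"))
    for (col, num), kind in cells.items():
        above, below = cells.get((col, num - 1)), cells.get((col, num + 1))
        if kind == "number" and above == below == "formula":
            findings.append((f"{col}{num}", "hard-coded number between formulas"))
    return sorted(findings)

def audit_workbook(data):
    """Audit every worksheet part of an .xlsx supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [n for n in sorted(zf.namelist()) if re.fullmatch(r"xl/worksheets/[^/]+\.xml", n)]
        return {n: audit_sheet(zf.read(n)) for n in parts}

def sample_workbook():
    """Constructed sample holding only a worksheet part (not a complete workbook)."""
    rows = []
    for r in range(1, 6):
        hidden = ' hidden="1"' if r == 2 else ""
        a = f'<c r="A{r}"><v>{r * 100}</v></c>'
        b = (f'<c r="B{r}"><v>460</v></c>' if r == 4  # formula overwritten by a typed value
             else f'<c r="B{r}"><f>A{r}*$D$1</f><v>{r * 115}</v></c>')
        rows.append(f'<row r="{r}"{hidden}>{a}{b}</row>')
    sheet = f'<worksheet xmlns="{NS[1:-1]}"><sheetData>{"".join(rows)}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_workbook(sample_workbook()))
```

For a real workbook, pass the file's bytes to audit_workbook; each finding is a prompt for the manual review the article says is still required, not proof of an error.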

Final thoughts

Spreadsheets are here to stay and provide a wide range of critical business applications. They are by far the most common end-user-developed tools, but it is crucial that there are adequate controls in place to mitigate potential risks. As well as meeting regulatory requirements, spreadsheet control helps to reduce potential losses due to errors and can result in significant productivity and efficiency gains.


Source URL: http://www.financeweek.co.uk/risk/understanding-significance-spreadsheet-risk