Spreadsheet Risk Management: Frequently Asked Questions

Spreadsheets are everywhere. They enable us to quickly and flexibly perform analysis that otherwise would be difficult or time-consuming. As a result, we tend to place undue trust in the integrity of the analysis spreadsheets perform.

As spreadsheet users have become more information technology (IT) proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications, but the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications. In contrast to most other applications of this nature and criticality, spreadsheets rarely are designed and developed by expert users or with controls in mind.

Furthermore, following numerous multimillion-dollar errors and fraud attributed to the use of spreadsheets in the past few years, increased regulation and compliance now impact spreadsheet control. Companies also are filing material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets. This regulatory pressure and increasing focus from auditors are placing spreadsheet risk management among the key risks that organizations need to address.

A simple search of your network may surprise you as it will reveal thousands, if not millions, of spreadsheets in use. Do you know who manages them? What is the purpose of these spreadsheets? How reliable are their calculations? Who ensures the results they produce are valid?

This new publication, which is based on Protiviti’s extensive experience assisting clients in this field, provides guidance on how to address these questions, among others. Our approach and guidance represent a pragmatic response to spreadsheet risk based on real business needs. Topics covered in this publication include:

  1. An introduction to spreadsheet risk management
  2. Executive ownership and governance
  3. Creating a library of critical spreadsheets
  4. Implementing a spreadsheet control framework
  5. Assessing spreadsheet controls and current risk exposure
  6. Gaining assurance over critical spreadsheets
  7. Spreadsheet risk indicators and reporting
  8. Training and awareness
  9. Resources
  10. Technology enabling effective spreadsheet risk management