End-user computing applications, particularly spreadsheets, are being used throughout organizations today. In many cases, they are supporting critical business activities and enabling users to perform analysis that otherwise would be difficult or time-consuming. More organizations also are relying on them in lieu of systems developments or upgrades that have been postponed or are still in the planning stages.
Remarkably, studies indicate that errors are found in 94 percent of spreadsheets. A fundamental problem with spreadsheets is that they often are designed and developed by untrained users and without enough consideration for building in controls and adhering to best practices that minimize the risk of errors. Spreadsheets tend to evolve significantly during their lifecycle, including modifications made by users who inherit them. Typically, it is these same users who tend to place undue trust in the integrity of the analysis derived from these spreadsheets.
Nevertheless, spreadsheets are being relied upon for increasingly sophisticated activities, and thus they create potential for a high level of risk. Many companies, in fact, rely on spreadsheets as key applications that support operational and financial reporting processes, including complex modeling to make trading decisions, accounting reconciliations, actuarial analysis, and employee compensation and bonuses, among other activities.
Many organizations tend to underestimate their reliance on spreadsheets, yet some of their most complex, high-profile decisions are based on analysis in these applications.
Challenges and Opportunities
Spreadsheets are becoming more complex. Users are finding increasingly novel applications for them when performing business-critical analysis, despite the elevated likelihood of errors. User training and awareness are limited, and in some cases companies are reducing training, as they assume users possess requisite spreadsheet skills.
However, increasing regulatory/compliance pressure, external auditor focus and a growing awareness of spreadsheet risk are compelling more organizations to consider this issue, though few understand its significance within their organization and how they should address it. Additionally, several high-profile business issues have increased awareness of the significant impact spreadsheet problems can have on organizations' stated financials.
Among the most pressing challenges in addressing spreadsheet risk is, in many cases, the lack of clear ownership. In practice, cooperation between business and IT functions is critical to effective spreadsheet risk management. However, although spreadsheets normally are business-developed, it often is unclear whether spreadsheet risks are to be addressed by IT or the business. The good news is that automated technology solutions now exist to make this task considerably easier. These solutions enable the CIO to provide the business with the flexibility needed and reduce the pressure on stretched or reduced IT resources, while managing the associated technology risk to an acceptable level.
Our Point of View
Spreadsheets are here to stay and increasingly are serving as critical business applications. As such, they need to have adequate controls. In addition to complying with regulatory/compliance requirements, spreadsheet controls help to reduce potential losses due to errors and can introduce significant productivity and efficiency gains.
Some tips for addressing spreadsheet risk include the following.
- Define objectives to be achieved. This will have a significant impact on scoping decisions and priorities, and therefore the population of spreadsheets on which to focus. For example, is the organization trying to mitigate operational risk or achieve compliance with specific legislation?
- Focus on risk. To increase the chances of spreadsheet risk management being successful and valuable, it is critical to take a risk-based approach and focus initially on the parts of the business that place the most reliance on spreadsheets.
- Define a spreadsheet control framework. Such a framework should:
  - Ensure minimum standards are documented clearly and communicated consistently.
  - Identify spreadsheet risks and controls against which critical spreadsheets in the organization can be measured.
  - Provide the opportunity to re-evaluate minimum standards and ensure amendments to executive or legislative requirements can be incorporated centrally into the framework and rolled out across the organization.
- Conduct training. Organizations must define and implement detailed policies and procedures for the use of spreadsheets. However, such policies and procedures will only help reduce the risk if they are adopted, monitored and tested consistently. Therefore, organizations need training programs and monitoring processes to maintain the framework.
How We Help Companies Succeed
Protiviti’s approach to end-user computing risk is based on real business need and built on practical experience. We can help with all phases of a spreadsheet project, from building a spreadsheet inventory and performing a risk assessment to implementing an effective yet pragmatic spreadsheet risk management framework and assisting with software selection and configuration. Protiviti remains vendor-independent but has thorough knowledge of the technology solutions available in the market.
Protiviti helped one of the largest global insurance and financial services companies gain control of its critical spreadsheets. This project included testing and remediating the organization’s spreadsheets and Access databases, defining its control framework, assisting with implementing the chosen technical solution to support the control framework, and delivering “best practice” training.
Our work uncovered a number of errors, including one with a potential impact of $50 million. The project sponsor described Protiviti’s engagement as one of the best consulting projects he had seen. Furthermore, our suite of services defined the corporate “gold standard” for spreadsheet control. The control framework we worked with our client to design and implement has already been adopted by another functional business area, with further companywide adoption planned.