Spreadsheet Risk Management Frequently Asked Questions Guide

Spreadsheet Risk Management - IIA Risk Management FAQs.pdf · Table of contents Introduction 1 An introduction to spreadsheet risk management 2 1. Why are spreadsheets so prevalent


Table of contents

Introduction 1

An introduction to spreadsheet risk management 2
1. Why are spreadsheets so prevalent today? 2
2. What is spreadsheet risk management? 2
3. Why do spreadsheets present a risk? 2
4. Is the level of risk increasing? 4
5. What about other desktop tools available to users? 4
6. Why has spreadsheet risk management suddenly become important? 4
7. Do technology solutions exist that can assist with managing spreadsheet risk? 4

Executive ownership and governance 5
8. Who is accountable for effective spreadsheet risk management? 5
9. What do the major legislative acts have to say about spreadsheets? 5
10. How can the executive define and communicate their spreadsheet risk management requirements? 5
11. Who should operate spreadsheet risk management processes? 5
12. Why should we report on spreadsheet risk to senior management and the executive? 6
13. What should the risk responsibilities of a spreadsheet owner cover? 6
14. What should be the role of the IT department? 6
15. What should be the role of operational risk departments? 7
16. What should be the role of internal audit? 7

Creating a library of critical spreadsheets 8
17. How do we measure risk? 8
18. How do we start to identify the potentially critical spreadsheets? 9
19. Which parts of the organisation can have the greatest dependency on critical spreadsheets? 9
20. How can we ensure that we identify all potentially critical spreadsheets? 9
21. What about spreadsheets that have links to other spreadsheets? 10

Implementing a spreadsheet control framework 11
22. What is a spreadsheet control framework and why is it important? 11
23. What are the typical key components of a spreadsheet control framework? 11
24. When is a spreadsheet not fit for purpose? 12

Assessing spreadsheet controls and current risk exposure 13
25. Do we need to assess the controls in operation across all our spreadsheets? 13
26. How do we consistently assess controls across spreadsheets? 13
27. How do we assess whether the controls are effective? 14
28. Can different approaches be taken to resolve any control issues? 14
29. How can we identify common control issues across the organisation? 15
30. How do we ensure that control issues are resolved and closed within an acceptable timeframe? 15
31. Who is responsible for accepting the residual risk that exists within a spreadsheet? 15

Gaining assurance over critical spreadsheets 16
32. How can the organisation ensure that spreadsheet owners are appropriately managing spreadsheet risk? 16
33. Where controls have been deficient, how can we rely on the integrity of the spreadsheet? 16
34. Is it possible to rely on the spreadsheet risk management process to provide assurance over the critical spreadsheets? 16
35. How often should spreadsheets or the spreadsheet control environment be evaluated? 17
36. Should internal audit be relied on to provide assurance on behalf of the business? 17

Spreadsheet risk indicators and reporting 18
37. What other forms of assurance can we rely upon rather than periodic controls assessments? 18
38. Are there generally accepted key indicators of spreadsheet risk or measures that should be applied? 18
39. What information is provided to the executive/risk committees regarding spreadsheet risk? 18
40. How can we ensure management and spreadsheet owners take on more accountability for the risk associated with the spreadsheets they own? 19
41. How can we ensure that spreadsheet risk is incorporated into our current regulatory reporting processes? 19

Training and awareness 20
42. Making spreadsheet owners aware of the potential risk is difficult. Are there any tried and tested approaches? 20
43. Are there differing levels of training required for spreadsheet owners? 20
44. Is the intranet an effective tool for ensuring awareness of spreadsheet risk within the organisation? 20

Resources 21
45. What are the key spreadsheet risk management capabilities that should exist in any organisation? 21
46. To what degree should the organisation expect to be sourcing third-party skills? 21
47. Should the organisation be employing specific spreadsheet support teams? 22
48. Should formal processes exist to ensure that the organisation consistently manages spreadsheet risk? 22

Technology enabling effective spreadsheet risk management 23
49. Do technology solutions exist to help with spreadsheet risk management? 23
50. Are there established solutions and clear market leaders? 23
51. If technology solutions are implemented, will they impact all spreadsheets operating within the organisation? 23
52. Are there performance or usability issues that need to be considered when implementing spreadsheet control solutions? 23
53. Who would implement and manage the operation of any spreadsheet solutions? 23
54. Is it as straightforward as installing the software in order to manage the risk or to be compliant? 24

About Protiviti Inc. 25
End-user computing risk management services 25

Contacts 26

Page 5: Spreadsheet Risk Management - IIA Risk Management FAQs.pdf · Table of contents Introduction 1 An introduction to spreadsheet risk management 2 1. Why are spreadsheets so prevalent

Introduction

Spreadsheets are everywhere. They enable us to quickly and flexibly perform analysis that otherwise would be difficult or time-consuming. As a result, we tend to place undue trust in the integrity of the analysis that spreadsheets produce. As spreadsheet users have become more information technology (IT) proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications, but the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications. In contrast to most other applications of this nature and criticality, spreadsheets rarely are designed and developed by expert users or with controls in mind.

Many companies rely on spreadsheets as a key application that supports operational and financial reporting processes. The purposes of spreadsheets are widespread, from performing complex modelling for trading decisions to accounting reconciliations and calculating employee bonuses.

A simple search of your network may surprise you, as it will reveal thousands, if not millions, of spreadsheets in use. Do you know who manages them? What is the purpose of these spreadsheets? How reliable are their calculations? Who ensures the results they produce are valid?

The increased regulation and compliance that now impacts spreadsheet control is not surprising given that the past few years have seen numerous multimillion-pound errors and frauds attributed to the use of spreadsheets. We also see companies filing material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets.

This regulatory pressure and increasing focus from auditors are forcing organisations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. While guidance exists, much of it is academic, providing little practical value to companies.

This publication is based on Protiviti’s extensive experience assisting our clients in this field. Our approach and guidance represent a pragmatic response to spreadsheet risk based on real business need. Although this publication uses the term ‘spreadsheet’, much of the guidance applies equally to other end-user-developed applications, such as databases and reports. Spreadsheets are the most prevalent of end-user applications, but there are other types growing in numbers that should not be ignored.


An introduction to spreadsheet risk management

1. Why are spreadsheets so prevalent today?

Technology is developing rapidly, as are users’ expectations about what it should deliver – and when. This impatience poses challenges for IT departments. When the IT department cannot meet users’ expectations, users are more likely to explore alternative options.

A spreadsheet is a powerful tool that in many cases is a viable alternative to lengthy software development cycles for users who require results immediately or need to keep ahead of the competition. As a result, spreadsheets are everywhere. They enable users to quickly perform analysis that otherwise would be difficult or time-consuming.

The ability of the user to develop and configure powerful solutions in a spreadsheet environment without appropriate training or awareness is introducing a high degree of spreadsheet-related risk into the corporate environment. This level of risk will grow with the increasing use and complexity of spreadsheets.

The key reasons behind the growing use of spreadsheets include:
• They are flexible and easy to use.
• Immediate results are generated, with potentially very short development periods.
• It is easy to become reasonably proficient in the use of a spreadsheet (though it is less straightforward to become reasonably proficient in their design and development).
• They can be configured to the personal requirements of the user.
• They are readily accessible by nearly all users, as they are usually a standard corporate desktop application.
• Spreadsheets can support the download and analysis of data from core systems.
• Over time, users have become more advanced in their use of spreadsheets.
• Spreadsheet software itself has become increasingly powerful over the years, opening up greater functionality to users.

2. What is spreadsheet risk management?

A fundamental problem with spreadsheets is that untrained users tend to place undue trust in the integrity of the analysis that is prepared in them. As users become more IT-literate, the number of spreadsheets in use is increasing, and they are becoming significantly more sophisticated.

Many companies rely on spreadsheets as a key application that supports operational and financial reporting processes. The purposes of such spreadsheets are widespread, from performing complex modelling to make trading decisions, to accounting reconciliations, to calculating employee bonuses.

Spreadsheet risk management helps ensure that the risk presented by spreadsheets is understood and appropriately mitigated.

3. Why do spreadsheets present a risk?

Spreadsheets can provide a broad spectrum of solutions to the user. The following table contains some typical examples of spreadsheet uses and how they can go wrong:

Use: Billing
What can go wrong: A major telecom organisation invested millions in core billing systems to support their key revenue earning stream: billing customers for calls made. For certain corporate customers, however, the billing rules, which were often complex, changed from year to year.

The billing team concluded that for these corporate customers, it was too difficult for IT to change the systems on a yearly basis. Therefore, flexible spreadsheets were designed that would download data from the core systems and calculate the invoices.

The billing rules were too complex for spreadsheet owners to constantly check for possible user errors. As a result, errors were soon identified.

While lost revenue was recovered from the relevant corporate customers, the reputational impact on the telecom organisation is difficult to quantify. Had a detailed review of the spreadsheets not been performed, the revenue leakage would have remained undetected.

Use: Reporting
What can go wrong: An accounting consolidation package provided a reporting function that could not be configured to support the changing reporting requirements of the finance department.

Spreadsheets were built that took the financial reporting information from appropriately controlled Enterprise Resource Planning and consolidation system software, manipulated the data and provided reporting to senior management.

Controls around the systems were regularly reviewed and assessed as operating effectively. The spreadsheet was never in scope for the reviews as it was owned within finance by the individuals responsible for reporting.

When the spreadsheets were reviewed in detail, a significant error was identified in the calculation of year-end accruals – a result of an error within a number of the calculations performed outside of the system in the spreadsheet.

Significant investment had occurred to ensure that systems were appropriately configured and controlled. This investment was entirely undermined by the creation of spreadsheets to produce reports that should have been configured in the core IT systems.


Use: Pricing
What can go wrong: A commodities trading firm priced and managed exposure on its options trading book through a complex spreadsheet that included a coded Monte Carlo algorithm.

The spreadsheet was produced by a trader with advanced spreadsheet knowledge. The trader also operated additional manual controls that provided assurance that the spreadsheet was accurately calculating price and exposure levels.

When the trader moved to another organisation, the spreadsheet was inherited by a new options trader who was not an advanced user of spreadsheets. This trader made some assumptions about the spreadsheet’s operation. Over time, errors were introduced into formulas and exposure levels were tracked inaccurately. Options were incorrectly traded and month-end profit and loss analysis showed a significant loss on the options book.

The error was tracked back to inaccuracies within the spreadsheet. The options trader had no knowledge of the errors.

Use: Budgeting
What can go wrong: A consulting firm employed basic spreadsheets to price and budget client engagements. The spreadsheets provided analysis that allowed the engagement managers to calculate the hours and level of the team on the engagement. The objective was to ensure that the firm achieved a certain margin on each engagement. The spreadsheets, while relatively simple, had little or no control over the content. Formulas could be changed and pricing tables updated.

When errors were accidentally introduced into an engagement budgeting spreadsheet, they did not result in significant financial impact for that particular engagement. However, the error was significantly compounded when the spreadsheet was shared among all the engagement managers and the model was used to price other engagements.

Eventually, it was discovered that major engagements had been priced inappropriately and the firm would not achieve its target margin. The lost money was not recoverable from the clients, as fees were part of already-signed contracts.

Use: Data quality
What can go wrong: Many organisations use spreadsheets as a simple tool for capturing data on large projects. A common example of this has been the capturing of data on risk and control for Sarbanes-Oxley projects. Spreadsheets are also often used to track remediation and closure of gaps.

Businesses are often left with large numbers of spreadsheets that must be maintained over time. Organisations that have adopted this approach often want to extract information from the templates and use it – for example, to prepare weekly/monthly progress reports.

Many organisations that have adopted this approach have found that the production of management information is extremely time-consuming. Furthermore, when the data is consolidated into monthly reports, inconsistencies are often identified. These are typically a combination of timing issues and errors.

Another common problem is that there often are multiple users of the spreadsheets. This results in significant version-control issues as the wrong versions are picked up and used, or two users attempt to make changes simultaneously, potentially undoing each other’s changes.

Though the direct consequences of these data quality issues were not significant, the cost of manually producing management information and resolving the quality issues was substantial.

In addition to these examples, a simple Internet search for spreadsheet errors reveals numerous examples, including budgeting errors, financial statement errors, pricing errors, and fraud or bad decision-making as a result of poor information. The financial impact can be significant (many millions of pounds) and the damage to a company’s reputation can be even worse.

Some frequently quoted examples include:

“A cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract.” Source: The Register

“Falsely-linked spreadsheets permitted fraud totalling $700 million at Allied Irish Bank/Allfirst.” Source: EuSpRIG

“Kodak’s SEC 10-K filing reported a material weakness in its internal controls surrounding the preparation and review of spreadsheets that include new or changed formulas.” Source: Compliance Week

As spreadsheet users have become more proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications. However, the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications.

4. Is the level of risk increasing?

Yes. Spreadsheets are becoming more complex and users are finding increasingly novel applications for them. User training and awareness is still limited, however. As spreadsheets become more complex, they are more prone to error. As users are perceived to become more IT-literate, more spreadsheets are being used to support critical business processes. A combination of these two factors is significantly increasing the overall risk profile for many organisations. The perceived level of risk is also rising due to growing awareness and understanding of the risk that uncontrolled spreadsheets pose, as well as increased regulatory and audit scrutiny.

5. What about other desktop tools available to users?

While this document uses the term ‘spreadsheet’, the issues and approaches outlined could just as easily apply to other desktop tools available to end users. These tools include database software (e.g. Microsoft Access), reporting tools (e.g. Crystal Reports) or any other ‘power’ tool that can be configured by the end user and depended upon to support operational processes.

End-user-developed databases can be even more risky than spreadsheets, as in many cases the data manipulation is less transparent to the end user. Reporting tools often allow users to develop customised reports which, if the query is configured incorrectly, can result in users inadvertently restricting the data they report.

However, the key difference between spreadsheets and other desktop tools is that spreadsheets are by far the most commonly used, and have by far the broadest range of end users.

The technology solutions referenced later in this guide to support the management of spreadsheets differ from those available for other desktop tools. In certain cases, the solutions have some functionality that can be applied across multiple desktop tools, but this is generally the exception.

6. Why has spreadsheet risk management suddenly become important?

Spreadsheet risk always has been important. However, as discussed in answers to previous questions, there are indications it is becoming more significant.

The UK’s H.M. Customs & Excise, in its ‘Methodology for the Audit of Spreadsheet Models’ (2001), said that “the complexity and functionality of spreadsheets has reached levels of sophistication that few could have imagined even five years ago. The consequent threat posed to businesses by such powerful ‘end-user’ applications, mainly in the hands of untrained users, is immense”. This observation has continued to hold true in the years since its publication.

It is also fair to say that recent regulatory compliance initiatives have forced organisations to consider the spreadsheet risk to which they are exposed. In particular, guidance produced in support of the Sarbanes-Oxley Act has advised organisations to specifically consider spreadsheet risk. Regulatory bodies and external audit firms have detected the increasing exposure to spreadsheet risk and are taking action to ensure it is addressed.

7. Do technology solutions exist that can assist with managing spreadsheet risk?

Yes. The section ‘Technology enabling effective spreadsheet risk management’ provides more detail about the types of solutions available.


Executive ownership and governance

8. Who is accountable for effective spreadsheet risk management?

Senior management (‘the executive’), including but not limited to the board, is ultimately accountable, on behalf of the organisation, for the effective management of all risk, including spreadsheet risk. This executive accountability is usually to the shareholders (where applicable) and the regulatory bodies governing the industry and environment in which the organisation operates.

The executive must understand:
• What is the risk?
• Where does the risk exist?
• How significant is the risk?
• Who is currently dealing with the risk?
• When will this risk be managed to an acceptable level?

Given the ever-increasing dependency on spreadsheets, as well as the external focus on them, the executive is increasingly aware that spreadsheet risk is an area of exposure that should be actively managed. This potentially time-consuming task should leverage many of the risk management processes already in operation, including current compliance efforts.

9. What do the major legislative acts have to say about spreadsheets?

The major legislative acts in existence today, namely Sarbanes-Oxley, Companies Act, Turnbull, Basel and MiFID, do not focus specifically on spreadsheet risk. However, effective management of spreadsheet risk is required to satisfy the requirements of each of these regulations.

Legislation tends to provide more generic statements such as, “An effective system of internal control…” (Turnbull). This ensures a broad sweep of requirements that will cover as many scenarios as possible within a diverse commercial environment. Therefore, organisations and the monitoring bodies (e.g. external audit firms, regulatory authorities) are required to interpret the legislation and determine how its requirements should be applied to each organisation.

What has become clear over the last five years is that the regulatory bodies and audit firms are becoming increasingly aware of the potential exposure to spreadsheet risk that can exist in an organisation. In fact, this issue became so significant during the Sarbanes-Oxley compliance peak between 2004 and 2006 that the major audit firms released various papers and guidance to ensure organisations were aware that spreadsheet risk management was an area they would be focusing on specifically. In many organisations, they found that managing spreadsheet risk was an issue for which no one in the organisation was taking accountability.

Spreadsheet risk management is therefore a requirement for all organisations that are subject to these regulations. The only scenario in which this would not apply is when an organisation has no significant business processes supported by spreadsheets.

In fact, the only way an organisation without an effective spreadsheet risk management strategy can be confident it is not exposed to significant risk is to prevent users from having access to the application. This is clearly not a practical solution for most organisations.

10. How can the executive define and communicate their spreadsheet risk management requirements?

Typically this is achieved by creating a spreadsheet risk management policy that states what the executive expects from the organisation. Then, the organisation will need to define how it implements the policy in a spreadsheet risk management operating model. This operating model should set out accountability, roles and responsibilities, processes, controls and minimum control standards.

When defining such requirements, the executive should take into account processes in place to ensure compliance with any existing policies. If there is not an effective compliance process in place, it is likely the spreadsheet policy will become another ineffective piece of paper on the pile of existing policies. Further guidance on implementing an effective governance, risk and compliance programme can be found in Protiviti’s Enterprise Risk Management FAQ Guide.

If clear and regular assurance is provided to the executive on other policies, the executive can be more assured that introducing a spreadsheet risk management policy will be an effective vehicle for ensuring the organisation can begin to effectively manage spreadsheet risk.

11. Who should operate spreadsheet risk management processes?

Because the IT department provides the infrastructure and software critical to the operation of the spreadsheets, it is obviously responsible for ensuring that this aspect of the technology is effectively controlled. However, the IT department cannot be held solely responsible for operating risk management processes around individual spreadsheets.

Spreadsheets are designed, implemented, updated, tested (sometimes) and made operational by the owners and users of those spreadsheets. This is why spreadsheets are so prevalent, and this should not change. However, spreadsheet owners should be responsible for operating effective spreadsheet risk management processes.

The executive should define, on behalf of the business, what constitutes effective spreadsheet management processes. The executive also should ensure appropriate monitoring is put in place to ensure compliance with these processes.

It is important that organisations do not let responsibility for spreadsheet risk management fall between the gaps. The business side often considers spreadsheets to be IT’s responsibility and removes them from the scope of any risk management work. The same goes for IT professionals, who often consider spreadsheets to be owned by the business side. Clearly, if nobody is taking responsibility for spreadsheet risk management, the executive has a problem.

The organisation can resolve this confusion by defining clear roles and responsibilities within the spreadsheet risk management operating environment.

The IT department may be able to provide solutions to assist with effective spreadsheet risk management. In this scenario, the IT department would become accountable for the effective operation of these solutions; therefore, the responsibility for effective risk management may be shared between the IT department and the spreadsheet owners.

In practice, co-operation between business and IT is critical to the operation of an effective spreadsheet risk management environment.

12. Why should we report on spreadsheet risk to senior management and the executive?

Creating a reporting process that demonstrates an effective spreadsheet risk management process is critical for the following reasons:
• It allows operational management and the executive to understand the key risks to the organisation, the significance of those risks and the work in progress to manage those risks.
• Better transparency of spreadsheet risk management drives better behaviour among operational personnel.
• Demonstration of effective risk management processes is critical for satisfying legislative requirements.

Failing to implement a discrete process for reporting on the effectiveness of the spreadsheet risk management environment is a missed opportunity. Ensuring there is transparency over the effectiveness of the whole operational risk management environment is a goal any organisation should look to achieve.

Many organisations already have some form of operational risk management reporting process in place. In these cases, the critical step is the integration of the spreadsheet risk management processes into the current assessment and reporting approach.

13. What should the risk responsibilities of a spreadsheet owner cover?

The spreadsheet owner should be responsible for the identification and assessment of operational risks that exist in the spreadsheets they own.

In fulfilling these responsibilities, the spreadsheet owner should be provided with guidance on what is expected and given access to the tools necessary to ensure their assessment of risks and controls is consistent with the rest of the organisation.

The spreadsheet owner should be responsible for the identification and operation of appropriate controls that mitigate the risk to an acceptable level. They also should be responsible for accepting spreadsheet risk within defined limits of authority. Limitations on the amount of risk they can accept should be agreed upon with senior management or the executive.

14. What should be the role of the IT department?

It has been emphasised that the spreadsheet owners are responsible for controlling the risks associated with their spreadsheets.

However, there is an assumption that the IT infrastructure relied upon by the spreadsheet owners is available and secure. This is the responsibility of the IT department. A lack of control over this infrastructure typically has an impact on the availability or security of spreadsheets (as well as a pervasive impact across other technology within the organisation).

When assessing the risks associated with a spreadsheet, the spreadsheet owner might choose to rely on the controls operated by the IT department. For example, a spreadsheet may be needed every day to process key transactions. The availability of the spreadsheet is therefore critical, and the spreadsheet owner will wish to establish that the spreadsheet will be available and can be recovered in the event of any problems. The owner will have to establish the effectiveness of these controls through interaction with the IT department.

Another example involves access to the spreadsheet. The spreadsheet owner may determine that the spreadsheet should be restricted to certain individuals. Therefore, IT may need to set up a storage location that has restricted access and ensure these restrictions are maintained unless further access has been authorised by the spreadsheet owner.

In both of the above examples, IT implements the required controls. However, these controls have been defined by the spreadsheet owner, who must assess the adequacy of these controls against the risks he is seeking to address.


15. What should be the role of operational risk departments?

Operational risk departments exist within many organisations. Typically, mature operational risk management frameworks already have been implemented and processes around these frameworks are well established and operating effectively. A risk management framework cannot be mature, however, if it does not consider all the risk to which the organisation is exposed.

Therefore, the challenge for the operational risk department is to ensure the risk framework encompasses and ensures effective spreadsheet risk management. One option is to incorporate the spreadsheet risk management policy into the overall risk framework. Doing so allows spreadsheet risk to be considered within an existing risk management governance structure, rather than considering spreadsheet risk management as an independent activity.

16. What should be the role of internal audit?

In many organisations, it is the responsibility of internal audit to provide a level of independent assurance to the executive that risk within the organisation is being managed effectively. Internal audit should focus on the spreadsheet risk management controls in operation. Typically, in organisations that are starting to review the effectiveness of spreadsheet risk management, the controls will be ineffective, necessitating gap analysis and remediation. If there are no overarching controls in operation, internal audit often can help get these issues on the executive’s agenda.

Internal audit should in general avoid doing detailed testing of individual spreadsheets for integrity. Performing reviews of individual spreadsheets is likely to focus the organisation on resolving issues within individual spreadsheets rather than addressing the root cause of the problem: ineffective spreadsheet risk management controls. One-time integrity testing of individual spreadsheets is important to ensure they are operating as intended, but this testing does not necessarily need to be performed by internal audit.


Creating a library of critical spreadsheets

17.Howdowemeasurerisk?Spreadsheetcriticalityisdefinedasthelikelyimpacttotheorganisationofanerroroccurringinthespreadsheet.Ideally,anyspreadsheetriskshouldbeevaluatedintermsofitslikelyfinancialimpact.However,afinancialquantificationisoftentoocomplextoimplementduringtheinitialassessmentofcriticalspreadsheets.Therefore,organisationshaveemployedamoregeneralscaleforestimatinglikelyimpact.Anexampleisprovidedbelow:• Low:Nokeybusinessdecisionsaremadebasedonthe

informationcontainedwithinthespreadsheet.Errorsthatoccurwouldbeofembarrassmentorhindrancetothosedirectlyassociatedwiththespreadsheet,butwouldhavenoreallong-termimpactonthebusiness.

• Medium:Anerrorinthespreadsheetoradelayinpreparingthespreadsheetmayresultinsignificantlosstothebusiness.Informationcontainedinthespreadsheetmaybesensitiveandemployeescouldexploittheinformationiftheyhadaccesstoit.

• High:Anerrorinthespreadsheetoradelayinpreparingthespreadsheetmayresultinamateriallosstothebusiness.Informationcontainedinthespreadsheetishighlysensitiveandinappropriatedisclosurecouldbeexploitedbymarketsorcompetitors,orcouldbeinbreachoflegislation(e.g.theUKDataProtectionActortheUSHealthInsurancePortabilityandAccountabilityActorGramm-Leach-BlileyAct).

Todeterminewhichspreadsheetsposethehighestriskwithintheorganisation,theinherentriskofaspreadsheetmustbeassessed.Inherentriskisdefinedas:‘Therisktoanorganisationintheabsenceofanyactionsmanagementmighttaketoaltereithertherisk’sprobabilityorimpact’(InstituteofInternalAuditors).Aspreadsheet’sinherentriskis,therefore,acombinationofitscriticality(impact)totheorganisationandtheinherentlikelihoodoferrorinthespreadsheet,whichisderivedfromacombinationofthecomplexityandthedesignofthespreadsheet.

To determine the complexity of a spreadsheet, the following key characteristics should be reviewed:
• Spreadsheet size.
• Complexity of formulas.
• Volume of linkages to other cells, tabs and spreadsheets.
• Volume of data.
• Existence of Visual Basic code.

This can be a time-consuming process for large spreadsheets, but software tools can automatically scan spreadsheet files and produce a score based on a predefined scale of complexity.

However, the likelihood of error involves spreadsheet design as well as complexity. Assessing design involves reviewing each spreadsheet in turn and identifying characteristics of bad design that could increase a spreadsheet's likelihood of error. Examples of bad design include hard-coding of numbers or assumptions into formulas and inconsistent or overwritten formulas within a column or row, which result in a higher likelihood of error.

Calculating the inherent risk of spreadsheets allows the organisation to focus any subsequent effort on those spreadsheets with the highest risk. An effective way to illustrate the spreadsheet risk profile is the use of a risk map. Figure 1 shows a simple example of a risk map:

The business should focus most of its efforts on the spreadsheets with a high criticality and high likelihood of error, as shown in brown in Figure 1. However, it is important that the organisation does not ignore spreadsheets with low likelihood of error but high criticality. Some of these spreadsheets may need to be controlled, as the occurrence of an error could have a significant impact on the organisation. Such spreadsheets are shown circled in the top left of Figure 1.

Even the simplest spreadsheets often contain errors, as is illustrated by the budgeting example in Question 3. In our experience, simple spreadsheets are often subject to very limited or no testing and as a result, are often more prone to significant errors than complex spreadsheets, which may be more thoroughly tested.

Figure 1: Simple example of a spreadsheet risk map. (The figure itself is not reproduced in this extract: the horizontal axis is likelihood of error, the vertical axis is criticality, and ten spreadsheets, numbered 1 to 10, are plotted as points. Key: each point represents one spreadsheet.)


18. How do we start to identify the potentially critical spreadsheets?

There are a number of ways to start the process of identifying the critical spreadsheets, including:
• Automated scanning tools.
• Questionnaires.
• Process documentation (where available).
• Interviews or workshops.

The best way to start is usually by performing an automated scan of the network to identify potential spreadsheets. This will quickly identify any potentially complex spreadsheets in use as well as parts of the business most reliant on spreadsheets.

However, the most effective way of identifying critical spreadsheets is to hold discussions with key individuals, process owners and department heads. Any initiative to implement an effective spreadsheet risk management model should start with the areas perceived to be the most dependent on spreadsheets, have significant operational importance, or have had previous spreadsheet incidents.

When discussing the spreadsheets individuals are dependent on, it is often useful to start from the premise that dependent spreadsheets are those that, if deleted, would either take too long to re-create (in some cases, just one hour redeveloping a spreadsheet can be too long) or could not be re-created at all. The output of an automated scan also can be helpful when holding these discussions to ensure all complex spreadsheets currently in use are discussed.

The next stage is to identify the spreadsheets that, if inaccurate, would have a negative impact on the organisation. This can be a challenge, as the individual will want to consider other controls in operation that mitigate the risk. However, it is important that the individual focuses on potential financial impact in the context of inherent risk (i.e. without controls). This is so that the organisation can ensure that, when the assessment of controls is performed later in the process, either the controls fully mitigate the inherent risk or the residual risk is understood and accepted.

19. Which parts of the organisation can have the greatest dependency on critical spreadsheets?

The functions/divisions that are most dependent will vary by organisation. There are, however, some key risk indicators (KRIs) that can be used to quickly prioritise efforts on parts of the organisation that most likely have an increased dependency on spreadsheets. These indicators include:
• A high volume of spreadsheets, rather than formal applications, are known to support critical processes.
• Spreadsheets are used to manipulate data prior to input into an application, or after output.
• Known incidents, including error or actual financial losses, have occurred as a result of spreadsheets.
• Spreadsheets are used as interfaces between systems.
• Calculations are performed in spreadsheets because they are too complex to be performed in systems.
• Processes or transactions change to meet market requirements (this often indicates that core applications cannot support changing business requirements as well as spreadsheets can).

In addition, finance and 'front office' functions are often users of critical spreadsheets due to the nature of the roles they perform.

20. How can we ensure that we identify all potentially critical spreadsheets?

It is not possible to be completely sure that all critical spreadsheets have been identified, but an organisation can scan the file servers for all spreadsheet files. Typical searches can reveal millions of spreadsheets, many old and obsolete. Simple analysis can help focus on the potentially critical spreadsheets. In considering any such analysis, organisations should be aware that cost-effective tools exist that automate a large part of the work and greatly decrease the time and effort required.

Analysis should be performed on the 'last modified' date to identify spreadsheets that have been active in the last six months (or 12 months, depending on the organisation's risk appetite). Analysis could then focus on the spreadsheets that exceed a certain size (larger spreadsheets are typically more complex and therefore often have a higher inherent risk). It is also worth trying to identify whether multiple spreadsheets are actually different versions of the same spreadsheet, where a user regularly saves the spreadsheet with a different date or version number. Many of the leading automated scanning tools automatically take these factors into account.

For discussions with users regarding their critical spreadsheets, it is useful as a completeness check to have a list of spreadsheets the users are currently recorded as owning and have recently used. During these discussions, it is often discovered that some spreadsheets are being used as workarounds for systems or reports that do not meet the needs of the business. Information regarding workarounds for ineffective systems is worth capturing, as it can be fed into the change/enhancement processes for these systems.


The other common type of critical spreadsheet is one that forms part of the control environment around the core business process (e.g. a spreadsheet containing control totals, checks or reconciliations). These spreadsheets are important as they are being relied upon to identify potential errors in these core business processes.

Simple spreadsheets used to record personal information should not be overlooked. These spreadsheets are not likely to be deemed critical to the organisation, but access may need to be tightly controlled in order to meet privacy standards in many countries.

21. What about spreadsheets that have links to other spreadsheets?

The organisation needs to ensure that any dependencies between spreadsheets are identified and recorded. (It is possible to link spreadsheets together by referencing cells in another spreadsheet or through Visual Basic code created in a spreadsheet.)

If a spreadsheet is critical, but also dependent on the accuracy of information contained in another spreadsheet, the organisation needs to record the spreadsheet that is providing input. Discussions with individuals often will identify only the top-level spreadsheet. However, this top level may be dependent upon a network of sub-spreadsheets. It is not uncommon to observe multiple layers of linked spreadsheets.

Tools exist that automatically identify any spreadsheets that feed information to a selected spreadsheet; they also can search Visual Basic code for key function names. This is essentially a completeness check, but a very important one, in that it can ensure all critical spreadsheets have been recorded. Generally, a spreadsheet that provides information to a separate critical spreadsheet will itself be critical. The information collated can be used to create a map or diagram that is useful to illustrate the dependencies and data architecture.
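The scan-and-link steps of Questions 17, 18, 20 and 21 need nothing more than a zip reader, because .xlsx and .xlsm files are OOXML packages: worksheet formulas sit in xl/worksheets/*.xml, each linked workbook is recorded as an external relationship Target under xl/externalLinks/_rels/, and macro code lives in xl/vbaProject.bin. The Python below is an added example, not part of the guide or of any vendor's scanning tool. It builds a handful of constructed workbooks in a temporary directory, walks them as if they were a file share, applies the 'last modified' and version-family filters from Question 20, scores complexity with an assumed weighting of the Question 17 indicators, and then propagates criticality upstream along the recorded links as Question 21 recommends. The scoring weights and bands, the 180-day activity window, the file-name version pattern and matching linked workbooks by file name alone are all assumptions made for illustration.

```python
import os, re, time, zipfile, tempfile, xml.etree.ElementTree as ET
from collections import defaultdict

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_EXT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath"
BAND = {"low": 1, "medium": 2, "high": 3}  # the guide's three-point scales as numbers

def build_xlsx(path, cells, links=(), vba=False):
    """Constructed minimal .xlsx for the demo (not real Excel output). cells: {A1 ref: ("f", formula) or ("v", value)}."""
    rows = defaultdict(list)
    for ref, (kind, val) in cells.items():
        tag = "f" if kind == "f" else "v"
        rows[int(re.sub(r"[A-Z]", "", ref))].append(f'<c r="{ref}"><{tag}>{val}</{tag}></c>')
    body = "".join(f'<row r="{r}">{"".join(cs)}</row>' for r, cs in sorted(rows.items()))
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"><sheetData>{body}</sheetData></worksheet>')
        for i, target in enumerate(links, 1):  # this is how Excel records each linked workbook
            z.writestr(f"xl/externalLinks/_rels/externalLink{i}.xml.rels", f'<Relationships xmlns="{NS_REL}">'
                       f'<Relationship Id="rId1" Type="{NS_EXT}" Target="{target}" TargetMode="External"/></Relationships>')
        if vba:
            z.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")

def scan_workbook(path):
    """Read complexity indicators straight from the .xlsx/.xlsm package; Excel is not needed."""
    info = {"path": path, "bytes": os.path.getsize(path), "mtime": os.path.getmtime(path),
            "cells": 0, "formulas": 0, "external_links": [], "vba": False}
    with zipfile.ZipFile(path) as z:
        info["vba"] = any(n.lower().endswith("vbaproject.bin") for n in z.namelist())  # macro-enabled workbook
        for n in z.namelist():
            if n.startswith("xl/worksheets/") and n.endswith(".xml"):
                for el in ET.fromstring(z.read(n)).iter():
                    tag = el.tag.rsplit("}", 1)[-1]  # local name without the namespace
                    if tag in ("c", "f"):
                        info["cells" if tag == "c" else "formulas"] += 1
            elif n.startswith("xl/externalLinks/_rels/") and n.endswith(".rels"):
                for el in ET.fromstring(z.read(n)).iter():
                    if el.get("TargetMode") == "External" and el.get("Target"):
                        info["external_links"].append(os.path.basename(el.get("Target")))  # assumption: match by file name
    return info

def complexity_score(info):
    """Assumed weighting (not from the guide): formulas, links, file size and VBA each add to the score."""
    score = min(info["formulas"] / 50, 4) + 3 * len(info["external_links"]) + min(info["bytes"] / 1e6, 3)
    return round(score + (6 if info["vba"] else 0), 2)

VERSION_SUFFIX = re.compile(r"[\s_\-]*(v\d+|\d{4}[-_.]\d{2}([-_.]\d{2})?|\(\d+\)|final|copy)$", re.I)
def canonical_name(filename):
    """Collapse 'Budget_v3', 'Budget 2024-03 final' and 'Budget (2)' onto one family (assumed naming habits)."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    while (new := VERSION_SUFFIX.sub("", stem)) != stem:
        stem = new
    return stem.lower()

def inventory(root, active_days=180):
    """Walk a share, scan every workbook and attach the first-pass filters from Question 20."""
    cutoff, entries = time.time() - active_days * 86400, []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".xlsx", ".xlsm")):
                info = scan_workbook(os.path.join(dirpath, fn))
                info["active"] = info["mtime"] >= cutoff  # modified within the activity window
                info["family"] = canonical_name(fn)       # versions of the same spreadsheet
                info["complexity"] = complexity_score(info)
                info["likelihood"] = "high" if info["complexity"] >= 6 else "medium" if info["complexity"] >= 2 else "low"  # assumed bands
                entries.append(info)
    return entries

def propagate_criticality(entries, declared):
    """declared: {file name: band} from owner interviews; anything feeding a 'high' workbook becomes high, transitively."""
    by_name = {os.path.basename(e["path"]): e for e in entries}
    crit = {n: declared.get(n, "low") for n in by_name}
    for _ in by_name:  # N passes are enough to walk a chain of N linked workbooks
        for n, e in by_name.items():
            for up in e["external_links"] if crit[n] == "high" else ():
                if up in crit:  # links to files outside the scanned share are left for follow-up
                    crit[up] = "high"
    for n, e in by_name.items():
        e["criticality"] = crit[n]
        e["inherent_risk"] = BAND[crit[n]] * BAND[e["likelihood"]]  # criticality x likelihood of error
    return crit

def demo():
    """Constructed share: a critical P&L pulls from Rates.xlsx, which pulls from a macro-driven Feed.xlsm."""
    root = tempfile.mkdtemp()
    build_xlsx(f"{root}/PnL.xlsx", {"A1": ("f", "[1]Sheet1!B1*100")}, links=["Rates.xlsx"])
    build_xlsx(f"{root}/Rates.xlsx", {"A1": ("v", 1.25), "B1": ("f", "[1]Sheet1!A1*2")}, links=["file:///C:/Finance/Feed.xlsm"])
    build_xlsx(f"{root}/Feed.xlsm", {"A1": ("v", 10)}, vba=True)
    build_xlsx(f"{root}/PnL_v2.xlsx", {"A1": ("v", 1)})  # a saved-as copy
    build_xlsx((stale := f"{root}/PnL 2019-01.xlsx"), {"A1": ("v", 1)})
    os.utime(stale, (0, time.time() - 400 * 86400))  # an old version left on the share
    entries = inventory(root)
    propagate_criticality(entries, {"PnL.xlsx": "high"})  # owners typically name only the top-level sheet
    return {os.path.basename(e["path"]): e for e in entries}

if __name__ == "__main__":
    for name, e in sorted(demo().items(), key=lambda kv: -kv[1]["inherent_risk"]):
        print(name, e["active"], e["family"], e["criticality"], e["likelihood"], e["inherent_risk"], e["external_links"])
```

Run it directly to print the inventory ordered by inherent risk; Feed.xlsm, which nobody named in the interviews, comes out on top because it is macro-driven and feeds the critical P&L through Rates.xlsx. A real scan would resolve the recorded link path (file:/// URLs, UNC paths, relative paths) rather than matching on the file name, and should record a link whose target cannot be found as a finding in its own right, since a broken upstream is exactly the kind of dependency the question wants surfaced.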


Implementing a spreadsheet control framework

22. What is a spreadsheet control framework and why is it important?

A spreadsheet control framework is the structure an organisation implements to define the spreadsheet risks and the associated controls that should be considered.

A control framework:
• Ensures minimum standards are clearly documented and consistently communicated.
• Identifies standard risks and controls that critical spreadsheets in the organisation can be measured against.
• Provides the opportunity to re-evaluate the minimum standards and ensure amendments to executive or legislative requirements can be incorporated centrally into the framework and rolled out across the organisation.

The effective implementation of a spreadsheet control framework should be assessed through management assurance processes or through independent evaluation (e.g. by internal audit).

23. What are the typical key components of a spreadsheet control framework?

The control framework should identify the key organisation-level risks that spreadsheets are required to be assessed against, such as financial, reputational and regulatory. Control objectives should be defined against each of these high-level risks.

Given the similarities between spreadsheet development and application development, it is appropriate to leverage an industry-recognised IT control framework. By using existing frameworks, the organisation can select the control objectives that apply, but also provide a level of assurance that all possible areas of risk and control have been considered. One framework to consider using is COBIT (Control Objectives for Information and related Technology).

The reason for having control objectives is that spreadsheet owners can assess each of the high-level risks for their spreadsheets and then assess how the current controls achieve the associated control objectives.

Some of the control objectives may be deemed mandatory or key, and should be defined clearly in the spreadsheet policy (e.g. spreadsheet security). For other control objectives not classified as mandatory, the ultimate decision about which objectives apply may be left to the spreadsheet owner. The control objectives that apply will depend on the level of risk and the criticality of the spreadsheet.

A typical set of controls that could be incorporated into the framework are suggested below. The extent to which these controls must be applied will vary on a case-by-case basis:

• Access control: Defining and maintaining appropriate user access rights and restrictions, including segregation of duties where applicable.

• Backups: Backup of spreadsheets and data to ensure continuity and availability.

• Change control: Controlling changes that are made to the spreadsheet, including adequate testing and documentation of changes.

• Data input validation: Ensuring completeness and accuracy of data inputs.

• Data integrity and security: Preventing unauthorised modification of the spreadsheet and protecting sensitive cells from accidental change or deliberate manipulation.

• Development control: Controlling the development process, testing and deployment of new spreadsheets.

• Documentation: Appropriate documentation maintained to describe the owner, business objectives, functions, change history, assumptions, external links and any other relevant information. This would extend to documenting macros or Visual Basic code if applicable.

• Independent review: Documented independent review of spreadsheet logic and changes.

• Version control: Ensuring that only the current version of the spreadsheet is used, and specific previous versions can be retrieved or re-created if required.

The IT Governance Institute, in its 'IT Control Objectives for Sarbanes-Oxley, 2nd Edition', provides a set of illustrative key controls for end-user computing, which includes spreadsheets. These controls consist of:
• Existence of and adherence to policies and procedures.
• Documentation and regular integrity review of end-user computing applications.
• Backup and secure storage of applications and data.
• Security to prevent unauthorised access.
• Independent verification to ensure completeness and accuracy of inputs, processing and outputs.

Theguidealsoprovidesasampleapproachforspreadsheets,consistingofthefollowingthreestages:• Createaninventoryofspreadsheetsinvolvedinthefinancial

reportingprocess.• Performariskassessment(impactandlikelihood)offinancial

statementerror.• Implementandassessspreadsheetcontrols.

Although this approach is designed for Sarbanes-Oxley, it is consistent with Protiviti's approach to spreadsheet risk management, which can be applied regardless of risk management objectives and nature of spreadsheet usage.


24. When is a spreadsheet not fit for purpose?

In certain scenarios spreadsheets can be too complex, in which case the organisation should consider migration of the spreadsheet into a structured application controlled by the IT department.

Example scenarios in which this option should be considered include:
• The spreadsheet contains master data used to feed calculations and reports.
• The spreadsheet makes use of a large amount of Visual Basic code.
• There are multiple users of the same spreadsheet.
• The spreadsheet is used as an interface between two systems.
• The spreadsheet is slow and often requires regular restarting.

Transitioning the spreadsheet into a more formal application development environment will significantly reduce the risk. The cost/benefit of this action will need to be assessed. While the overall risk profile is reduced, there may be a significant cost associated with the development and ongoing maintenance of such an application.


Assessing spreadsheet controls and current risk exposure

25. Do we need to assess the controls in operation across all our spreadsheets?

It is not usually necessary to assess controls across all spreadsheets in use. However, the extent to which testing is required will depend on the level of risk the organisation is willing to accept. Typically, spreadsheets with a low level of inherent risk (see Question 17 for more information on risk assessment approaches) are generally not incorporated into a formal spreadsheet risk management model. For these lower-risk spreadsheets, we recommend that spreadsheet owners are made aware of their responsibilities toward spreadsheet risk management, but that the organisation does not require them to perform formal risk and control assessments on their spreadsheets.

26. How do we consistently assess controls across spreadsheets?

Consistent spreadsheet control assessment is facilitated by having an effective spreadsheet control framework against which each spreadsheet risk can be assessed. Further guidance on the key requirements of a spreadsheet control framework is provided in response to Question 23. Key aspects of control that need to be considered include: design standards, change management controls, baseline integrity testing performed, documentation retained, access controls and controls over backup.

Key aspects of the overall control environment are likely to be dependent on IT. In particular, IT is likely to be responsible for general controls over access to the network and backup of the network. The assessment of these controls should be performed centrally and reflected in the spreadsheet risk management policy and guidelines.

However, the spreadsheet owner will still need to take responsibility for defining the specific access rights for the spreadsheet. The spreadsheet owner also will need to assess whether the service levels offered by IT and the standard backup/restore processes meet the requirements of the business.

Figure 2 shows a typical split between individual spreadsheet testing and pervasive IT testing. The use of technical management solutions can increase the ability to pervasively or centrally test spreadsheet controls (see the section 'Technology enabling effective spreadsheet risk management').

Figure 2: Split between spreadsheet owner-managed controls and pervasive IT-dependent controls, linked by the spreadsheet risk management policy.

Spreadsheet owner-managed controls:
• Design methods.
• Initial testing (baselining).
• Change management controls.
• Documentation.
• Spreadsheet passwords.
• Definition of access requirements of network folder.

A separate assessment of control requirements should be performed for each individual spreadsheet. This is likely to be performed by the spreadsheet owner. Spreadsheet risk management policy should provide guidance on aspects of control that need to be assessed by each spreadsheet owner.

Pervasive IT-dependent controls:
• Network security.
• Network change management.
• Backup and restore.
• IT disaster recovery.

Tested on an annual basis by a central team (potentially as part of an existing compliance process or internal audit programme). Spreadsheet risk management policy defines requirements of spreadsheet owners, reflecting observations made when performing review of general controls.


The organisation must ensure the assessments are performed by a person with the appropriate skills. If assessment is done by the spreadsheet owners, it is essential that they consistently and effectively assess the controls in operation around their spreadsheets. Many successful projects to implement a spreadsheet risk management framework have employed a central team of experts to provide guidance, training and review on the assessments performed by individual spreadsheet owners.

27. How do we assess whether the controls are effective?

The first step of any assessment is to ensure the controls in operation achieve the minimum control standards defined in the spreadsheet control framework. Having achieved compliance with the minimum control standards, consideration should be given to any other controls that have been implemented. The identification and assessment of controls should use the spreadsheet control framework to ensure the assessment considers all risks and controls and is performed consistently across the organisation.

The next step is to understand the level of residual risk the organisation is exposed to with the controls currently in operation. Residual risk is an assessment of the expected impact and likelihood of error after all risk-related actions have been implemented (e.g. controls or transfer of risk). The residual risk can be determined by considering both the impact of the spreadsheet to the organisation and the likelihood of error.

Impact: The spreadsheet owner will need to assess the potential financial impact or consequence of an error arising in the spreadsheet over the next 12 months, hence the criticality to the organisation. If there are other controls in place that would limit the potential impact (for example, reconciliations that would detect an error), these should be taken into account, whether or not they are independent of the spreadsheet.

Likelihood of error: Determined by a combination of the complexity and design quality of the spreadsheet. See the response to Question 17 for further information.

If the calculated residual risk is above that acceptable to the organisation, the controls are inadequate. Then, remediation activities will need to be instigated to improve controls or reduce the spreadsheet's likelihood of error, for example through redevelopment of the spreadsheet.

28. Can different approaches be taken to resolve any control issues?

There are many different approaches that can be adopted to reduce residual risk to an acceptable level. The spreadsheet risk management framework should provide guidance and provide examples. A prescriptive approach rarely works. The spreadsheet owner will need to assess the potential risk and the control objectives, and then put in place appropriate controls.

By way of an example, any spreadsheet risk management policy is likely to state that access to the spreadsheet should be restricted to appropriate users. One approach may be to add a password to the file, utilising the basic security features of Excel. This provides only a basic level of control: the password is typically shared among all users and rarely changed, and nothing limits repeated guessing of it. Note also that Excel's worksheet and workbook 'protection' passwords do not encrypt the file at all and can be removed trivially; only the file-open password encrypts the content, and even that can be attacked offline by anyone who obtains a copy of the file.

Another approach (potentially additional to the Excel password) is to set up a directory on the network and grant access to a defined list of users. This should provide a higher level of control, as user accounts are managed centrally and better password standards can be applied. However, under this model all users with access to the spreadsheet do have the same level of access.

Another option is to make use of spreadsheet control software (see the section 'Technology enabling effective spreadsheet risk management'). Such tools can provide greater flexibility, allowing user- or role-based access and segregation of duties in the spreadsheet to be enforced. These tools also provide an audit trail of actions users have performed.

The spreadsheet owner will need to decide what level of control is required, taking into account any requirements of the spreadsheet risk management policy. A basic password may be adequate for some spreadsheets that do not contain sensitive data and only have a few users. This will not, however, be sufficient in many cases.


29. How can we identify common control issues across the organisation?

One of the benefits of implementing a consistent spreadsheet control environment across the organisation is that it is easier to identify common control issues. To gain this benefit, controls identified should be recorded against control objectives within the framework. The same should be done for any planned actions that are raised to reduce residual risk to an acceptable level. By linking actions to control objectives, the organisation is able to analyse where significant control gaps exist.

The actions typically will be tactical solutions implemented locally within the organisation. At this stage there is an opportunity for the organisation to review these tactical solutions and determine if there is a more strategic solution that would ultimately be more cost-effective to the organisation as a whole.

30. How do we ensure that control issues are resolved and closed within an acceptable timeframe?

For every control issue or deficiency identified as part of the spreadsheet review, action plans and responses should be developed and documented. Action owners also should be assigned with responsibility for ensuring that actions are delivered by the agreed close date. When the action is closed, the risk should be re-evaluated and a revised residual risk level recorded.

A process needs to be put in place to ensure all actions are resolved on a timely basis. This will be most effective when it forms part of the existing issues tracking/reporting system monitored by an appropriate group (e.g. internal audit, compliance, risk).

A clear escalation policy should be defined to assist action owners where support is required and ensure they are motivated to resolve issues on a timely basis. Long-overdue actions should be escalated through the chain of command. There are instances where slippage is attributable to unavoidable operational reasons, but too often these are used to justify not addressing known control issues. Ironically, it is often the case that control issues are the root cause of continued operational incidents.

31. Who is responsible for accepting the residual risk that exists within a spreadsheet?

A process needs to be implemented to ensure that appropriately qualified and authorised employees are accepting risk on behalf of the organisation. Spreadsheet owners may be accepting significant risk associated with their spreadsheets rather than implementing appropriate action plans.

Defining levels of risk authority means that any residual risk above defined levels will need to be escalated to a higher-level authority within the organisation; for example, a residual risk level of £100,000 or below can be accepted by the spreadsheet owners, while a risk level of more than £100,000 and less than £500,000 needs to be escalated to the department head.

There is a danger that this approach will encourage spreadsheet owners to underestimate the level of risk associated with their spreadsheets. Therefore, it is important that spreadsheet risk evaluations are reassessed by skilled professionals, through the involvement of internal audit, for example.

An option that has worked for some organisations is defining and applying authority limits based on the inherent risk, not the residual risk. This should ensure that any high-risk spreadsheet is subject to some form of independent review and sign-off. See the response to Question 17 for more information on assessing inherent risk.

There is also an argument for emphasising to spreadsheet owners that if they significantly underestimate that risk and incidents associated with their spreadsheet occur, that underestimation will be considered a major failing in their personal risk management performance as well as that of their department. Any effective compliance programme should look for evidence of this type of behaviour.


Gaining assurance over critical spreadsheets

32. How can the organisation ensure that spreadsheet owners are appropriately managing spreadsheet risk?

There are a number of options the organisation can employ.

The first focuses on individual spreadsheets. Through the assessment of inherent risk, the organisation is able to list its most critical spreadsheets. For each of the most critical spreadsheets, the organisation should consider an independent review of all aspects of the spreadsheet owner's responsibilities. This should include the operation of key controls for the spreadsheet and a review of the risk assessments performed by the spreadsheet owner. Independent review should be performed by experienced professionals. Such a review could be performed by a specialist team, internal audit or a third-party organisation.

An alternative approach is identifying a basic set of key controls from the spreadsheet control framework that should be implemented in all spreadsheets. Some form of testing then will be performed, whether as part of a self-assessment process or as part of an independent review. This approach provides a level of assurance to the executive that at least the minimum control standards are being achieved across all key spreadsheets. This approach does not necessarily look at the responsibilities of the spreadsheet owner, but focuses on the controls in operation. This tends to be the approach taken by most organisations as they improve their overall spreadsheet risk management environment.

Other potential options are considered in response to Question 37.

33. Where controls have been deficient, how can we rely on the integrity of the spreadsheet?

This can be one of the biggest issues within spreadsheet risk management. When a spreadsheet's controls have been evaluated as ineffective, the organisation cannot rely on the integrity of that spreadsheet until it has been tested and an adequate control environment established.

The introduction of controls alone will not mean that a spreadsheet is complete and accurate. Implementing controls will reduce the risk that new errors are introduced going forward. However, if the spreadsheet is inaccurate when the controls are first implemented, it will remain inaccurate. Therefore testing is required to obtain assurance that critical spreadsheets have integrity.

The testing of a spreadsheet can appear daunting or even impossible. However, there are techniques that can be employed to provide a reasonable level of assurance at minimum cost.

Before these techniques are discussed, it is worth noting that any spreadsheet containing Visual Basic code or macros should be subject to more formal application development testing of the code.

Spreadsheet testing/auditing tools (see section 'Technology enabling effective spreadsheet risk management') are available that will help to perform analysis of formulas, spreadsheet links and data. The output from these tools should be analysed and any anomalies investigated with the spreadsheet owner. Although these tools cannot completely automate the testing of spreadsheets, they make the process considerably more efficient and facilitate tests that would be impractical to perform manually.

For the most critical spreadsheets, this mechanical process will not be sufficient. Other options include performing sensitivity testing, changing key parameters and predicting the impact of these changes on the spreadsheet. This can be an effective final step to check that the spreadsheet appears to be functioning correctly. Sensitivity analysis alone, however, will not be sufficient to identify all potential errors.

There also may be significant benefit to building check totals into the spreadsheet to identify potential issues early. Ultimately, the spreadsheet owner must confirm that someone has checked the accuracy of the spreadsheet and that it is operating as expected.

34. Is it possible to rely on the spreadsheet risk management process to provide assurance over the critical spreadsheets?

An effective internal control environment reduces the likelihood that errors or irregularities will occur and remain undetected, but it does not eliminate that possibility. Similarly, well-defined spreadsheet risk management processes will significantly reduce, but not eliminate, an organisation's exposure to spreadsheet risk. For many organisations, adherence to a well-defined spreadsheet risk management policy will reduce the risk to an acceptable level, as well as helping to satisfy regulatory requirements. (Note, however, that these requirements also may necessitate an assurance process to ensure the spreadsheet risk management process is operating as defined. Further guidance is provided in response to Question 32.)


35. How often should spreadsheets or the spreadsheet control environment be evaluated?

The spreadsheet risk management process should be subject to the same assurance approach as other operational risk management processes. Many organisations will look to gain annual assurance over the design and operating effectiveness of the spreadsheet risk management operating model.

However, for many organisations the implementation of a spreadsheet risk management policy represents a significant change. As a result, for areas of high risk, areas where a high volume of complex spreadsheets have been identified or areas where a high volume of control deficiencies have been identified in the past, the organisation should consider increasing the frequency of management assurance testing until the new processes have been embraced by the business.

36. Should internal audit be relied on to provide assurance on behalf of the business?

It is the responsibility of operational management to ensure the organisation has appropriate controls in place that are operating effectively. The operational management team should therefore ensure that adequate assurance processes are in place.

Internal audit may assist management in providing this assurance. The role internal audit plays is entirely dependent on the relationship the internal audit department has with the operational side of the business as well as the priorities of the audit committee.

If internal audit does support operational management by performing an audit or review, it remains the responsibility of operational management to ensure the scope of their review is sufficient to provide the desired level of assurance.


Spreadsheet risk indicators and reporting

37. What other forms of assurance can we rely upon rather than periodic controls assessments?

Many organisations have revisited their regulatory compliance approach to place increased reliance on high-level monitoring controls to reduce their cost of compliance. Technical solutions for managing spreadsheets (as discussed in the section 'Technology enabling effective spreadsheet risk management') can provide a method for implementing equivalent monitoring controls around spreadsheets.

Implementing a monitoring tool is not an alternative to implementing an effective spreadsheet risk management framework. Furthermore, before relying on a monitoring tool, it is necessary to perform testing to gain a level of assurance that the spreadsheets are in compliance with policy and free from material errors. Only then can the benefit be gained from implementing a technical solution to detect and notify when changes are made that may or do breach the policy.

This provides much greater assurance than manual assessments because sampling is not required. Consequently, resources can be devoted to ensuring the policy and control framework is appropriate, rather than to performing controls testing.
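The monitoring control described here depends on knowing, for each spreadsheet in the critical library, that a change occurred and which part of the workbook changed, because a change to macro code or to the set of linked workbooks warrants a different response from an edit to a cell value. The Python below is an added example, not the guide's or any vendor's product: it records a SHA-256 fingerprint of every part inside each critical workbook's package at the point the spreadsheet has been tested and accepted, and on each later run reports which parts differ together with a triage severity. The severity mapping of package parts is an assumption, and the sample workbooks are constructed in a temporary directory rather than saved by Excel.

```python
import hashlib, os, tempfile, zipfile

# Assumed triage map (not from the guide): which package parts matter most when a critical workbook changes.
SEVERITY = [("xl/vbaproject.bin", "high: macro code changed"),
            ("xl/externallinks/", "high: linked workbooks changed"),
            ("xl/worksheets/", "medium: formulas or data changed")]

def fingerprint(path):
    """SHA-256 of every part inside the OOXML package, so a change can be localised to a part."""
    with zipfile.ZipFile(path) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def baseline(paths):
    """Reference fingerprints; take these only once the spreadsheet has passed integrity testing."""
    return {p: fingerprint(p) for p in paths}

def classify(part):
    for prefix, severity in SEVERITY:
        if part.lower().startswith(prefix):
            return severity
    return "low: metadata, styles or formatting changed"

def check(base):
    """Compare each baselined workbook with its current state; return (path, part, severity) alerts."""
    alerts = []
    for path, parts in base.items():
        if not os.path.exists(path):
            alerts.append((path, "*", "high: critical spreadsheet removed or renamed"))
            continue
        now = fingerprint(path)
        for part in sorted(set(parts) | set(now)):
            if parts.get(part) != now.get(part):  # part added, removed or modified
                alerts.append((path, part, classify(part)))
    return alerts

def write_pkg(path, members):
    """Constructed stand-in for Excel saving a workbook: a zip containing the named parts."""
    with zipfile.ZipFile(path, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)

def demo():
    d = tempfile.mkdtemp()
    pnl, rates = os.path.join(d, "PnL.xlsx"), os.path.join(d, "Rates.xlsx")
    sheet = '<worksheet><sheetData><row r="1"><c r="A1"><f>B1*2</f></c></row></sheetData></worksheet>'
    write_pkg(pnl, {"xl/worksheets/sheet1.xml": sheet, "docProps/core.xml": "<coreProperties/>"})
    write_pkg(rates, {"xl/worksheets/sheet1.xml": sheet})
    base = baseline([pnl, rates])
    before = check(base)  # nothing has changed yet
    # Simulated drift: a formula edited and a macro added to PnL.xlsx; Rates.xlsx deleted from the share.
    write_pkg(pnl, {"xl/worksheets/sheet1.xml": sheet.replace("B1*2", "B1*2.5"),
                    "docProps/core.xml": "<coreProperties/>", "xl/vbaProject.bin": b"\x00placeholder\x00"})
    os.remove(rates)
    return before, check(base)

if __name__ == "__main__":
    for path, part, severity in demo()[1]:
        print(f"{os.path.basename(path)} {part}: {severity}")
```

The baseline must be taken only after the integrity testing in Question 33 has been completed, otherwise the monitor faithfully preserves an already-wrong spreadsheet. Keep the baseline somewhere spreadsheet owners cannot edit it, re-baseline only through the change control process, and route the alerts into the issue-tracking process of Question 30 rather than to an inbox.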

38. Are there generally accepted key indicators of spreadsheet risk or measures that should be applied?

There is no generally accepted set of key risk indicators (KRIs) or internationally recognised standard.

Defining KRIs is about defining a set of measurable parameters that will provide an indication of an increased/increasing level of spreadsheet risk in the area. The organisation should consider having key operational departments report these statistics to management on a regular (e.g. monthly) basis.

The objective of the indicators is to provide a more frequent notification than controls assessments of a potentially increasing exposure to spreadsheet risk as a result of changes to the way spreadsheets are being used to support the business. Where departments have an increasing trend, this could trigger specific work to be performed within the department to ensure that spreadsheet risk continues to be managed effectively.

The focus should be on identifying two or three parameters that can be easily reported but directly monitor spreadsheet risk in the organisation. Some examples of indicators that have been used at other organisations are listed below. Where an indicator uses terms such as 'critical' or 'complex', the organisations themselves must define at what level these terms become applicable:
• Number of 'critical' spreadsheets operated in the department.
• Number of 'complex' spreadsheets operated in the department.
• Aggregate inherent risk of all operational spreadsheets.
• Aggregate residual risk of all operational spreadsheets.
• Volume of spreadsheet risk action plans.
• Volume of overdue spreadsheet risk action plans.

Thelistaboveisbynomeanscomplete.However,itdoesprovideanindicationofthetypeofindicatorsthatthebusinessshouldbelookingtotrack.Itisimportantthattheindicatorsaresimpletomeasureandeasytoproducebyadepartmentonceeffectivespreadsheetriskmanagementprocessesareinoperation.Somespreadsheetriskmanagementtools–particularlythosedesignedtoperformanautomatedscanandriskassessment–canbehelpfulwhenlookingtotracksomeoftheseindicators.

39.Whatinformationisprovidedtotheexecutive/riskcommitteesregardingspreadsheetrisk?

Spreadsheetriskshouldbeasingleaspectofamuchbroaderoperationalriskreportingstructure.Itisimportantthatanyinformationprovidedtotheexecutiveisincorporatedintotheexistingriskreportingprocesses.Thisensuresthatspreadsheetriskcanbeassessedinthecontextofotheroperationalrisksthattheorganisationisexposedto,andprioritisedaccordingly.Thenatureandextentofinformationreportedwillultimatelybedrivenbythelevelofresidualrisk,whenconsideredalongsideotherkeyriskareasthebusinessisseekingtomanage.

Itisalsoimportantthattheorganisationcandemonstratethatintheeventsignificantspreadsheetrelatedissuesarise,thereareprocessesinplacetoensurethattheseissuesarebroughttotheattentionoftherelevantindividuals,andappropriatemanagementresponseactionsareinplaceandprioritised.


Typically an executive will want to know:
• What is the risk?
• Where does the risk exist?
• How significant is the risk?
• Who is currently dealing with the risk?
• When will this risk be managed to an acceptable level?

Note that the above questions could have come from a much more generic approach to operational risk management. Spreadsheet risk also can be aggregated with other types of operational risk to provide an overall risk exposure measure for operational processes, departments, and so on.

The provision of this information also ensures that the executive is fully briefed and in a position to answer questions by external auditors and regulatory bodies.

Further guidance on implementing an enterprisewide risk management process can be found in Protiviti’s Guide to Enterprise Risk Management, available separately.

40. How can we ensure management and spreadsheet owners take on more accountability for the risk associated with the spreadsheets that they own?

An effective way of embedding spreadsheet risk management processes is to implement some form of certification process, which also helps to ensure that spreadsheet risk owners take on more accountability. One approach is to ask the individuals accountable for effective risk and control management to confirm the accuracy of the spreadsheets they operate and that all risk and control assessments associated with the spreadsheet are complete and accurate. This can be further enhanced by requiring the individuals to confirm the level of residual risk arising from these assessments.

Having spreadsheet owners assess control effectiveness on a periodic (e.g. quarterly) basis ensures they start to actively own their risk and control assessments and are responsible for maintaining them on a regular basis. It also presents an opportunity for the spreadsheet owner to highlight issues and obtain support in resolving them. From a management perspective, the fact that individuals within the organisation are personally accountable for signing off on this quarterly review provides a certain level of comfort that their spreadsheet risk is managed. Using self-assessment technology can significantly reduce the management’s overhead for such a process.

A few organisations have introduced risk management performance into employee contracts, with individuals measured on how effectively they deliver on their risk management responsibilities. However, this can be difficult to implement in many organisations, and most spreadsheet owners will overstate the importance of spreadsheet risk management given their other responsibilities.

41. How can we ensure that spreadsheet risk is incorporated into our current regulatory reporting processes?

The effective management of spreadsheet risk is already implied in most of the existing regulatory reporting requirements. If spreadsheets are used widely and ultimately relied upon by the business, it is not possible to conclude on the effectiveness of internal controls without considering the effectiveness of spreadsheet risk management controls. Consider whether and how spreadsheet risk has been assessed in the past when the organisation has attested to the requirements of external bodies. Is the organisation comfortable that it has appropriately assessed spreadsheet risk when making these attestations?

If spreadsheet risk has not been formally evaluated in the past, it does not necessarily mean that the organisation has misrepresented its position. It simply means that greater transparency is required around the organisation’s conclusions about the effectiveness of spreadsheet risk management.

Organisations need to ensure that spreadsheet risk is considered when making any future statement to regulatory bodies, and it is essential for the executive to understand that spreadsheet risk is actively managed when signing off on any attestation statement. If an organisation has implemented an effective spreadsheet risk management framework and has obtained assurance that this framework is operating effectively, the business will be well placed to reach a conclusion. Essentially, the organisation is required to provide assurance to the executive that the spreadsheet risk policy has been effectively implemented throughout the organisation and that existing issues have been identified and are being actively managed.


Training and awareness

42. Making spreadsheet owners aware of the potential risk is difficult. Are there any tried and tested approaches?

Increasing spreadsheet risk awareness can be challenging because spreadsheets are typically used by many people within the organisation.

Basic awareness training should be provided, covering the minimum control standards and illustrating some best-practice techniques. It also should provide individuals with guidance on where to go for further information (such as an online resource or a spreadsheet support team). Critically, they should be educated on key indicators that imply significant inherent risk within the spreadsheets they operate, and know whom to contact when these indicators are present. Users should be provided with regular reminders of the key issues and of their responsibilities. Simply providing some initial training and posting a standard on the intranet is unlikely to achieve the desired level of accountability.

An effective process is to integrate the awareness training into the HR joiner’s process. In doing so, all new joiners to the organisation are provided with the training. Training current employees, however, remains a challenge. There are many different approaches to educating a high volume of people, such as those used for internal communications, health and safety awareness and fire drills.

Where critical spreadsheets have been identified, a more formal training programme will be necessary. An alternative to training that has worked well for many organisations is providing a central support team to walk the spreadsheet owner through the process. This is not only more effective than classroom training, but also helps the business achieve consistency in implementation of the spreadsheet risk management framework.

43. Are there differing levels of training required for spreadsheet owners?

This varies and will depend on the individual spreadsheet owners. Spreadsheet owners should have the option to request additional training on spreadsheet development techniques. These typically would be standard spreadsheet training courses that cover more effective use of spreadsheets.

However, specific training on spreadsheet risk management processes will need to be provided to users who own and operate spreadsheets with an increased level of inherent risk. It is also a good idea to review those individuals requesting spreadsheet development training, as this often implies they have a higher dependency on spreadsheets and wish to develop more effective (and probably more complex) solutions. This training should provide guidance on evaluating spreadsheet risk and the effectiveness of spreadsheet controls.

An alternative to training is to provide a central support team to walk the spreadsheet owner through the process. This has worked well for many organisations. It is not only more effective than classroom training, but it also helps the business achieve consistency in implementation of the spreadsheet risk management framework.

44. Is the intranet an effective tool for ensuring awareness of spreadsheet risk within the organisation?

The intranet is an excellent tool for providing reference information for individuals. If possible, all spreadsheet risk management frameworks, processes and training should be made available on the intranet.

However, posting documents on the intranet is not a substitute for delivering training. Employees should be aware it exists, but their training should be delivered through discussions, lectures, practical exercises and online tests. A more interactive method is required to ensure the proper approach to spreadsheet risk management in the organisation is appreciated and understood.


Resources

45. What are the key spreadsheet risk management capabilities that should exist in any organisation?

All users of spreadsheets need to be provided with training to develop a basic level of knowledge. This should include:
• Awareness of key spreadsheet risks.
• Understanding of the minimum spreadsheet control standards.
• Understanding of the key indicators of a spreadsheet becoming critical.
• Knowledge of whom to engage when a spreadsheet is becoming critical.

Providing this level of training to all users can be challenging for many organisations. As a result, many businesses initially focus on those parts of the organisation that are more dependent on the use of spreadsheets.

In addition to this basic level of knowledge, the business will need access to people with much deeper skills who can provide support and guidance to the wider community. Some organisations have set up central teams with these deeper skills that the spreadsheet owners can draw on when required. Unless users are granted access to these types of people, it can be difficult to effectively roll out the spreadsheet risk management framework. The deeper skills required include:
• Risk assessment skills.
• Spreadsheet design skills.
• Advanced spreadsheet development skills (including Visual Basic development if macros are widely used in the business).
• Spreadsheet testing skills.

46. To what degree should the organisation expect to be sourcing third-party skills?

There is no requirement to make use of third parties. Many organisations have found it helpful, however, to draw on the experiences of other organisations when establishing a spreadsheet risk framework.

Skilled third-party resources have been engaged in a number of areas, including:
• Development of a spreadsheet policy.
• Identification and assessment of critical spreadsheets.
• Spreadsheet testing.
• Management assurance.

Organisations have gained value from employing experienced consulting firms to perform the initial identification of their critical spreadsheets. The consultants provide a level of independent evaluation but also draw on their experience with other organisations to accurately assess the inherent risk and complexity of spreadsheets. At the end of a project in which consultants have been employed, it is important for any organisation to ensure the processes have been embedded in their day-to-day operational processes.

Spreadsheet testing can be time-consuming, and experience has shown that it is unlikely to be effective when performed by the spreadsheet owners. There is a natural tendency for the spreadsheet owner to take shortcuts and perform a less thorough review. Third-party companies are able to leverage specialised testing tools that provide a higher level of assurance. Spreadsheet testing is, hopefully, a process performed through one-off projects, so there is an opportunity to agree to a relationship with a third party to ensure they are available to perform this work as and when required.

Management assurance exists to ensure that appropriate spreadsheet controls are in place and operating effectively. Organisations often do not have the luxury of internal risk teams with the capacity to perform extensive management assurance work. The alternative is to allow the spreadsheet owners to perform a self-assessment of the controls in operation. This is typically a good approach, but only when used in combination with some form of independent assurance work to ensure self-assessments are performed appropriately. Third-party firms can provide this capability on an annual or other scheduled basis.

Other services provided by third parties include:
• Evaluation of technology solutions in the marketplace.
• Implementation of a spreadsheet management technology solution.
• Assisting internal audit with spreadsheet reviews.
• Training and awareness on spreadsheet risk management.
• Development of appropriate control framework.


47. Should the organisation be employing specific spreadsheet support teams?

To effectively implement spreadsheet risk management processes, the business will typically need to provide spreadsheet owners with access to people with deep expertise on an as-needed basis. The deeper skills required include:
• Spreadsheet risk management policy expertise.
• Risk assessment skills.
• Spreadsheet design skills.
• Advanced spreadsheet development skills (including Visual Basic development if macros are widely used in the business).
• Spreadsheet testing skills.

Some organisations have found that a cost-effective approach is to create a small pool of central resources that the business can draw on to provide deeper skills when required. This will depend, however, on the complexity of the spreadsheets used within the organisation. Organisations will not require specialised spreadsheet support analysts if the spreadsheet owners are capable of adequately controlling the spreadsheets they operate.

Some organisations employ spreadsheet support teams to ensure critical spreadsheets are developed in a controlled yet responsive manner to support business requirements. These teams essentially operate as a rapid development team, typically located alongside the operational staff they support.

The use of a spreadsheet support team needs to be carefully monitored to ensure all application development requirements do not go through the spreadsheet support team, as certain requests should go through the more formal IT development environment.

Successful spreadsheet support teams tend to operate in financial services organisations and typically in a trading environment where daily analysis and deal construction is performed through complex spreadsheets. (This is a good example of where more traditional applications are seldom flexible enough to support business requirements.) Some businesses also have used central support teams to provide training to the business on spreadsheet risk and drive the implementation of the spreadsheet risk management policy.

48. Should formal processes exist to ensure that the organisation consistently manages spreadsheet risk?

A spreadsheet risk management operating model should contain documented processes and controls. Processes should exist to ensure that all individuals with spreadsheet risk management responsibilities can follow a consistent process.

Critically, controls also should be defined within these processes. These controls will have defined control owners responsible for their operation. Having documented controls ensures the organisation is able to evaluate the effectiveness of the spreadsheet risk management processes.

Spreadsheet risk management processes typically include:
• Policy definition.
• User training and awareness.
• Identification of critical spreadsheets.
• Individual risk assessment (assessment of risk in an individual spreadsheet).
• Overall risk assessment (consolidation and aggregation of risk information and associated reporting).
• Controls definition and implementation.
• Controls testing and assurance.
• Certification of spreadsheets (quarterly or annual certification by spreadsheet owners that they understand their responsibilities and that risk is being managed in accordance with policy).
• Compliance (process of gaining assurance that the business is in compliance with the spreadsheet risk management policy).


Technology enabling effective spreadsheet risk management

49. Do technology solutions exist to help with spreadsheet risk management?

There is a relatively new market for technical solutions to assist with spreadsheet risk management. Many of the more established vendors have been operating in this area for only a few years.

Ventana Research has conducted research within this area and estimates that while the total market for enterprise spreadsheet management tools was $15 million in 2006, this will grow to an estimated $500 million by 2011. In our view, this estimate is conservative given the reliance placed on spreadsheets by so many companies and the increasing scrutiny and compliance requirements being placed upon them.

The types of technical solutions available can generally be categorised into three groups:
1. Spreadsheet management/control: These solutions typically provide change control, version management, change history (audit trail) and security over those spreadsheets managed by the solution. Some solutions can be used to restrict access to functionality or specific cell ranges.
2. Spreadsheet search/discovery: These solutions perform automated scans of networks or specific servers to generate an inventory of all spreadsheets discovered. Some solutions perform limited analysis to help the user deal with the large number of results typically generated.
3. Spreadsheet auditing: These automated tools assist a reviewer when auditing a spreadsheet. Although some element of manual review is still required, these tools, when used correctly, greatly improve the efficiency of such reviews.
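The discovery scan (group 2), the change detection a management/control tool performs against a tested baseline (group 1, and question 37's monitoring point) and two of the department-level indicators from question 38 can be illustrated in a few dozen lines. The following is an added example written for this guide, not a vendor product or Protiviti code; it assumes spreadsheets are recognised by file extension, that .xlsm marks a macro-enabled workbook, and it runs against a constructed temporary directory.

```python
import hashlib
import os
import tempfile

# Constructed assumption: spreadsheets are recognised by extension; .xlsm marks
# a macro-enabled (Visual Basic) workbook, one of the 'complexity' indicators.
SPREADSHEET_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlsb"}


def discover_spreadsheets(root):
    """Group 2 (search/discovery): walk a tree and list every spreadsheet."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SPREADSHEET_EXTENSIONS:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def fingerprint(path):
    """SHA-256 of the file contents; any edit to the workbook changes it."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def build_inventory(root):
    """Inventory keyed by path relative to root, with a simple indicator."""
    inventory = {}
    for path in discover_spreadsheets(root):
        rel = os.path.relpath(path, root)
        inventory[rel] = {
            "sha256": fingerprint(path),
            "macro_enabled": rel.lower().endswith(".xlsm"),
        }
    return inventory


def detect_changes(baseline, current):
    """Group 1 (management/control): compare a tested baseline with a later
    scan so every added, removed or modified workbook is reported for review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline
            if p in current and baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def kri_summary(inventory):
    """Two department-level indicators of the kind listed in question 38."""
    return {
        "spreadsheets": len(inventory),
        "macro_enabled": sum(1 for v in inventory.values() if v["macro_enabled"]),
    }


def demo():
    """Constructed scenario: baseline, then one edit, one new file, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        seed = {
            "finance/provisions.xlsm": b"macro workbook v1",
            "finance/reconciliation.xlsx": b"recon v1",
            "finance/notes.txt": b"not a spreadsheet, must be ignored",
        }
        for rel, data in seed.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        baseline = build_inventory(root)  # taken after the owner has tested it
        with open(os.path.join(root, "finance/provisions.xlsm"), "wb") as handle:
            handle.write(b"macro workbook v2")  # edit made after the baseline
        os.remove(os.path.join(root, "finance/reconciliation.xlsx"))
        with open(os.path.join(root, "finance/budget.xlsx"), "wb") as handle:
            handle.write(b"new workbook")
        return kri_summary(baseline), detect_changes(baseline, build_inventory(root))
```

Calling demo() returns the baseline indicators and a change report naming the edited, deleted and new workbooks; the report is only useful if someone is assigned to review it, which is the point question 54 makes about audit trails.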

50. Are there established solutions and clear market leaders?

The vendors are a mixture of new companies who are specialising in this particular market and several existing software vendors who have diversified their existing product range.

Although some solutions are more established than others, the market is still relatively immature and gaining new entrants. No clear market leader has yet emerged, partly because the right choice of solution (or combination of solutions) will depend on individual companies’ requirements and goals.

Given the rapidly changing state of the market, it is difficult to provide detailed information in a publication such as this. Protiviti does, however, maintain information on all of the leading solutions and would be pleased to provide further information on request. Though there is clearly a large market, we believe the current number of vendors is unsustainable, and that some consolidation will occur.

51. If technology solutions are implemented, will they impact all spreadsheets operating within the organisation?

The spreadsheet management and control solutions are typically used only to manage spreadsheets that have been identified as business-critical or ‘in scope’.

It is theoretically possible to monitor and manage all of the organisation’s spreadsheets, but it would normally be impractical given the number of spreadsheets that exist in most organisations. We recommend, as part of the solution implementation, that careful consideration be given to determining which spreadsheets should be included. The rules for determining which spreadsheets are in scope should be defined in the spreadsheet risk management policy.

52. Are there performance or usability issues that need to be considered when implementing spreadsheet control solutions?

This depends on the individual solution and how it operates. Some solutions place limitations on user functionality. Others may increase the time it takes to save large spreadsheets or may generate significant volumes of data traffic on the network. Companies should ensure that they evaluate any usability and technical constraints and requirements during the product selection process.

53. Who would implement and manage the operation of any spreadsheet solutions?

Typically, the implementation of such solutions is run as a project, with a dedicated project team reporting to both business and IT stakeholders. The business will want to ensure that the solution and its associated processes meet their objectives. IT often will require the solution to fit with their technical architecture and not adversely affect network performance. IT is also likely to have responsibility for maintaining the platform going forward, and therefore, will need to be involved in the selection and implementation processes.

Often, the solution also will require a system administrator role for technical assistance with matters such as setting up new users. Additionally, there is likely to be a requirement for a business manager or reviewer to ensure that changes made are appropriate. The actual roles will depend on the objectives and the solution(s) chosen.


54. Is it as straightforward as installing the software in order to manage the risk or to be compliant?

Unfortunately, spreadsheet risk management is not as straightforward as simply implementing a tool. In fact, the selection and implementation of a spreadsheet risk management tool is potentially one of the easiest parts of the overall programme.

Before implementing a tool, the business will need to determine its risk appetite and policies governing the use of spreadsheets. Then, the business will need to educate all users of potentially critical spreadsheets and embed a risk management culture. This is typically the most complex part of any spreadsheet risk management programme.

Once the business has identified the potentially critical spreadsheets that will be controlled using the selected tool, the spreadsheet owner will need to perform testing to ensure the spreadsheet is operating effectively. (There is limited value in tracking changes to a spreadsheet that lacks integrity from the start.)

The spreadsheet owner then will need to decide what actions/changes should be logged and review responsibilities. There is no point in building up an audit trail of all the changes made to a spreadsheet if nobody reviews and follows up on the changes. The spreadsheet owner also must consider access control requirements, and the spreadsheet risk management tool will need to be configured appropriately to manage this access.


About Protiviti Inc.

Protiviti (www.protiviti.co.uk) is a global consulting and internal audit firm composed of experts specialising in risk and advisory services. The firm helps clients solve problems in finance, operations, technology, litigation and GRC. Protiviti’s highly trained, results-oriented professionals serve clients in the Americas, Asia-Pacific, Europe and the Middle East and provide a unique perspective on a wide range of critical business issues.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

End-user computing risk management services

Protiviti has the experience to help you understand the risks associated with your end-user computing applications. We can help you implement an effective spreadsheet risk management framework that provides an appropriate level of control without adversely impacting usability or productivity. Our approach represents a pragmatic response to end-user computing risk based on real business need and built on practical experience.

Protiviti knows what auditors are looking for in respect to statutory and compliance requirements, and can help you interpret and meet those requirements. We remain vendor-independent but have thorough knowledge of the solutions on the market. With this knowledge, we can help you:
• Define spreadsheet risk management policies and supporting processes.
• Evaluate the options available based on your specific requirements and objectives.
• Create an inventory of spreadsheets through scanning or targeted discussions with users.
• Review spreadsheets to identify errors and develop a base-lined version that can be controlled.
• Implement a spreadsheet management framework, including:
– Select a spreadsheet risk management tool.
– Determine what controls and settings should be configured within the solution.
– Develop procedures, training/awareness programmes and monitoring processes.

We also help internal audit functions add value through auditing end-user computing, including:
• Assessment (pilot study or full assessment) of the extent to which end-user applications support critical business processes and the risk these applications present to the business.
• Identification and assessment of controls in place around the development, operation and maintenance of end-user applications.
• Audits of individual applications to identify potential errors and design weaknesses, using automated tools and our spreadsheet audit methodology.
• Remediation of identified control gaps and application errors.


Contacts

EMEA (Europe, Middle East and Africa)
Jonathan Wyatt, Managing Director, +44 (0) [email protected]
+44 (0) [email protected]

Rob Nieves, +44 (0) 20 7389 0445, rob.nieves@protiviti.co.uk

United States
Edward Hill, Managing Director, +1 713 314 5010, edward.hill@protiviti.com
Evan Campbell, +1 713 314 4974, evan.campbell@protiviti.com
Andrew Struthers-Kennedy, +1 410 454 6879, andrew.struthers-kennedy@protiviti.com

Asia-Pacific
Singapore
Matthew Field, Managing Director, +65 6220 6066, matthew.field@protiviti.com

[email protected]

Australia
Justin Trentini, +61 2 8220 9502, justin.trentini@protiviti.com.au


Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. Protiviti is an Equal Opportunity Employer.

© �00� Protivitiprotiviti.co.uk+�� �0 ���0 ��0�