Spreadsheets are everywhere. They enable us to quickly and flexibly perform analysis that otherwise would be difficult or time-consuming. As a result, we tend to place undue trust in the integrity of the analysis spreadsheets perform.
As spreadsheet users have become more information technology (IT) proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications, but the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications. In contrast to most other applications of this nature and criticality, spreadsheets rarely are designed and developed by expert users or with controls in mind.
Many companies rely on spreadsheets as key applications that support operational and financial reporting processes. The purposes of spreadsheets are widespread; from performing complex modeling for trading decisions to accounting reconciliations and calculating employee bonuses.
A simple search of your network may surprise you, as it will likely reveal thousands, if not millions, of spreadsheets in use. Do you know who manages them? What is the purpose of these spreadsheets? How reliable are their calculations? Who ensures the results they produce are valid?
The increased regulation and compliance that now impact spreadsheet control is not surprising given past few years of numerous multimillion-dollar errors and fraud attributed to the use of spreadsheets. We also see companies filing reports of material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets.
This regulatory pressure and increasing focus from auditors are forcing organizations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. While guidance exists, much of it is academic, providing little practical value to companies.
This publication represents a pragmatic response to spreadsheet risk based on real business needs. Although this publication uses the term “spreadsheet,” much of the guidance applies equally to other end-user-developed applications, such as databases and reports. Spreadsheets are the most prevalent of end-user applications, but there are other types growing in numbers that should not be ignored. Sections include:
- Executive ownership and governance
- Creating a library of critical spreadsheets
- Implementing a spreadsheet control framework
- Assessing spreadsheet controls and current risk exposure
- Gaining assurance over critical spreadsheets
- Spreadsheet risk indicators and reporting
- Resources
- Technology enabling effective spreadsheet risk management
Download the entire Booklet:
Spreadsheet Risk Poll