July 6, 2009
Spreadsheet Risk Management FAQ: Table of Contents
An introduction to spreadsheet risk management
Executive ownership and governance
- 1. Why are spreadsheets so prevalent today?
- 2. What is spreadsheet risk management?
- 3. Why do spreadsheets present a risk?
- 4. Is the level of risk increasing?
- 5. What about other desktop tools available to users?
- 6. Why has spreadsheet risk management suddenly become important?
- 7. Do technology solutions exist that can assist with managing spreadsheet risk?
Creating a library of critical spreadsheets
- 8. Who is accountable for effective spreadsheet risk management?
- 9. What do the major legislative acts have to say about spreadsheets?
- 10. How can the executive define and communicate spreadsheet risk management requirements?
- 11. Who should operate spreadsheet risk management processes?
- 12. Why should we report on spreadsheet risk to senior management and the executive?
- 13. What should the risk responsibilities of spreadsheet owners cover?
- 14. What should be the role of the IT department?
- 15. What should be the role of operational and risk departments?
- 16. What should be the role of internal audit?
Implementing a spreadsheet control framework
- 17. How do we measure risk?
- 18. How do we start to identify the potentially critical spreadsheets?
- 19. Which parts of the organization can have the greatest dependency on critical spreadsheets?
- 20. How can we ensure that we identify all potentially critical spreadsheets?
- 21. What about spreadsheets that have links to other spreadsheets?
Assessing spreadsheet controls and current risk exposure
- 22. What is a spreadsheet control framework and why is it important?
- 23. What are the typical key components of a spreadsheet control framework?
- 24. When is a spreadsheet not fit for purpose?
Gaining assurance over critical spreadsheets
- 25. Do we need to assess the controls in operation across all our spreadsheets?
- 26. How do we consistently assess controls across spreadsheets?
- 27. How do we assess whether the controls are effective?
- 28. Can different approaches be taken to resolve any control issues?
- 29. How can we identify common control issues across the organization?
- 30. How do we ensure that control issues are resolved and closed within an acceptable time frame?
- 31. Who is responsible for accepting the residual risk that exists within a spreadsheet?
Spreadsheet Risk Indicators and Reporting
- 32. How can the organization ensure that spreadsheet owners are appropriately managing spreadsheet risk?
- 33. Where controls have been deficient, how can we rely on the integrity of the spreadsheet?
- 34. Is it possible to rely on the spreadsheet risk management process to provide assurance over the critical spreadsheets?
- 35. How often should spreadsheets or the spreadsheet control environment be evaluated?
- 36. Should internal audit be relied on to provide assurance on behalf of the business?
Training and awareness
- 37. What other forms of assurance can we rely upon rather than periodic controls assessments?
- 38. Are there generally accepted key indicators of spreadsheet risk or measures that should be applied?
- 39. What information is provided to the executive/risk committees regarding spreadsheet risk?
- 40. How can we ensure management and spreadsheet owners take on more accountability for the risk associated with the spreadsheets they own?
- 41. How can we ensure that spreadsheet risk is incorporated into our current regulatory reporting processes?
- 42. Making spreadsheet owners aware of potential risk is difficult. Are there any tried and tested approaches?
- 43. Are there differing levels of training required for spreadsheet owners?
- 44. Is the intranet an effective tool for ensuring awareness of spreadsheet risk within the organization?
Technology enabling effective spreadsheet risk management
- 45. What are the key spreadsheet risk management capabilities that should exist in any organization?
- 46. To what degree should the organization expect to be sourcing third-party skills?
- 47. Should the organization be employing specific spreadsheet support teams?
- 48. Should formal processes exist to ensure that the organization consistently manages spreadsheet risk?
- 49. Do technology solutions exist to help with spreadsheet risk management?
- 50. Are there established solutions and clear market leaders?
- 51. If technology solutions are implemented, will they impact all spreadsheets operating with the organization?
- 52. Are there performance or usability issues that need to be considered when implementing spreadsheet control solutions?
- 53. Who would implement and manage the operation of any spreadsheet solutions?
- 54. Is it as straightforward as installing the software in order to manage the risk or to be compliant?