Posted: 28 Mar. 2023 5 min. read

Spreadsheet Controls

Are your spreadsheets exposing your organisation to unmitigated risks?

Every organisation has many checks and controls: these can range from manual checks all the way up to automated system controls. A significant number of controls will involve spreadsheets which are being used to support critical business decisions and processes. There have been stories in the media of incidents or near-misses where a problem with a spreadsheet has threatened to cause a material issue for an organisation - and these stories only cover the problems which are actually detected and become public. Given these incidents, robust controls over spreadsheets are an important consideration for organisations of all sizes.

There are clear benefits to using spreadsheets, but challenges come in keeping on top of the risk that each individual spreadsheet poses. The challenges then multiply if new spreadsheets are being created constantly within the organisation. If the risks associated with individual spreadsheets are not well understood, then an organisation cannot understand, and therefore cannot effectively mitigate, the aggregate risk they are faced with.

What are the Risks?

Fundamentally, the principal risk is the risk of an error in a spreadsheet’s output. This risk can arise from many different sources, however, all of which need to be considered to properly address it:

  • Does the spreadsheet have a clearly defined purpose? Without a clear purpose, a spreadsheet’s design may not be fit for purpose, its inputs may be inappropriate and its outputs may be used in situations where it is not appropriate to do so.
  • How was the spreadsheet built? Does the organisation have a dedicated and experienced modelling resource that maintains good practice and templates, or was it built when needed by someone in finance who picked up their spreadsheet skills over time starting from a blank spreadsheet?
  • How was the spreadsheet tested? If the spreadsheet has not been robustly tested, then there could be errors present that were not noticed during development.

Beyond the immediate risk of the accuracy of a spreadsheet’s output, there are operational risks that organisations need to consider, especially regarding spreadsheets intended for long term recurring use:

  • Who is accountable for the spreadsheet’s output? Without a clear line of accountability, there is a risk that if an issue is identified with a spreadsheet, it could be hard to track or follow up the issue to ensure that the spreadsheet has been updated to remedy the issue.
  • Is knowledge of the spreadsheets concentrated? Often spreadsheets will contain complexities and intricacies that are only understood by their developers or regular operators (including complex macros). If these individuals depart, or are otherwise unavailable, there could be a risk of a knowledge gap leading to inappropriate operation of the spreadsheet by a replacement.
  • Are assumptions appropriate? All spreadsheets make use of assumptions in deriving their outputs, and the appropriateness of assumptions may change over time. It is important that the assumptions used are appropriate for the question being asked and are congruent with other assumptions included in the spreadsheet. Unless all of these are well understood by the user, even small changes can result in outputs which drive inappropriate decision making.

What Controls address the Risks?

The foundation for ensuring the use of spreadsheets does not expose an organisation to unmitigated risk is codifying an appropriate Spreadsheet Risk Management Framework. The framework defines what a spreadsheet is, how they are to be assessed for risk, and the processes and controls that set out how the risk management strategy works day to day in the organisation. Every organisation’s framework will be different, and reflective of their particular ways of working and the challenges of their sector, but in general a framework and these supported processes will cover:

  • Organisation and Governance – Governance plays an essential role in spreadsheet risk management, and therefore approval from an appropriate governance body (typically the Board Risk Committee), with senior stakeholders receiving periodic reports regarding compliance, is recommended. In addition, functional spreadsheet risk roles that report directly to senior stakeholders (e.g. CRO) who are responsible for the framework and the governance should be established. Governance includes ensuring development of a spreadsheet validation capability / function responsible for the independent validation of business critical spreadsheets.
  • Spreadsheet Risk Quantification – setting out the quantitative techniques used to assess and mitigate spreadsheet risk: the sensitivity of the spreadsheet to errors in, or the absence of, input variables, the sensitivity of its outputs, and the impact of erroneous use.
  • Spreadsheet Lifecycle Management – maintaining a comprehensive inventory covering all existing in-use spreadsheets from all areas of the business; classifying spreadsheets based on the level of risk, materiality and complexity, and defining proportionate controls around the development, documentation, testing, maintenance, and ongoing assurance of a spreadsheet.

Assurance

Even the best laid control frameworks are worth very little without continual assurance to validate that the controls are operating effectively. The scope of this assurance, and the frequency with which it is performed, is specific to each organisation as they will have different frameworks in place managing spreadsheet risk and different external pressures (e.g. regulatory reporting requirements). Broadly, spreadsheet control assurance activity comprises:

  • Spreadsheet Discovery - investigative exercises to determine if there are spreadsheets in use within the organisation that have not been captured in the control infrastructure. For example, conversations can be held with key process owners (e.g. in finance) to understand what spreadsheets are in use routinely by them, with any spreadsheets described then cross-checked against the organisation’s spreadsheet inventory to verify that they are recorded. Alternatively, automated tools can be deployed to scan areas of the organisation’s IT infrastructure, identifying files that, based on set criteria, might be considered reportable spreadsheets; these are then reviewed to consider whether they should be, or have been, recorded in the inventory.
  • Spreadsheet Assessment – initial and periodic update reviews of spreadsheets on a rolling basis, selected from the organisation’s spreadsheet inventory. These assessments would include reviewing the spreadsheet’s records in the inventory (e.g. identity of the owner, whether all required documentation is present, and whether a sufficient extent of testing has been performed). It may also extend to a review of the spreadsheet itself using spreadsheet logic analysis tools to verify that required templates and good practice have been used to build and maintain the spreadsheet, and that the spreadsheet conforms to its intended specifications.
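One way the automated discovery and inventory cross-check described above could be implemented, together with the record-level checks (owner, documentation, testing) that the assessment step looks for, is sketched below. This is an added example and is not part of the original article or any Deloitte tooling: a Python script that walks a directory tree, identifies workbooks by their content signature rather than their extension (so a workbook saved under an unrelated extension is still found), flags macro-capable files for closer review, and reconciles the result against an inventory CSV in both directions. The directory layout, the inventory columns (path, owner, documentation, tested) and the file contents are all constructed for the example.

```python
# Constructed example: the directory tree, inventory columns and file contents are made up so it runs offline.
import csv
import io
import os
import tempfile
import zipfile
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls (OLE2) container header
KNOWN_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".ods"}


def classify(path):
    """Content-based check (zip members / OLE header); a renamed workbook is still found."""
    try:
        with path.open("rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    kind, names = None, []
    if head.startswith(b"PK") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        if "xl/workbook.xml" in names or "xl/workbook.bin" in names:
            kind = "ooxml"  # .xlsx / .xlsm / .xlsb
    elif head == OLE_MAGIC:
        kind = "ole"  # legacy .xls
    if kind is None:
        return None
    return {
        "kind": kind,
        # Conservative flag: explicit VBA part, or any legacy OLE file (may carry VBA)
        "macro_capable": "xl/vbaProject.bin" in names or kind == "ole",
        "extension_mismatch": path.suffix.lower() not in KNOWN_EXTENSIONS,
    }


def discover(root):
    """Walk root and return a record for every file classified as a workbook."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            rec = classify(full)
            if rec is not None:
                rec["path"] = full.relative_to(root).as_posix()
                found.append(rec)
    return sorted(found, key=lambda r: r["path"])


def parse_inventory(csv_text):
    """Inventory CSV keyed by path (constructed columns: path, owner, documentation, tested)."""
    return {row["path"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def assess_record(record):
    """Gaps in an inventory record that the assessment step would pick up."""
    gaps = []
    if not record.get("owner", "").strip():
        gaps.append("no owner recorded")
    if record.get("documentation", "").strip().lower() != "yes":
        gaps.append("documentation missing")
    if record.get("tested", "").strip().lower() != "yes":
        gaps.append("testing not evidenced")
    return gaps


def reconcile(discovered, inventory):
    """Cross-check discovered files against the inventory in both directions."""
    on_disk = {r["path"] for r in discovered}
    gaps = {p: assess_record(r) for p, r in inventory.items()}
    return {
        "unrecorded": [p for p in sorted(on_disk) if p not in inventory],
        "missing_on_disk": [p for p in inventory if p not in on_disk],
        "record_gaps": {p: g for p, g in gaps.items() if g},
    }


SAMPLE_INVENTORY = """path,owner,documentation,tested
finance/forecast.xlsx,FP&A Manager,yes,yes
finance/bonus_calc.xlsm,,yes,no
treasury/hedges.xlsx,Treasury Lead,yes,yes
"""


def _write_ooxml(path, with_macros=False):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00")


def build_sample_tree():
    """Create a constructed file share under a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="sheets_"))
    _write_ooxml(root / "finance" / "forecast.xlsx")
    _write_ooxml(root / "finance" / "bonus_calc.xlsm", with_macros=True)
    _write_ooxml(root / "shared" / "report.dat")  # workbook saved under a wrong extension
    (root / "ops").mkdir()
    (root / "ops" / "legacy.xls").write_bytes(OLE_MAGIC + b"\x00" * 512)
    (root / "ops" / "notes.txt").write_text("not a spreadsheet\n")
    return root


if __name__ == "__main__":
    print(reconcile(discover(build_sample_tree()), parse_inventory(SAMPLE_INVENTORY)))
```

On the constructed tree the script reports two unrecorded workbooks (the legacy .xls and the workbook hiding under a .dat extension), one inventory entry with no file on disk, and one record lacking an owner and test evidence. Scanning by content rather than filename is the point: an extension-only scan would miss the renamed file, and the macro flag is deliberately conservative so that legacy files are queued for review rather than assumed clean.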

If you are experiencing challenges or have concerns with spreadsheet risk within your organisation and want to have a discussion with one of our experts, please get in touch.

Key contacts

Charles Lamb

Director

Charles is a director in Deloitte’s dedicated business modelling & Analytics centre of excellence with over 14 years of experience advising a range of clients and leads our Financial Planning & Analytics offering. Charles has extensive experience in delivering tactical planning solutions to clients as part of finance transformations, cost reductions and transactional support. Charles’s clients include both public and private sector organisations, blue-chip corporates and private equity houses operating across the Financial Services, Technology and Public sectors. Charles is a member of the Chartered Institute of Management Accountants (CIMA) and previously worked as a software engineer on safety critical software.

Martin Davitt

Director

Martin is a senior director within Deloitte’s dedicated modelling centre of excellence, who leads the team’s Model Review activities. A Chartered Accountant, Martin has over twenty years of experience, providing business modelling services in support of the strategic decisions of multinational companies. Martin’s relevant experience includes the review and development of a significant number of complex models across a range of industry sectors for funds, major bids, structured finance projects, mergers and acquisitions, business valuations, refinancing and restructuring.

Ololade Adesanya

Director

Ololade Adesanya is a Director in Deloitte’s Risk Advisory practice and Financial Services Controls Advisory Lead. Ololade has over 16 years’ experience working with firms in the Financial Services industry providing assurance and advisory services around governance, risks and controls. Ololade’s experience spans internal controls design and implementation, risk and controls engineering, controls remediation and internal audit. Ololade is a Fellow Chartered Accountant with the Institute of Chartered Accountants in England and Wales. She is passionate about applying technology to drive process, risk and controls improvements and has executive certificates in Fintech (Oxford Saïd Business School) and Digital Transformation (Imperial College London). In recent times she has been working with Financial Services firms to provide support around aspects of the UK Corporate Governance reforms. She has written and contributed to blogs and articles on corporate governance and internal audit and has presented at many conferences.