Spreadsheet Controls - Are your spreadsheets exposing your organisation to unmitigated risks?
Every organisation has many checks and controls: these can range from manual checks all the way up to automated system controls. A significant number of controls will involve spreadsheets which are being used to support critical business decisions and processes. There have been stories in the media of incidents or near-misses where a problem with a spreadsheet has threatened to cause a material issue for an organisation - and these stories only cover the problems which are actually detected and become public. Given these incidents, robust controls over spreadsheets are an important consideration for organisations of all sizes.
There are clear benefits to using spreadsheets, but challenges come in keeping on top of the risk that each individual spreadsheet poses. The challenges then multiply if new spreadsheets are being created constantly within the organisation. If the risks associated with individual spreadsheets are not well understood, then an organisation cannot understand, and therefore cannot effectively mitigate, the aggregate risk they are faced with.
Fundamentally, the principal risk is the risk of an error in a spreadsheet’s output. However, this risk arises from many different sources, all of which need to be considered to address it properly:
Beyond the immediate risk of the accuracy of a spreadsheet’s output, there are operational risks that organisations need to consider, especially regarding spreadsheets intended for long term recurring use:
The foundation for ensuring the use of spreadsheets does not expose an organisation to unmitigated risk is codifying an appropriate Spreadsheet Risk Management Framework. The framework defines what a spreadsheet is, how spreadsheets are to be assessed for risk, and the processes and controls that set out how the risk management strategy works day to day in the organisation. Every organisation’s framework will be different, and reflective of their particular ways of working and the challenges of their sector, but in general a framework and its supporting processes will cover:
Even the best-laid control frameworks are worth very little without continual assurance to validate that the controls are operating effectively. The scope of this assurance, and the frequency with which it is performed, are specific to each organisation, as each will have a different framework in place for managing spreadsheet risk and different external pressures (e.g. regulatory reporting requirements). Broadly, spreadsheet control assurance activity comprises:
If you are experiencing challenges or have concerns with spreadsheet risk within your organisation and want to have a discussion with one of our experts, please get in touch.
Charles is a director in Deloitte’s dedicated Business Modelling & Analytics centre of excellence with over 14 years of experience advising a range of clients, and leads our Financial Planning & Analytics offering. Charles has extensive experience in delivering tactical planning solutions to clients as part of finance transformations, cost reductions and transactional support. Charles’s clients include both public and private sector organisations, blue-chip corporates and private equity houses operating across the Financial Services, Technology and Public sectors. Charles is a member of the Chartered Institute of Management Accountants (CIMA) and previously worked as a software engineer on safety-critical software.
Martin is a senior director within Deloitte’s dedicated modelling centre of excellence, who leads the team’s Model Review activities. A Chartered Accountant, Martin has over twenty years of experience, providing business modelling services in support of the strategic decisions of multinational companies. Martin’s relevant experience includes the review and development of a significant number of complex models across a range of industry sectors for funds, major bids, structured financed projects, mergers and acquisitions, business valuations, refinancing and restructuring.
Ololade Adesanya is a Director in Deloitte’s Risk Advisory practice and Financial Services Controls Advisory Lead. Ololade has over 16 years’ experience working with firms in the Financial Services industry, providing assurance and advisory services around governance, risks and controls. Ololade’s experience spans internal controls design and implementation, risk and controls engineering, controls remediation and internal audit. Ololade is a Fellow Chartered Accountant with the Institute of Chartered Accountants in England and Wales. She is passionate about applying technology to drive process, risk and controls improvements and has executive certificates in Fintech (Oxford Said Business School) and Digital Transformation (Imperial College London). In recent times she has been working with Financial Services firms to provide support around aspects of the UK Corporate Governance reforms. She has written and contributed to blogs and articles on corporate governance and internal audit and has presented at many conferences.