Risk is inherent in the use of spreadsheets within financial institutions but it has long been ignored. Now regulatory scrutiny into processes is spurring growth in the market for spreadsheet control solutions. Nolan Gesher explains why they are worth considering Spreadsheets seem to be the perfect tool for managing critical data with flexibility and little or no overhead. Yet, the characteristics that make them so desirable also pose risk. The manually intensive nature of spreadsheet creation and use increases their level of vulnerability to error and fraud. In light of the recent global financial crisis, auditors and regulators are increasingly scrutinising all areas of business – including processes and controls surrounding spreadsheets. In an attempt to comply with these challenges, a burgeoning market for spreadsheet control solutions has emerged. So, why should executives and risk professionals take notice of this trend? The proof is in the numbers Spreadsheets are often used to manage critical data, making them an essential decision-making tool. For example, data is extracted from spreadsheets and entered into a general ledger for corporate reporting to calculate business decisions. Despite the importance of spreadsheets, they seldom have the proper levels of control applied to mitigate the risks inherent in the data they contain and the processes they support. Ninety per cent of organisations surveyed by Fiserv believe spreadsheets represent a material risk, yet the majority said they had only rudimentary controls in place. According to a recent Gartner report, spreadsheet control solutions have not become a widespread area of concern with executives and the use of automation is not yet considered a necessary practice. Nevertheless, Gartner predicts the market is set to experience steady growth. Recent headlines have uncovered a number of spreadsheet-fraud related incidents that have cost the industry millions in financial losses. In a recent case, bank tellers manipulated large deposit tickets and the spreadsheets used to track them. This enabled them to hide the deposits and skim an estimated $3 million. Taking a closer look Incidents such as these have prompted auditors to examine the way spreadsheets are used and monitored. Spreadsheets are being scrutinised under global regulations on an ongoing basis. For example, the Sarbanes-Oxley Act, section 404, in the US, the Turnbull report on internal control in the UK and the Australian Securities Exchange’s Principle 7 require management and outside auditors to report on the adequacy of internal controls. In a recent survey, Fiserv found that 70% of organisations said the proposed purchase of a spreadsheet control solution would also need to pass internal return on investment (ROI) hurdles before gaining approval. Showing a ROI is therefore a necessity for spreadsheet control solutions – in addition to guarding against accidental error, satisfying the enhanced focus on spreadsheet use by auditors and regulators, and mitigating spreadsheet-based fraud. However, what was also apparent is that forward thinking organisations are beginning to realise that investment in spreadsheet governance solutions ultimately pays for itself – not only in terms of increased efficiencies, but also through improved transparency and enhanced audit and control capabilities. These attributes serve to identify and prevent potential spreadsheet derived losses before they occur. So, what is needed to meet the control, audit and efficiency requirements of enterprise spreadsheet use? • Discovery and assessment – The creation of a living inventory of spreadsheets to identify all spreadsheets within an organisation, which is then periodically updated to account for changes and new spreadsheets, is a major challenge and one best served via an automated solution. Not all spreadsheets require the same level of audit and control though. Through automated risk analysis firms have the ability to determine those spreadsheets that are deemed worthy of a level of audit and control as opposed to those that pose no risk to the business and do not require enhanced governance. Individual spreadsheet analysis can then be aggregated so that an enterprise wide risk appraisal can be understood by those responsible for audit, compliance and risk management. • Security – Spreadsheets and file shares come with the ability to password-protect data but implementation and control of these passwords relies entirely on individual users. Automated spreadsheet governance solutions approach security from an enterprise perspective by providing organisations with security capabilities typically associated with key applications. • Control – Spreadsheet governance within an organisation demands multiple types and degrees of control around spreadsheet use. Among these are the need for audit capabilities to track all changes made within a spreadsheet and the ability to manage links between spreadsheets and account for active, broken or inconsistent links. In addition, version comparison capabilities can quickly identify changes made between any two versions of the same spreadsheet and determine whether they are appropriate. • Analytics – Spreadsheets are proficient at alerting users to formatting mistakes, such as an incorrectly structured formula. This is typically where cell-level analysis begins and ends. Spreadsheet analysis capabilities are critical in identifying conditions or events that require investigation. Such analytics need to proactively look for anomalies at the cell level to alert users and reviewers alike of potential errors or fraud. • Operational efficiency – All of the attributes discussed above provide a level of operational efficiency via time or cost savings that cannot be achieved without an automated spreadsheet control solution. By automating manual and therefore uncontrolled processes, an institution will be able to save time, impact the bottom line and identify and reduce the number of errors within a spreadsheet. An added benefit is that this capability also serves to identify and ideally discourage fraudulent behaviour. Mitigating risk When confronting the inherent risks in spreadsheets, firms need to focus on their immediate priorities. Most spreadsheet control solutions can be positioned as end-to-end or standalone to help firms to take a step-by-step approach in solving spreadsheet control needs. The way forward will often be different based on each individual organisation’s needs, but standard practices need to be implemented and the best approach is close consultation with a solution provider to properly understand the most effective and efficient direction to take. Regardless of the starting point, it is likely the use of spreadsheets in any organisation is in dire need of control. An automated audit and control framework that can support all business lines across the organisation is required to address this long-ignored, yet looming, area of hidden risk....
Start a FREE trial or subscribe to continue reading:
Start a 4 week free trial
Try Risk.net's premium content for a limited period. Register now for your FREE trial to one of our leading brands.
*not available to previous trialists or subscribers.
Log In or Subscribe Now
Subscribe to Risk.net Business now to access all our premium news & features content for 1 year.
Pay by Credit Card for immediate access.