Spreadsheet Risk Management
Frequently Asked Questions Guide
Table of contents

Introduction

An introduction to spreadsheet risk management
1. Why are spreadsheets so prevalent today?
2. What is spreadsheet risk management?
3. Why do spreadsheets present a risk?
4. Is the level of risk increasing?
5. What about other desktop tools available to users?
6. Why has spreadsheet risk management suddenly become important?
7. Do technology solutions exist that can assist with managing spreadsheet risk?

Executive ownership and governance
8. Who is accountable for effective spreadsheet risk management?
9. What do the major legislative acts have to say about spreadsheets?
10. How can the executive define and communicate their spreadsheet risk management requirements?
11. Who should operate spreadsheet risk management processes?
12. Why should we report on spreadsheet risk to senior management and the executive?
13. What should the risk responsibilities of a spreadsheet owner cover?
14. What should be the role of the IT department?
15. What should be the role of operational risk departments?
16. What should be the role of internal audit?

Creating a library of critical spreadsheets
17. How do we measure risk?
18. How do we start to identify the potentially critical spreadsheets?
19. Which parts of the organisation can have the greatest dependency on critical spreadsheets?
20. How can we ensure that we identify all potentially critical spreadsheets?
21. What about spreadsheets that have links to other spreadsheets?

Implementing a spreadsheet control framework
22. What is a spreadsheet control framework and why is it important?
23. What are the typical key components of a spreadsheet control framework?
24. When is a spreadsheet not fit for purpose?

Assessing spreadsheet controls and current risk exposure
25. Do we need to assess the controls in operation across all our spreadsheets?
26. How do we consistently assess controls across spreadsheets?
27. How do we assess whether the controls are effective?
28. Can different approaches be taken to resolve any control issues?
29. How can we identify common control issues across the organisation?
30. How do we ensure that control issues are resolved and closed within an acceptable time frame?
31. Who is responsible for accepting the residual risk that exists within a spreadsheet?

Gaining assurance over critical spreadsheets
32. How can the organisation ensure that spreadsheet owners are appropriately managing spreadsheet risk?
33. Where controls have been deficient, how can we rely on the integrity of the spreadsheet?
34. Is it possible to rely on the spreadsheet risk management process to provide assurance over the critical spreadsheets?
35. How often should spreadsheets or the spreadsheet control environment be evaluated?
36. Should internal audit be relied on to provide assurance on behalf of the business?

Spreadsheet risk indicators and reporting
37. What other forms of assurance can we rely upon rather than periodic controls assessments?
38. Are there generally accepted key indicators of spreadsheet risk or measures that should be applied?
39. What information is provided to the executive/risk committees regarding spreadsheet risk?
40. How can we ensure management and spreadsheet owners take on more accountability for the risk associated with the spreadsheets they own?
41. How can we ensure that spreadsheet risk is incorporated into our current regulatory reporting processes?

Training and awareness
42. Making spreadsheet owners aware of the potential risk is difficult. Are there any tried and tested approaches?
43. Are there differing levels of training required for spreadsheet owners?
44. Is the intranet an effective tool for ensuring awareness of spreadsheet risk within the organisation?

Resources
45. What are the key spreadsheet risk management capabilities that should exist in any organisation?
46. To what degree should the organisation expect to be sourcing third-party skills?
47. Should the organisation be employing specific spreadsheet support teams?
48. Should formal processes exist to ensure that the organisation consistently manages spreadsheet risk?

Technology enabling effective spreadsheet risk management
49. Do technology solutions exist to help with spreadsheet risk management?
50. Are there established solutions and clear market leaders?
51. If technology solutions are implemented, will they impact all spreadsheets operating within the organisation?
52. Are there performance or usability issues that need to be considered when implementing spreadsheet control solutions?
53. Who would implement and manage the operation of any spreadsheet solutions?
54. Is it as straightforward as installing the software in order to manage the risk or to be compliant?

About Protiviti Inc.
End-user computing risk management services

Contacts
Introduction

Spreadsheets are everywhere. They enable us to quickly and flexibly perform analysis that otherwise would be difficult or time-consuming. As a result, we tend to place undue trust in the integrity of the analysis spreadsheets produce. As spreadsheet users have become more information technology (IT) proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications, but the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications. In contrast to most other applications of this nature and criticality, spreadsheets are rarely designed and developed by expert users or with controls in mind.

Many companies rely on spreadsheets as a key application that supports operational and financial reporting processes. The purposes of spreadsheets are widespread, from performing complex modelling for trading decisions to accounting reconciliations and calculating employee bonuses.

A simple search of your network may surprise you, as it will reveal thousands, if not millions, of spreadsheets in use. Do you know who manages them? What is the purpose of these spreadsheets? How reliable are their calculations? Who ensures the results they produce are valid?

The increased regulation and compliance that now impacts spreadsheet control is not surprising, given that the past few years have seen numerous multimillion-pound errors and frauds attributed to the use of spreadsheets. We also see companies filing material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets.

This regulatory pressure and increasing focus from auditors is forcing organisations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. While guidance exists, much of it is academic, providing little practical value to companies.

This publication is based on Protiviti's extensive experience assisting our clients in this field. Our approach and guidance represent a pragmatic response to spreadsheet risk based on real business need. Although this publication uses the term 'spreadsheet', much of the guidance applies equally to other end-user-developed applications, such as databases and reports. Spreadsheets are the most prevalent of end-user applications, but there are other types growing in number that should not be ignored.
An introduction to spreadsheet risk management
1. Why are spreadsheets so prevalent today?

Technology is developing rapidly, as are users' expectations about what it should deliver, and when. This impatience poses challenges for IT departments. When the IT department cannot meet users' expectations, they are more likely to explore alternative options.

A spreadsheet is a powerful tool that in many cases is a viable alternative to lengthy software development cycles for users who require results immediately or need to keep ahead of the competition. As a result, spreadsheets are everywhere. They enable users to quickly perform analysis that otherwise would be difficult or time-consuming.

The ability of the user to develop and configure powerful solutions in a spreadsheet environment without appropriate training or awareness is introducing a high degree of spreadsheet-related risk into the corporate environment. This level of risk will grow with the increasing use and complexity of spreadsheets.

The key reasons behind the growing use of spreadsheets include:
• They are flexible and easy to use.
• Immediate results are generated, with potentially very short development periods.
• It is easy to become reasonably proficient in the use of a spreadsheet (though it is less straightforward to become reasonably proficient in their design and development).
• They can be configured to the personal requirements of the user.
• They are readily accessible by nearly all users, as they are usually a standard corporate desktop application.
• Spreadsheets can support the download and analysis of data from core systems.
• Over time, users have become more advanced in their use of spreadsheets.
• Spreadsheet software itself has become increasingly powerful over the years, opening up greater functionality to users.
2. What is spreadsheet risk management?

A fundamental problem with spreadsheets is that untrained users tend to place undue trust in the integrity of the analysis that is prepared in them. As users become more IT-literate, the number of spreadsheets in use is increasing, and they are becoming significantly more sophisticated.

Many companies rely on spreadsheets as a key application that supports operational and financial reporting processes. The purposes of such spreadsheets are widespread, from performing complex modelling to make trading decisions, to accounting reconciliations, to calculating employee bonuses.

Spreadsheet risk management helps ensure that the risk presented by spreadsheets is understood and appropriately mitigated.

3. Why do spreadsheets present a risk?

Spreadsheets can provide a broad spectrum of solutions to the user. The following table contains some typical examples of spreadsheet uses and how they can go wrong:

Use: Billing
What can go wrong: A major telecom organisation invested millions in core billing systems to support their key revenue-earning stream: billing customers for calls made. For certain corporate customers, however, the billing rules, which were often complex, changed from year to year.
The billing team concluded that for these corporate customers, it was too difficult for IT to change the systems on a yearly basis. Therefore, flexible spreadsheets were designed that would download data from the core systems and calculate the invoices.
The billing rules were too complex for spreadsheet owners to constantly check for possible user errors. As a result, errors were soon identified.
While lost revenue was recovered from the relevant corporate customers, the reputational impact on the telecom organisation is difficult to quantify. Had a detailed review of the spreadsheets not been performed, the revenue leakage would have remained undetected.

Use: Reporting
What can go wrong: An accounting consolidation package provided a reporting function that could not be configured to support the changing reporting requirements of the finance department.
Spreadsheets were built that took the financial reporting information from appropriately controlled Enterprise Resource Planning and consolidation system software, manipulated the data and provided reporting to senior management.
Controls around the systems were regularly reviewed and assessed as operating effectively. The spreadsheet was never in scope for the reviews, as it was owned within finance by the individuals responsible for reporting.
When the spreadsheets were reviewed in detail, a significant error was identified in the calculation of year-end accruals, the result of an error within a number of the calculations performed outside of the system in the spreadsheet.
Significant investment had occurred to ensure that systems were appropriately configured and controlled. This investment was entirely undermined by the creation of spreadsheets to produce reports that should have been configured in the core IT systems.
Use: Pricing
What can go wrong: A commodities trading firm priced and managed exposure on its options trading book through a complex spreadsheet that included a coded Monte Carlo algorithm.
The spreadsheet was produced by a trader with advanced spreadsheet knowledge. The trader also operated additional manual controls that provided assurance that the spreadsheet was accurately calculating price and exposure levels.
When the trader moved to another organisation, the spreadsheet was inherited by a new options trader who was not an advanced user of spreadsheets. This trader made some assumptions about the spreadsheet's operation. Over time, errors were introduced into formulas and exposure levels were tracked inaccurately. Options were incorrectly traded and month-end profit and loss analysis showed a significant loss on the options book.
The error was tracked back to inaccuracies within the spreadsheet. The options trader had no knowledge of the errors.

Use: Budgeting
What can go wrong: A consulting firm employed basic spreadsheets to price and budget client engagements. The spreadsheets provided analysis that allowed the engagement managers to calculate the hours and level of the team on the engagement. The objective was to ensure that the firm achieved a certain margin on each engagement. The spreadsheets, while relatively simple, had little or no control over the content. Formulas could be changed and pricing tables updated.
When errors were accidentally introduced into an engagement budgeting spreadsheet, they did not result in significant financial impact for that particular engagement. However, the error was significantly compounded when the spreadsheet was shared among all the engagement managers and the model was used to price other engagements.
Eventually, it was discovered that major engagements had been priced inappropriately and the firm would not achieve its target margin. The lost money was not recoverable from the clients, as fees were part of already-signed contracts.
Use: Data quality
What can go wrong: Many organisations use spreadsheets as a simple tool for capturing data on large projects. A common example of this has been the capturing of data on risk and control for Sarbanes-Oxley projects. Spreadsheets are also often used to track remediation and closure of gaps.
Businesses are often left with large numbers of spreadsheets that must be maintained over time. Organisations that have adopted this approach often want to extract information from the templates and use it, for example, to prepare weekly/monthly progress reports.
Many organisations that have adopted this approach have found that the production of management information is extremely time-consuming. Furthermore, when the data is consolidated into monthly reports, inconsistencies are often identified. These are typically a combination of timing issues and errors.
Another common problem is that there often are multiple users of the spreadsheets. This results in significant version-control issues as the wrong versions are picked up and used, or two users attempt to make changes simultaneously, potentially undoing each other's changes.
Though the direct consequences of these data quality issues were not significant, the cost of manually producing management information and resolving the quality issues was substantial.

In addition to these examples, a simple Internet search for spreadsheet errors reveals numerous examples, including budgeting errors, financial statement errors, pricing errors, and fraud or bad decision-making as a result of poor information. The financial impact can be significant (many millions of pounds) and the damage to a company's reputation can be even worse.

Some frequently quoted examples include:

"A cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract." Source: The Register

"Falsely-linked spreadsheets permitted fraud totalling $700 million at Allied Irish Bank/Allfirst." Source: EuSpRIG

"Kodak's SEC 10-K filing reported a material weakness in its internal controls surrounding the preparation and review of spreadsheets that include new or changed formulas." Source: Compliance Week
As spreadsheet users have become more proficient, their spreadsheets have become more complex. Spreadsheets were never designed to be enterprise-level applications. However, the growing use of complex and user-defined functions, lengthy macros and links to other spreadsheets and systems has led to the development of highly complicated applications.

4. Is the level of risk increasing?

Yes. Spreadsheets are becoming more complex and users are finding increasingly novel applications for them. User training and awareness is still limited, however. As spreadsheets become more complex, they are more prone to error. As users are perceived to become more IT-literate, more spreadsheets are being used to support critical business processes. A combination of these two factors is significantly increasing the overall risk profile for many organisations. The perceived level of risk is also rising due to growing awareness and understanding of the risk that uncontrolled spreadsheets pose, as well as increased regulatory and audit scrutiny.

5. What about other desktop tools available to users?

While this document uses the term 'spreadsheet', the issues and approaches outlined could just as easily apply to other desktop tools available to end users. These tools include database software (e.g. Microsoft Access), reporting tools (e.g. Crystal Reports) or any other 'power' tool that can be configured by the end user and depended upon to support operational processes.

End-user-developed databases can be even more risky than spreadsheets, as in many cases the data manipulation is less transparent to the end user. Reporting tools often allow users to develop customised reports which, if the query is configured incorrectly, can result in users inadvertently restricting the data they report.

However, the key difference between spreadsheets and other desktop tools is that spreadsheets are by far the most commonly used, and have by far the broadest range of users.

The technology solutions referenced later in this guide to support the management of spreadsheets differ from those available for other desktop tools. In certain cases, the solutions have some functionality that can be applied across multiple desktop tools, but this is generally the exception.

6. Why has spreadsheet risk management suddenly become important?

Spreadsheet risk has always been important. However, as discussed in answers to previous questions, there are indications it is becoming more significant.

The UK's H.M. Customs & Excise, in its 'Methodology for the Audit of Spreadsheet Models' (2001), said that "the complexity and functionality of spreadsheets has reached levels of sophistication that few could have imagined even five years ago. The consequent threat posed to businesses by such powerful 'end-user' applications, mainly in the hands of untrained users, is immense". This observation has continued to hold true in the years since its publication.

It is also fair to say that recent regulatory compliance initiatives have forced organisations to consider the spreadsheet risk to which they are exposed. In particular, guidance produced in support of the Sarbanes-Oxley Act has advised organisations to specifically consider spreadsheet risk. Regulatory bodies and external audit firms have detected the increasing exposure to spreadsheet risk and are taking action to ensure it is addressed.

7. Do technology solutions exist that can assist with managing spreadsheet risk?

Yes. The section 'Technology enabling effective spreadsheet risk management' provides more detail about the types of solutions available.
Executive ownership and governance
8. Who is accountable for effective spreadsheet risk management?

Senior management ('the executive'), including, but not limited to, the board, is ultimately accountable, on behalf of the organisation, for the effective management of all risk, including spreadsheet risk. This executive accountability is usually to the shareholders (where applicable) and the regulatory bodies governing the industry and environment in which the organisation operates.

The executive must understand:
• What is the risk?
• Where does the risk exist?
• How significant is the risk?
• Who is currently dealing with the risk?
• When will this risk be managed to an acceptable level?

Given the ever-increasing dependency on spreadsheets, as well as the external focus on them, the executive is increasingly aware that spreadsheet risk is an area of exposure that should be actively managed. This potentially time-consuming task should leverage many of the risk management processes already in operation, including current compliance efforts.

9. What do the major legislative acts have to say about spreadsheets?

The major legislative acts in existence today, namely Sarbanes-Oxley, Companies Act, Turnbull, Basel and MiFID, do not focus specifically on spreadsheet risk. However, effective management of spreadsheet risk is required to satisfy the requirements of each of these regulations.

Legislation tends to provide more generic statements such as, "An effective system of internal control…" (Turnbull). This ensures a broad sweep of requirements that will cover as many scenarios as possible within a diverse commercial environment. Therefore, organisations and the monitoring bodies (e.g. external audit firms, regulatory authorities) are required to interpret the legislation and determine how its requirements should be applied to each organisation.

What has become clear over the last five years is that the regulatory bodies and audit firms are becoming increasingly aware of the potential exposure to spreadsheet risk that can exist in an organisation. In fact, this issue became so significant during the Sarbanes-Oxley compliance peak between 2004 and 2006 that the major audit firms released various papers and guidance to ensure organisations were aware that spreadsheet risk management was an area they would be focusing on specifically. In many organisations, they found that managing spreadsheet risk was an issue for which no one in the organisation was taking accountability.

Spreadsheet risk management is therefore a requirement for all organisations that are subject to these regulations. The only scenario in which this would not apply is when an organisation has no significant business processes supported by spreadsheets.

In fact, the only way an organisation without an effective spreadsheet risk management strategy can be confident it is not exposed to significant risk is to prevent users from having access to the application. This is clearly not a practical solution for most organisations.

10. How can the executive define and communicate their spreadsheet risk management requirements?

Typically this is achieved by creating a spreadsheet risk management policy that states what the executive expects from the organisation. Then, the organisation will need to define how it implements the policy in a spreadsheet risk management operating model. This operating model should set out accountability, roles and responsibilities, processes, controls and minimum control standards.

When defining such requirements, the executive should take into account processes in place to ensure compliance with any existing policies. If there is not an effective compliance process in place, it is likely the spreadsheet policy will become another ineffective piece of paper on the pile of existing policies. Further guidance on implementing an effective governance, risk and compliance programme can be found in Protiviti's Enterprise Risk Management FAQ Guide.

If clear and regular assurance is provided to the executive on other policies, the executive can be more assured that introducing a spreadsheet risk management policy will be an effective vehicle for ensuring the organisation can begin to effectively manage spreadsheet risk.

11. Who should operate spreadsheet risk management processes?

Because the IT department provides the infrastructure and software critical to the operation of the spreadsheets, it is obviously responsible for ensuring that this aspect of the technology is effectively controlled. However, the IT department cannot be held solely responsible for operating risk management processes around individual spreadsheets.

Spreadsheets are designed, implemented, updated, tested (sometimes) and made operational by the owners and users of those spreadsheets. This is why spreadsheets are so prevalent, and this should not change. However, spreadsheet owners should be responsible for operating effective spreadsheet risk management processes.

The executive should define, on behalf of the business, what constitutes effective spreadsheet management processes. The executive also should ensure appropriate monitoring is put in place to ensure compliance with these processes.
It is important that organisations do not let responsibility for spreadsheet risk management fall between the gaps. The business side often considers spreadsheets to be IT's responsibility and removes them from the scope of any risk management work. The same goes for IT professionals, who often consider spreadsheets to be owned by the business side. Clearly, if nobody is taking responsibility for spreadsheet risk management, the executive has a problem.

The organisation can resolve this confusion by defining clear roles and responsibilities within the spreadsheet risk management operating environment.

The IT department may be able to provide solutions to assist with effective spreadsheet risk management. In this scenario, the IT department would become accountable for the effective operation of these solutions; therefore, the responsibility for effective risk management may be shared between the IT department and the spreadsheet owners.

In practice, co-operation between business and IT is critical to the operation of an effective spreadsheet risk management environment.

12. Why should we report on spreadsheet risk to senior management and the executive?

Creating a reporting process that demonstrates an effective spreadsheet risk management process is critical for the following reasons:
• It allows operational management and the executive to understand the key risks to the organisation, the significance of those risks and the work in progress to manage those risks.
• Better transparency of spreadsheet risk management drives better behaviour among operational personnel.
• Demonstration of effective risk management processes is critical for satisfying legislative requirements.

Failing to implement a discrete process for reporting on the effectiveness of the spreadsheet risk management environment is a missed opportunity. Ensuring there is transparency over the effectiveness of the whole operational risk management environment is a goal any organisation should look to achieve.

Many organisations already have some form of operational risk management reporting process in place. In these cases, the critical step is the integration of the spreadsheet risk management processes into the current assessment and reporting approach.

13. What should the risk responsibilities of a spreadsheet owner cover?

The spreadsheet owner should be responsible for the identification and assessment of operational risks that exist in the spreadsheets they own.

In fulfilling these responsibilities, the spreadsheet owner should be provided with guidance on what is expected and given access to the tools necessary to ensure their assessment of risks and controls is consistent with the rest of the organisation.

The spreadsheet owner should be responsible for the identification and operation of appropriate controls that mitigate the risk to an acceptable level. They also should be responsible for accepting spreadsheet risk within defined limits of authority. Limitations on the amount of risk they can accept should be agreed upon with senior management or the executive.

14. What should be the role of the IT department?

It has been emphasised that the spreadsheet owners are responsible for controlling the risks associated with their spreadsheets.

However, there is an assumption that the IT infrastructure relied upon by the spreadsheet owners is available and secure. This is the responsibility of the IT department. A lack of control over this infrastructure typically has an impact on the availability or security of spreadsheets (as well as a pervasive impact across other technology within the organisation).

When assessing the risks associated with a spreadsheet, the spreadsheet owner might choose to rely on the controls operated by the IT department. For example, a spreadsheet may be needed every day to process key transactions. The availability of the spreadsheet is therefore critical, and the spreadsheet owner will wish to establish that the spreadsheet will be available and can be recovered in the event of any problems. The owner will have to establish the effectiveness of these controls through interaction with the IT department.

Another example involves access to the spreadsheet. The spreadsheet owner may determine that the spreadsheet should be restricted to certain individuals. Therefore, IT may need to set up a storage location that has restricted access and ensure these restrictions are maintained unless further access has been authorised by the spreadsheet owner.

In both of the above examples, IT implements the required controls. However, these controls have been defined by the spreadsheet owner, who must assess the adequacy of these controls against the risks they are seeking to address.
15. What should be the role of operational risk departments?

Operational risk departments exist within many organisations. Typically, mature operational risk management frameworks already have been implemented and processes around these frameworks are well established and operating effectively. A risk management framework cannot be mature, however, if it does not consider all the risk to which the organisation is exposed.

Therefore, the challenge for the operational risk department is to ensure the risk framework encompasses and ensures effective spreadsheet risk management. One option is to incorporate the spreadsheet risk management policy into the overall risk framework. Doing so allows spreadsheet risk to be considered within an existing risk management governance structure, rather than considering spreadsheet risk management as an independent activity.

16. What should be the role of internal audit?

In many organisations, it is the responsibility of internal audit to provide a level of independent assurance to the executive that risk within the organisation is being managed effectively. Internal audit should focus on the spreadsheet risk management controls in operation. Typically, in organisations that are starting to review the effectiveness of spreadsheet risk management, the controls will be ineffective, necessitating gap analysis and remediation. If there are no overarching controls in operation, internal audit often can help get these issues on the executive's agenda.

Internal audit should in general avoid doing detailed testing of individual spreadsheets for integrity. Performing reviews of individual spreadsheets is likely to focus the organisation on resolving issues within individual spreadsheets rather than addressing the root cause of the problem: ineffective spreadsheet risk management controls. One-time integrity testing of individual spreadsheets is important to ensure they are operating as intended, but this testing does not necessarily need to be performed by internal audit.
Creating a library of critical spreadsheets
17. How do we measure risk?

Spreadsheet criticality is defined as the likely impact to the organisation of an error occurring in the spreadsheet. Ideally, any spreadsheet risk should be evaluated in terms of its likely financial impact. However, a financial quantification is often too complex to implement during the initial assessment of critical spreadsheets. Therefore, organisations have employed a more general scale for estimating likely impact. An example is provided below:
• Low: No key business decisions are made based on the information contained within the spreadsheet. Errors that occur would be of embarrassment or hindrance to those directly associated with the spreadsheet, but would have no real long-term impact on the business.
• Medium: An error in the spreadsheet or a delay in preparing the spreadsheet may result in significant loss to the business. Information contained in the spreadsheet may be sensitive and employees could exploit the information if they had access to it.
• High: An error in the spreadsheet or a delay in preparing the spreadsheet may result in a material loss to the business. Information contained in the spreadsheet is highly sensitive and inappropriate disclosure could be exploited by markets or competitors, or could be in breach of legislation (e.g. the UK Data Protection Act, or the US Health Insurance Portability and Accountability Act or Gramm-Leach-Bliley Act).

To determine which spreadsheets pose the highest risk within the organisation, the inherent risk of a spreadsheet must be assessed. Inherent risk is defined as: 'The risk to an organisation in the absence of any actions management might take to alter either the risk's probability or impact' (Institute of Internal Auditors). A spreadsheet's inherent risk is, therefore, a combination of its criticality (impact) to the organisation and the inherent likelihood of error in the spreadsheet, which is derived from a combination of the complexity and the design of the spreadsheet.

To determine the complexity of a spreadsheet, the following key characteristics should be reviewed:
• Spreadsheet size.
• Complexity of formulas.
• Volume of linkages to other cells, tabs and spreadsheets.
• Volume of data.
• Existence of Visual Basic code.

This can be a time-consuming process for large spreadsheets, but software tools can automatically scan spreadsheet files and produce a score based on a predefined scale of complexity.

However, the likelihood of error involves spreadsheet design as well as complexity. Assessing design involves reviewing each spreadsheet in turn and identifying characteristics of bad design that could increase a spreadsheet's likelihood of error. Examples of bad design include hard-coding of numbers or assumptions into formulas, and inconsistent or overwritten formulas within a column or row, both of which result in a higher likelihood of error.
Calculatingtheinherentriskofspreadsheetsallowstheorganisationtofocusanysubsequenteffortonthosespreadsheetswiththehighestrisk.Aneffectivewaytoillustratethespreadsheetriskprofileistheuseofariskmap.Figure1showsasimpleexampleofariskmap:
Thebusinessshouldfocusmostofitseffortsonthespreadsheetswithahighcriticalityandhighlikelihoodoferror,asshowninbrowninFigure1.However,itisimportantthattheorganisationdoesnotignorespreadsheetswithlowlikelihoodoferrorbuthighcriticality.Someofthesespreadsheetsmayneedtobecontrolled,astheoccurrenceofanerrorcouldhaveasignificantimpactontheorganisation.SuchspreadsheetsareshowncircledinthetopleftofFigure1.
Eventhesimplestspreadsheetsoftencontainerrors,asisillustratedbythebudgetingexampleinQuestion3.Inourexperience,simplespreadsheetsareoftensubjecttoverylimitedornotestingandasaresult,areoftenmorepronetosignificanterrorsthancomplexspreadsheets,whichmaybemorethoroughlytested.
Figure 1: Simple example of a spreadsheet risk map (horizontal axis: Likelihood of error; vertical axis: Criticality; key: Spreadsheet; ten spreadsheets, numbered 1 to 10, are plotted on the map; the image itself is not reproduced here).
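The scoring described in Question 17 (criticality combined with a likelihood of error derived from complexity and design) can be made repeatable across an inventory. The following is an added example, not a method or tool from the guide: it scores constructed spreadsheet profiles, ranks them by inherent risk and places each one in a Figure 1 style quadrant. The complexity thresholds, the 1 to 5 likelihood band and the equal weighting of the factors are assumptions an organisation would calibrate itself.

```python
"""Inherent-risk scoring for a spreadsheet inventory (added example, not from the guide)."""
from dataclasses import dataclass, field

# Question 17 impact scale mapped to numbers (mapping is an assumption)
CRITICALITY = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class SpreadsheetProfile:
    name: str
    criticality: str               # "Low" / "Medium" / "High"
    cells: int                     # spreadsheet size
    max_formula_depth: int         # nesting depth of the most complex formula
    external_links: int            # linkages to other tabs/workbooks
    data_rows: int                 # volume of data
    has_vba: bool                  # existence of Visual Basic code
    design_flags: list = field(default_factory=list)  # e.g. "hard-coded", "inconsistent-formula"


def complexity_score(p: SpreadsheetProfile) -> int:
    """Complexity on a 0..5 scale; one point per characteristic over an assumed threshold."""
    score = 0
    score += 1 if p.cells > 5000 else 0
    score += 1 if p.max_formula_depth >= 3 else 0
    score += 1 if p.external_links > 0 else 0
    score += 1 if p.data_rows > 1000 else 0
    score += 1 if p.has_vba else 0
    return score


def likelihood_of_error(p: SpreadsheetProfile) -> int:
    """Likelihood 1..5: complexity plus one point per bad-design characteristic, capped."""
    return max(1, min(5, complexity_score(p) + len(p.design_flags)))


def inherent_risk(p: SpreadsheetProfile) -> int:
    """Inherent risk = criticality (impact) x likelihood of error, with no controls considered."""
    return CRITICALITY[p.criticality] * likelihood_of_error(p)


def risk_map_cell(p: SpreadsheetProfile) -> str:
    """Quadrant on a Figure 1 style map."""
    high_crit = CRITICALITY[p.criticality] == 3
    high_like = likelihood_of_error(p) >= 3
    if high_crit and high_like:
        return "focus"                 # the brown area of Figure 1
    if high_crit:
        return "control-candidate"     # circled top-left: low likelihood, high criticality
    return "monitor" if high_like else "low"


def prioritise(profiles):
    """Highest inherent risk first."""
    return sorted(profiles, key=inherent_risk, reverse=True)


# Constructed sample inventory (not real spreadsheets)
SAMPLE_INVENTORY = [
    SpreadsheetProfile("group_consolidation.xlsm", "High", 120000, 5, 8, 15000, True, ["hard-coded"]),
    SpreadsheetProfile("fx_rates_feed.xlsx", "High", 400, 1, 0, 50, False, []),
    SpreadsheetProfile("team_holidays.xlsx", "Low", 300, 1, 0, 40, False, ["inconsistent-formula"]),
]

if __name__ == "__main__":
    for p in prioritise(SAMPLE_INVENTORY):
        print(f"{p.name:28} inherent={inherent_risk(p):2}  map={risk_map_cell(p)}")
```

Note that the small, simple `fx_rates_feed.xlsx` lands in the "control-candidate" quadrant purely because of its criticality, which is the case the text warns against ignoring.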
18. How do we start to identify the potentially critical spreadsheets?
There are a number of ways to start the process of identifying the critical spreadsheets, including:
• Automated scanning tools.
• Questionnaires.
• Process documentation (where available).
• Interviews or workshops.
The best way to start is usually by performing an automated scan of the network to identify potential spreadsheets. This will quickly identify any potentially complex spreadsheets in use as well as parts of the business most reliant on spreadsheets.
However, the most effective way of identifying critical spreadsheets is to hold discussions with key individuals, process owners and department heads. Any initiative to implement an effective spreadsheet risk management model should start with the areas perceived to be the most dependent on spreadsheets, have significant operational importance, or have had previous spreadsheet incidents.
When discussing the spreadsheets individuals are dependent on, it is often useful to start from the premise that dependent spreadsheets are those that, if deleted, would either take too long to re-create (in some cases, just one hour redeveloping a spreadsheet can be too long) or could not be re-created at all. The output of an automated scan also can be helpful when holding these discussions to ensure all complex spreadsheets currently in use are discussed.
The next stage is to identify the spreadsheets that, if inaccurate, would have a negative impact on the organisation. This can be a challenge, as the individual will want to consider other controls in operation that mitigate the risk. However, it is important that the individual focuses on potential financial impact in the context of inherent risk (i.e. without controls). This is so that the organisation can ensure that, when the assessment of controls is performed later in the process, either the controls fully mitigate the inherent risk or the residual risk is understood and accepted.
19. Which parts of the organisation can have the greatest dependency on critical spreadsheets?
The functions/divisions that are most dependent will vary by organisation. There are, however, some key risk indicators (KRIs) that can be used to quickly prioritise efforts on parts of the organisation that most likely have an increased dependency on spreadsheets. These indicators include:
• A high volume of spreadsheets, rather than formal applications, are known to support critical processes.
• Spreadsheets are used to manipulate data prior to input into an application, or after output.
• Known incidents, including error or actual financial losses, have occurred as a result of spreadsheets.
• Spreadsheets are used as interfaces between systems.
• Calculations are performed in spreadsheets because they are too complex to be performed in systems.
• Processes or transactions change to meet market requirements (this often indicates that core applications cannot support changing business requirements as well as spreadsheets can).
In addition, finance and ‘front office’ functions are often users of critical spreadsheets due to the nature of the roles they perform.
20. How can we ensure that we identify all potentially critical spreadsheets?
It is not possible to be completely sure that all critical spreadsheets have been identified, but an organisation can scan the file servers for all spreadsheet files. Typical searches can reveal millions of spreadsheets, many old and obsolete. Simple analysis can help focus on the potentially critical spreadsheets. In considering any such analysis, organisations should be aware that cost-effective tools exist that automate a large part of the work and greatly decrease the time and effort required.
Analysis should be performed on the ‘last modified’ date to identify spreadsheets that have been active in the last six months (or 12 months, depending on the organisation’s risk appetite). Analysis could then focus on the spreadsheets that exceed a certain size (larger spreadsheets are typically more complex and therefore often have a higher inherent risk). It is also worth trying to identify whether multiple spreadsheets are actually different versions of the same spreadsheet, where a user regularly saves the spreadsheet with a different date or version number. Many of the leading automated scanning tools automatically take these factors into account.
For discussions with users regarding their critical spreadsheets, it is useful as a completeness check to have a list of spreadsheets the users are currently recorded as owning and have recently used. During these discussions, it is often discovered that some spreadsheets are being used as workarounds for systems or reports that do not meet the needs of the business. Information regarding workarounds for ineffective systems is worth capturing, as it can be fed into the change/enhancement processes for these systems.
The other common type of critical spreadsheet is one that forms part of the control environment around the core business process (e.g. a spreadsheet containing control totals, checks or reconciliations). These spreadsheets are important as they are being relied upon to identify potential errors in these core business processes.
Simple spreadsheets used to record personal information should not be overlooked. These spreadsheets are not likely to be deemed critical to the organisation, but access may need to be tightly controlled in order to meet privacy standards in many countries.
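The three filters Question 20 describes for narrowing a file-server scan (recent ‘last modified’ date, file size, and collapsing files that are only successive versions of one spreadsheet) are straightforward to script. The block below is an added example, not the guide’s or any scanning vendor’s code: it walks a directory tree, keeps spreadsheets touched within the active window, groups version-named copies and reports the latest copy of each group that exceeds a size threshold. The six-month window follows the guide’s illustration; the 50 KB size threshold and the version-suffix pattern are assumptions. The fixture it builds is constructed sample data.

```python
"""Narrow a file-server scan to potentially critical spreadsheets (added example)."""
import os
import re
import tempfile
import time
from collections import defaultdict

SPREADSHEET_EXT = {".xls", ".xlsx", ".xlsm", ".xlsb"}
# Assumed naming convention: strips trailing dates/version markers such as
# "_2008-03", " v3", "_final2", "(2)" so copies of one spreadsheet group together.
VERSION_SUFFIX = re.compile(
    r"([ _-]*(v|ver|version)?\s*\d+([._-]\d+)*|[ _-]*\(\d+\)|[ _-]*(final|old|copy)\d*)+$",
    re.IGNORECASE,
)


def base_name(filename: str) -> str:
    """Logical spreadsheet name with version/date suffixes removed."""
    stem = os.path.splitext(filename)[0]
    return VERSION_SUFFIX.sub("", stem).strip(" _-").lower() or stem.lower()


def scan(root, active_days=183, min_size_bytes=50_000, now=None):
    """Return candidate spreadsheets: active within the window, one per logical name, above size."""
    now = time.time() if now is None else now
    cutoff = now - active_days * 86400
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() not in SPREADSHEET_EXT:
                continue
            path = os.path.join(dirpath, f)
            st = os.stat(path)
            if st.st_mtime < cutoff:
                continue  # obsolete: not modified within the active window
            groups[base_name(f)].append((path, st.st_size, st.st_mtime))
    candidates = []
    for key, versions in groups.items():
        versions.sort(key=lambda v: v[2], reverse=True)   # most recent version first
        latest_path, size, _ = versions[0]
        if size >= min_size_bytes:
            candidates.append({"name": key, "path": latest_path, "size": size, "versions": len(versions)})
    return sorted(candidates, key=lambda c: c["size"], reverse=True)


def build_fixture(root, now):
    """Constructed sample share: three dated versions of one budget model, a large
    consolidation, a small contact list, an obsolete model and a non-spreadsheet file."""
    day = 86400
    files = {
        "finance/budget_2008-01.xlsx": (80_000, now - 200 * day),   # outside the window
        "finance/budget_2008-02.xlsx": (82_000, now - 120 * day),
        "finance/budget_2008-03.xlsx": (85_000, now - 10 * day),
        "finance/consolidation v3.xlsm": (900_000, now - 5 * day),
        "hr/contacts.xlsx": (4_000, now - 3 * day),                  # below size threshold
        "archive/old_model.xls": (500_000, now - 700 * day),         # obsolete
        "notes.txt": (100, now),
    }
    for rel, (size, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))


def demo():
    """Build the fixture in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="sheetscan_")
    now = time.time()
    build_fixture(root, now)
    return scan(root, now=now)


if __name__ == "__main__":
    for c in demo():
        print(f"{c['name']:15} {c['size']:>8} bytes  versions={c['versions']}  {c['path']}")
```

The per-group version count is worth keeping in the inventory: a spreadsheet saved under a new date every month is a strong sign of a live, regularly prepared file, and the older copies are the obsolete population the text mentions.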
21. What about spreadsheets that have links to other spreadsheets?
The organisation needs to ensure that any dependencies between spreadsheets are identified and recorded. (It is possible to link spreadsheets together by referencing cells in another spreadsheet or through Visual Basic code created in a spreadsheet.)
If a spreadsheet is critical, but also dependent on the accuracy of information contained in another spreadsheet, the organisation needs to record the spreadsheet that is providing input. Discussions with individuals often will identify only the top-level spreadsheet. However, this top level may be dependent upon a network of sub-spreadsheets. It is not uncommon to observe multiple layers of linked spreadsheets.
Tools exist that automatically identify any spreadsheets that feed information to a selected spreadsheet; they also can search Visual Basic code for key function names. This is essentially a completeness check, but a very important one, in that it can ensure all critical spreadsheets have been recorded. Generally, a spreadsheet that provides information to a separate critical spreadsheet will itself be critical. The information collated can be used to create a map or diagram that is useful to illustrate the dependencies and data architecture.
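The multi-layer dependency problem in Question 21 is a graph walk. The following added example (not the guide’s own tooling) extracts external workbook references from formula text using Excel’s `'[Workbook.xlsx]Sheet'!A1` syntax, builds a feeds-into graph and walks it transitively so that every sub-spreadsheet behind a critical top-level spreadsheet is recorded as critical. The workbook names and formulas are constructed sample data; a real inventory would obtain the formula text from the files themselves.

```python
"""Trace the network of spreadsheets feeding a critical spreadsheet (added example)."""
import re
from collections import deque

# The [workbook] part of an external reference, with or without a path prefix
EXTERNAL_REF = re.compile(r"\[([^\]]+\.xls[xmb]?)\]", re.IGNORECASE)

# Constructed inventory: workbook -> formulas found in its cells
SAMPLE_FORMULAS = {
    "GroupPnL.xlsx": [
        "=SUM('[RegionNorth.xlsx]Summary'!B2:B20)",
        "='C:\\Finance\\[RegionSouth.xlsx]Summary'!B2",
        "=A1*B1",
    ],
    "RegionNorth.xlsx": ["='[FxRates.xlsx]Rates'!C3*D4"],
    "RegionSouth.xlsx": ["='[FxRates.xlsx]Rates'!C3*D4", "='[Headcount.xlsx]HR'!E9"],
    "FxRates.xlsx": ["=B2/B3"],
    "Headcount.xlsx": ["=COUNTA(A:A)"],
    "TeamLunch.xlsx": ["='[Headcount.xlsx]HR'!E9"],   # reads a shared feed but is not critical
}


def extract_feeders(formulas):
    """Workbook names referenced by a list of formulas, deduplicated in order of appearance."""
    found = []
    for f in formulas:
        for name in EXTERNAL_REF.findall(f):
            if name not in found:
                found.append(name)
    return found


def build_graph(inventory):
    """{workbook: [workbooks it reads from]}"""
    return {wb: extract_feeders(fs) for wb, fs in inventory.items()}


def upstream(graph, start):
    """Every spreadsheet that directly or indirectly feeds `start`, with its layer depth.
    Breadth-first with a seen-set, so circular links terminate."""
    depth = {}
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        wb, d = queue.popleft()
        for feeder in graph.get(wb, []):
            if feeder not in seen:
                seen.add(feeder)
                depth[feeder] = d + 1
                queue.append((feeder, d + 1))
    return depth


def propagate_criticality(graph, critical):
    """A spreadsheet providing information to a critical spreadsheet is itself critical."""
    result = set(critical)
    for wb in critical:
        result.update(upstream(graph, wb))
    return result


if __name__ == "__main__":
    g = build_graph(SAMPLE_FORMULAS)
    for wb, layer in sorted(upstream(g, "GroupPnL.xlsx").items(), key=lambda kv: kv[1]):
        print(f"layer {layer}: {wb}")
    print("critical set:", sorted(propagate_criticality(g, {"GroupPnL.xlsx"})))
```

The depth value is what a dependency diagram would show as layers; `FxRates.xlsx` sits two layers below the top-level P&L and would be missed by a discussion that only surfaced `GroupPnL.xlsx`.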
Implementing a spreadsheet control framework
22. What is a spreadsheet control framework and why is it important?
A spreadsheet control framework is the structure an organisation implements to define the spreadsheet risks and the associated controls that should be considered.
A control framework:
• Ensures minimum standards are clearly documented and consistently communicated.
• Identifies standard risks and controls that critical spreadsheets in the organisation can be measured against.
• Provides the opportunity to re-evaluate the minimum standards and ensure amendments to executive or legislative requirements can be incorporated centrally into the framework and rolled out across the organisation.
The effective implementation of a spreadsheet control framework should be assessed through management assurance processes or through independent evaluation (e.g. by internal audit).
23. What are the typical key components of a spreadsheet control framework?
The control framework should identify the key organisation-level risks that spreadsheets are required to be assessed against, such as financial, reputational and regulatory. Control objectives should be defined against each of these high-level risks.
Given the similarities between spreadsheet development and application development, it is appropriate to leverage an industry-recognised IT control framework. By using existing frameworks, the organisation can select the control objectives that apply, but also provide a level of assurance that all possible areas of risk and control have been considered. One framework to consider using is Control Objectives for IT, or CobiT.
The reason for having control objectives is that spreadsheet owners can assess each of the high-level risks for their spreadsheets and then assess how the current controls achieve the associated control objectives.
Some of the control objectives may be deemed mandatory or key, and should be defined clearly in the spreadsheet policy (e.g. spreadsheet security). For other control objectives not classified as mandatory, the ultimate decision about which objectives apply may be left to the spreadsheet owner. The control objectives that apply will depend on the level of risk and the criticality of the spreadsheet.
A typical set of controls that could be incorporated into the framework are suggested below. The extent to which these controls must be applied will vary on a case-by-case basis:
• Access control: Defining and maintaining appropriate user access rights and restrictions, including segregation of duties where applicable.
• Backups: Backup of spreadsheets and data to ensure continuity and availability.
• Change control: Controlling changes that are made to the spreadsheet, including adequate testing and documentation of changes.
• Data input validation: Ensuring completeness and accuracy of data inputs.
• Data integrity and security: Preventing unauthorised modification of the spreadsheet and protecting sensitive cells from accidental change or deliberate manipulation.
• Development control: Controlling the development process, testing and deployment of new spreadsheets.
• Documentation: Appropriate documentation maintained to describe the owner, business objectives, functions, change history, assumptions, external links and any other relevant information. This would extend to documenting macros or Visual Basic code if applicable.
• Independent review: Documented independent review of spreadsheet logic and changes.
• Version control: Ensuring that only the current version of the spreadsheet is used, and specific previous versions can be retrieved or re-created if required.
The IT Governance Institute, in its ‘IT Control Objectives for Sarbanes-Oxley, 2nd Edition’, provides a set of illustrative key controls for end-user computing, which includes spreadsheets. These controls consist of:
• Existence of and adherence to policies and procedures.
• Documentation and regular integrity review of end-user computing applications.
• Backup and secure storage of applications and data.
• Security to prevent unauthorised access.
• Independent verification to ensure completeness and accuracy of inputs, processing and outputs.
The guide also provides a sample approach for spreadsheets, consisting of the following three stages:
• Create an inventory of spreadsheets involved in the financial reporting process.
• Perform a risk assessment (impact and likelihood) of financial statement error.
• Implement and assess spreadsheet controls.
Although this approach is designed for Sarbanes-Oxley, it is consistent with Protiviti’s approach to spreadsheet risk management, which can be applied regardless of risk management objectives and nature of spreadsheet usage.
24. When is a spreadsheet not fit for purpose?
In certain scenarios spreadsheets can be too complex, in which case the organisation should consider migration of the spreadsheet into a structured application controlled by the IT department.
Example scenarios in which this option should be considered include:
• The spreadsheet contains master data used to feed calculations and reports.
• The spreadsheet makes use of a large amount of Visual Basic code.
• There are multiple users of the same spreadsheet.
• The spreadsheet is used as an interface between two systems.
• The spreadsheet is slow and often requires regular restarting.
Transitioning the spreadsheet into a more formal application development environment will significantly reduce the risk. The cost/benefit of this action will need to be assessed. While the overall risk profile is reduced, there may be a significant cost associated with the development and ongoing maintenance of such an application.
Assessing spreadsheet controls and current risk exposure
25. Do we need to assess the controls in operation across all our spreadsheets?
It is not usually necessary to assess controls across all spreadsheets in use. However, the extent to which testing is required will depend on the level of risk the organisation is willing to accept. Typically, spreadsheets with a low level of inherent risk (see Question 17 for more information on risk assessment approaches) are generally not incorporated into a formal spreadsheet risk management model. For these lower-risk spreadsheets, we recommend that spreadsheet owners are made aware of their responsibilities toward spreadsheet risk management, but that the organisation does not require them to perform formal risk and control assessments on their spreadsheets.
26. How do we consistently assess controls across spreadsheets?
Consistent spreadsheet control assessment is facilitated by having an effective spreadsheet control framework against which each spreadsheet risk can be assessed. Further guidance on the key requirements of a spreadsheet control framework is provided in response to Question 23. Key aspects of control that need to be considered include: design standards, change management controls, baseline integrity testing performed, documentation retained, access controls and controls over backup.
Key aspects of the overall control environment are likely to be dependent on IT. In particular, IT is likely to be responsible for general controls over access to the network and backup of the network. The assessment of these controls should be performed centrally and reflected in the spreadsheet risk management policy and guidelines.
However, the spreadsheet owner will still need to take responsibility for defining the specific access rights for the spreadsheet. The spreadsheet owner also will need to assess whether the service levels offered by IT and the standard backup/restore processes meet the requirements of the business.
Figure 2 shows a typical split between individual spreadsheet testing and pervasive IT testing. The use of technical management solutions can increase the ability to pervasively or centrally test spreadsheet controls (see the section ‘Technology enabling effective spreadsheet risk management’).
Figure 2: Split between spreadsheet owner-managed controls and pervasive IT-dependent controls (text of the figure; the image is not reproduced here)
Spreadsheet owner-managed controls:
• Design methods.
• Initial testing (baselining).
• Change management controls.
• Documentation.
• Spreadsheet passwords.
• Definition of access requirements of network folder.
A separate assessment of control requirements should be performed for each individual spreadsheet. This is likely to be performed by the spreadsheet owner.
Spreadsheet risk management policy should provide guidance on aspects of control that need to be assessed by each spreadsheet owner.
Spreadsheet risk management policy
Pervasive IT-dependent controls:
• Network security.
• Network change management.
• Backup and restore.
• IT disaster recovery.
Tested on an annual basis by a central team (potentially as part of an existing compliance process or internal audit programme).
Spreadsheet risk management policy defines requirements of spreadsheet owners, reflecting observations made when performing review of general controls.
The organisation must ensure the assessments are performed by a person with the appropriate skills. If assessment is done by the spreadsheet owners, it is essential that they consistently and effectively assess the controls in operation around their spreadsheets. Many successful projects to implement a spreadsheet risk management framework have employed a central team of experts to provide guidance, training and review on the assessments performed by individual spreadsheet owners.
27. How do we assess whether the controls are effective?
The first step of any assessment is to ensure the controls in operation achieve the minimum control standards defined in the spreadsheet control framework. Having achieved compliance with the minimum control standards, consideration should be given to any other controls that have been implemented. The identification and assessment of controls should use the spreadsheet control framework to ensure the assessment considers all risks and controls and is performed consistently across the organisation.
The next step is to understand the level of residual risk the organisation is exposed to with the controls currently in operation. Residual risk is an assessment of the expected impact and likelihood of error after all risk-related actions have been implemented (e.g. controls or transfer of risk). The residual risk can be determined by considering both the impact of the spreadsheet to the organisation and the likelihood of error.
Impact: The spreadsheet owner will need to assess the potential financial impact or consequence of an error arising in the spreadsheet over the next 12 months – hence, the criticality to the organisation. If there are other controls in place that would limit the potential impact – for example, reconciliations that would detect an error – these should be taken into account, whether or not they are independent of the spreadsheet.
Likelihood of error: Determined by a combination of the complexity and design quality of the spreadsheet. See the response to Question 17 for further information.
If the calculated residual risk is above that acceptable to the organisation, the controls are inadequate. Then, remediation activities will need to be instigated to improve controls or reduce the spreadsheet’s likelihood of error – for example, through redevelopment of the spreadsheet.
28. Can different approaches be taken to resolve any control issues?
There are many different approaches that can be adopted to reduce residual risk to an acceptable level. The spreadsheet risk management framework should provide guidance and provide examples. A prescriptive approach rarely works. The spreadsheet owner will need to assess the potential risk and the control objectives, and then put in place appropriate controls.
By way of an example, any spreadsheet risk management policy is likely to state that access to the spreadsheet should be restricted to appropriate users. One approach may be to add a password to the file, utilising the basic security features of Excel. This provides only a basic level of control as passwords are shared and rarely changed and repeat attempts are allowed.
Another approach (potentially additional to the Excel password) is to set up a directory on the network and grant access to a defined list of users. This should provide a higher level of control, as user accounts are managed centrally and better password standards can be applied. However, under this model all users with access to the spreadsheet do have the same level of access.
Another option is to make use of spreadsheet control software (see the section ‘Technology enabling effective spreadsheet risk management’). Such tools can provide greater flexibility, allowing user- or role-based access and segregation of duties in the spreadsheet to be enforced. These tools also provide an audit trail of actions users have performed.
The spreadsheet owner will need to decide what level of control is required, taking into account any requirements of the spreadsheet risk management policy. A basic password may be adequate for some spreadsheets that do not contain sensitive data and only have a few users. This will not, however, be sufficient in many cases.
29. How can we identify common control issues across the organisation?
One of the benefits of implementing a consistent spreadsheet control environment across the organisation is that it is easier to identify common control issues. To gain this benefit, controls identified should be recorded against control objectives within the framework. The same should be done for any planned actions that are raised to reduce residual risk to an acceptable level. By linking actions to control objectives, the organisation is able to analyse where significant control gaps exist.
The actions typically will be tactical solutions implemented locally within the organisation. At this stage there is an opportunity for the organisation to review these tactical solutions and determine if there is a more strategic solution that would ultimately be more cost-effective to the organisation as a whole.
30. How do we ensure that control issues are resolved and closed within an acceptable time frame?
For every control issue or deficiency identified as part of the spreadsheet review, action plans and responses should be developed and documented. Action owners also should be assigned with responsibility for ensuring that actions are delivered by the agreed close date. When the action is closed, the risk should be re-evaluated and a revised residual risk level recorded.
A process needs to be put in place to ensure all actions are resolved on a timely basis. This will be most effective when it forms part of the existing issues tracking/reporting system monitored by an appropriate group (e.g. internal audit, compliance, risk).
A clear escalation policy should be defined to assist action owners where support is required and ensure they are motivated to resolve issues on a timely basis. Long-overdue actions should be escalated through the chain of command. There are instances where slippage is attributable to unavoidable operational reasons, but too often these are used to justify not addressing known control issues. Ironically, it is often the case that control issues are the root cause of continued operational incidents.
31. Who is responsible for accepting the residual risk that exists within a spreadsheet?
A process needs to be implemented to ensure that appropriately qualified and authorised employees are accepting risk on behalf of the organisation. Spreadsheet owners may be accepting significant risk associated with their spreadsheets rather than implementing appropriate action plans.
Defining levels of risk authority means that any residual risk above defined levels will need to be escalated to a higher-level authority within the organisation; for example, a residual risk level of £100,000 or below can be accepted by the spreadsheet owners, while a risk level of more than £100,000 and less than £500,000 needs to be escalated to the department head.
There is a danger that this approach will encourage spreadsheet owners to underestimate the level of risk associated with their spreadsheets. Therefore, it is important that spreadsheet risk evaluations are reassessed by skilled professionals – through the involvement of internal audit, for example.
An option that has worked for some organisations is defining and applying authority limits based on the inherent risk, not the residual risk. This should ensure that any high-risk spreadsheet is subject to some form of independent review and sign-off. See the response to Question 17 for more information on assessing inherent risk.
There is also an argument for emphasising to spreadsheet owners that if they significantly underestimate that risk and incidents associated with their spreadsheet occur, that underestimation will be considered a major failing in their personal risk management performance as well as that of their department. Any effective compliance programme should look for evidence of this type of behaviour.
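Questions 27 and 31 together describe a residual-risk figure (12-month financial impact, reduced by compensating controls such as reconciliations, combined with likelihood of error) and authority limits that decide who may accept it. The block below is an added example and not the guide’s own method: it computes inherent and residual exposure for a constructed assessment and returns the required approver under both of the options the guide mentions, limits based on residual risk and limits based on inherent risk. The £100,000 and £500,000 thresholds are the guide’s illustration; the probability attached to each likelihood band, the detection-rate model for compensating controls and the ‘executive’ tier above £500,000 are assumptions.

```python
"""Residual-risk calculation and risk-acceptance authority (added example, not from the guide)."""
from dataclasses import dataclass

# Assumed: Question 17 style likelihood band (1..5) -> annual probability of a material error
LIKELIHOOD_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.30, 4: 0.50, 5: 0.75}

# Authority limits from Question 31 (GBP); the top tier is an assumption
AUTHORITY_LIMITS = [
    (100_000, "spreadsheet owner"),
    (500_000, "department head"),
    (float("inf"), "executive (assumed tier)"),
]


@dataclass
class RiskAssessment:
    name: str
    gross_impact_gbp: float      # consequence of an undetected error over the next 12 months
    likelihood_band: int         # 1..5 inherent likelihood of error (complexity + design)
    detection_rate: float = 0.0  # share of errors compensating controls would catch, 0..1 (assumed model)


def inherent_exposure(a: RiskAssessment) -> float:
    """Expected loss with no controls: impact x probability of error."""
    return a.gross_impact_gbp * LIKELIHOOD_PROBABILITY[a.likelihood_band]


def residual_exposure(a: RiskAssessment) -> float:
    """Expected loss after controls: only errors the controls miss cause the impact."""
    if not 0.0 <= a.detection_rate <= 1.0:
        raise ValueError("detection_rate must be between 0 and 1")
    return inherent_exposure(a) * (1.0 - a.detection_rate)


def approver(exposure_gbp: float) -> str:
    """Lowest authority level whose limit covers the exposure."""
    for limit, role in AUTHORITY_LIMITS:
        if exposure_gbp <= limit:
            return role
    raise AssertionError("unreachable: last limit is infinite")


def sign_off(a: RiskAssessment, base_on_inherent: bool = False) -> dict:
    """Who must accept the risk. Basing limits on inherent risk (the option in Question 31)
    stops a low residual figure from keeping a high-risk spreadsheet out of independent review."""
    exposure = inherent_exposure(a) if base_on_inherent else residual_exposure(a)
    return {"name": a.name, "exposure_gbp": round(exposure, 2), "approver": approver(exposure)}


# Constructed sample: a critical model whose owner credits reconciliations with catching 90% of errors
SAMPLE = RiskAssessment("treasury_positions.xlsx", gross_impact_gbp=2_000_000, likelihood_band=4, detection_rate=0.9)

if __name__ == "__main__":
    print("residual-based:", sign_off(SAMPLE))
    print("inherent-based:", sign_off(SAMPLE, base_on_inherent=True))
```

On the constructed figures the same spreadsheet is self-acceptable by its owner under residual-based limits (about £100,000) but needs the top tier under inherent-based limits (£1,000,000), which is exactly the underestimation exposure the text is concerned about: the owner’s own estimate of the detection rate is what pulls the figure under the threshold.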
Gaining assurance over critical spreadsheets
32. How can the organisation ensure that spreadsheet owners are appropriately managing spreadsheet risk?
There are a number of options the organisation can employ.
The first focuses on individual spreadsheets. Through the assessment of inherent risk, the organisation is able to list its most critical spreadsheets. For each of the most critical spreadsheets, the organisation should consider an independent review of all aspects of the spreadsheet owner’s responsibilities. This should include the operation of key controls for the spreadsheet and a review of the risk assessments performed by the spreadsheet owner. Independent review should be performed by experienced professionals. Such a review could be performed by a specialist team, internal audit or a third-party organisation.
An alternative approach is identifying a basic set of key controls from the spreadsheet control framework that should be implemented in all spreadsheets. Some form of testing then will be performed, whether as part of a self-assessment process or as part of an independent review. This approach provides a level of assurance to the executive that at least the minimum control standards are being achieved across all key spreadsheets. This approach does not necessarily look at the responsibilities of the spreadsheet owner, but focuses on the controls in operation. This tends to be the approach taken by most organisations as they improve their overall spreadsheet risk management environment.
Other potential options are considered in response to Question 37.
33. Where controls have been deficient, how can we rely on the integrity of the spreadsheet?
This can be one of the biggest issues within spreadsheet risk management. When a spreadsheet’s controls have been evaluated as ineffective, the organisation cannot rely on the integrity of that spreadsheet until it has been tested and an adequate control environment established.
The introduction of controls alone will not mean that a spreadsheet is complete and accurate. Implementing controls will reduce the risk that new errors are introduced going forward. However, if the spreadsheet is inaccurate when the controls are first implemented, it will remain inaccurate. Therefore testing is required to obtain assurance that critical spreadsheets have integrity.
The testing of a spreadsheet can appear daunting or even impossible. However, there are techniques that can be employed to provide a reasonable level of assurance at minimum cost.
Before these techniques are discussed, it is worth noting that any spreadsheet containing Visual Basic code or macros should be subject to more formal application development testing of the code.
Spreadsheet testing/auditing tools (see section ‘Technology enabling effective spreadsheet risk management’) are available that will help to perform analysis of formulas, spreadsheet links and data. The output from these tools should be analysed and any anomalies investigated with the spreadsheet owner. Although these tools cannot completely automate the testing of spreadsheets, they make the process considerably more efficient and facilitate tests that would be impractical to perform manually.
For the most critical spreadsheets, this mechanical process will not be sufficient. Other options include performing sensitivity testing, changing key parameters and predicting the impact of these changes on the spreadsheet. This can be an effective final step to check that the spreadsheet appears to be functioning correctly. Sensitivity analysis alone, however, will not be sufficient to identify all potential errors.
There also may be significant benefit to building check totals into the spreadsheet to identify potential issues early. Ultimately, the spreadsheet owner must confirm that someone has checked the accuracy of the spreadsheet and that it is operating as expected.
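The two baseline techniques in Question 33, sensitivity testing and built-in check totals, are shown end to end below. This is an added example and not the guide’s own procedure: the ‘spreadsheet’ is a small constructed cell model evaluated in Python, containing one of the bad-design characteristics from Question 17 (a profit formula overwritten by a hard-coded number). A sensitivity test on revenue passes, the check total agrees at the baseline figures, and only re-running the check total after the sensitivity change exposes the overwritten cell, which illustrates why neither technique alone is sufficient.

```python
"""Baseline integrity testing: check totals and sensitivity tests (added example, not from the guide)."""


def evaluate(cells):
    """Evaluate a tiny cell model. Plain values are constants; callables are formulas that
    read already-resolved cells. Repeats passes until every cell resolves; a cell that can
    never resolve (circular reference) raises ValueError."""
    resolved = {}
    pending = dict(cells)
    while pending:
        progress = False
        for ref, content in list(pending.items()):
            if not callable(content):
                resolved[ref] = content
            else:
                try:
                    resolved[ref] = content(resolved)
                except KeyError:
                    continue  # a dependency is not resolved yet; try again next pass
            del pending[ref]
            progress = True
        if not progress:
            raise ValueError(f"circular or unresolved references: {sorted(pending)}")
    return resolved


def budget_model(units, price_per_unit, cost_per_unit, overhead):
    """Constructed sales budget. C4 reproduces a common defect: the profit formula was
    overwritten with a hard-coded number that happened to be right at the time."""
    return {
        "B1": units, "B2": price_per_unit, "B3": cost_per_unit, "B4": overhead,
        "C1": lambda c: c["B1"] * c["B2"],              # revenue
        "C2": lambda c: c["B1"] * c["B3"],              # cost of sales
        "C3": lambda c: c["B4"],                        # overhead
        "C4": 52_000,                                   # profit (should be =C1-C2-C3)
        "D1": lambda c: c["C1"] - c["C2"] - c["C3"],    # built-in check total for C4
    }


def check_totals(resolved, pairs, tolerance=0.005):
    """Each (reported, check) pair must agree; returns the failures as (reported, check, a, b)."""
    return [(r, k, resolved[r], resolved[k]) for r, k in pairs
            if abs(resolved[r] - resolved[k]) > tolerance]


def sensitivity_test(build, base_kwargs, parameter, factor, output, expected_factor, tolerance=0.005):
    """Change one key parameter, predict how `output` should move, compare with the model."""
    base = evaluate(build(**base_kwargs))[output]
    changed = dict(base_kwargs, **{parameter: base_kwargs[parameter] * factor})
    actual = evaluate(build(**changed))[output]
    predicted = base * expected_factor
    return {"base": base, "predicted": predicted, "actual": actual,
            "passed": abs(actual - predicted) <= tolerance * abs(predicted)}


# Constructed baseline inputs for the model above
BASE = {"units": 1000, "price_per_unit": 100.0, "cost_per_unit": 40.0, "overhead": 8000.0}
CHECK_PAIRS = [("C4", "D1")]


def run_baseline_tests():
    """Check totals at rest, a revenue sensitivity test, then check totals again after the change."""
    at_rest = check_totals(evaluate(budget_model(**BASE)), CHECK_PAIRS)
    revenue = sensitivity_test(budget_model, BASE, "units", 2.0, "C1", 2.0)   # revenue is linear in units
    doubled = dict(BASE, units=BASE["units"] * 2)
    after_change = check_totals(evaluate(budget_model(**doubled)), CHECK_PAIRS)
    return {"check_total_at_rest": at_rest, "revenue_sensitivity": revenue,
            "check_total_after_change": after_change}


if __name__ == "__main__":
    for name, result in run_baseline_tests().items():
        print(f"{name}: {result}")
```

The lesson the run shows is the one the text states: the check total is silent at the current figures, the revenue sensitivity test passes, and the defect only surfaces when the check total is re-evaluated with changed parameters. Baseline testing should therefore combine both and exercise the check totals under the sensitivity scenarios.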
34. Is it possible to rely on the spreadsheet risk management process to provide assurance over the critical spreadsheets?
An effective internal control environment reduces the likelihood that errors or irregularities will occur and remain undetected, but it does not eliminate that possibility. Similarly, well-defined spreadsheet risk management processes will significantly reduce – but not eliminate – an organisation’s exposure to spreadsheet risk. For many organisations, adherence to a well-defined spreadsheet risk management policy will reduce the risk to an acceptable level, as well as helping to satisfy regulatory requirements. (Note, however, that these requirements also may necessitate an assurance process to ensure the spreadsheet risk management process is operating as defined. Further guidance is provided in response to Question 32.)
35. How often should spreadsheets or the spreadsheet control environment be evaluated?
The spreadsheet risk management process should be subject to the same assurance approach as other operational risk management processes. Many organisations will look to gain annual assurance over the design and operating effectiveness of the spreadsheet risk management operating model.
However, for many organisations the implementation of a spreadsheet risk management policy represents a significant change. As a result, for areas of high risk, areas where a high volume of complex spreadsheets have been identified or areas where a high volume of control deficiencies have been identified in the past, the organisation should consider increasing the frequency of management assurance testing until the new processes have been embraced by the business.
36. Should internal audit be relied on to provide assurance on behalf of the business?
It is the responsibility of operational management to ensure the organisation has appropriate controls in place that are operating effectively. The operational management team should therefore ensure that adequate assurance processes are in place.
Internal audit may assist management in providing this assurance. The role internal audit plays is entirely dependent on the relationship the internal audit department has with the operational side of the business as well as the priorities of the audit committee.
If internal audit does support operational management by performing an audit or review, it remains the responsibility of operational management to ensure the scope of their review is sufficient to provide the desired level of assurance.
Spreadsheet risk indicators and reporting
37. What other forms of assurance can we rely upon rather than periodic controls assessments?
Many organisations have revisited their regulatory compliance approach to place increased reliance on high-level monitoring controls in order to reduce their cost of compliance. Technical solutions for managing spreadsheets (as discussed in the section 'Technology enabling effective spreadsheet risk management') can provide a method for implementing equivalent monitoring controls around spreadsheets.
Implementing a monitoring tool is not an alternative to implementing an effective spreadsheet risk management framework. Furthermore, before relying on a monitoring tool, it is necessary to perform testing to gain a level of assurance that the spreadsheets are in compliance with policy and free from material errors. Only then can the benefit be gained from implementing a technical solution to detect and notify when changes are made that may, or do, breach the policy.
Continuous detection of this kind provides much greater assurance than periodic manual assessment, because every change is captured rather than a sample. Consequently, resources can be devoted to ensuring the policy and control framework are appropriate, rather than to performing controls testing.
38. Are there generally accepted key indicators of spreadsheet risk or measures that should be applied?
There is no generally accepted set of key risk indicators (KRIs) or internationally recognised standard.
Defining KRIs is about defining a set of measurable parameters that will provide an indication of an increased, or increasing, level of spreadsheet risk in an area. The organisation should consider having key operational departments report these statistics to management on a regular (e.g. monthly) basis.
The objective of the indicators is to provide a more frequent notification than controls assessments of a potentially increasing exposure to spreadsheet risk, arising from changes to the way spreadsheets are being used to support the business. Where a department shows an increasing trend, this could trigger specific work within the department to ensure that spreadsheet risk continues to be managed effectively.
The focus should be on identifying two or three parameters that can be easily reported but that directly monitor spreadsheet risk in the organisation. Some examples of indicators that have been used at other organisations are listed below. Where an indicator uses terms such as 'critical' or 'complex', the organisation itself must define at what level these terms become applicable:
• Number of 'critical' spreadsheets operated in the department.
• Number of 'complex' spreadsheets operated in the department.
• Aggregate inherent risk of all operational spreadsheets.
• Aggregate residual risk of all operational spreadsheets.
• Volume of spreadsheet risk action plans.
• Volume of overdue spreadsheet risk action plans.
The list above is by no means complete. However, it does provide an indication of the type of indicators that the business should be looking to track. It is important that the indicators are simple to measure and easy for a department to produce once effective spreadsheet risk management processes are in operation. Some spreadsheet risk management tools, particularly those designed to perform an automated scan and risk assessment, can be helpful when looking to track some of these indicators.
39. What information is provided to the executive/risk committees regarding spreadsheet risk?
Spreadsheet risk should be a single aspect of a much broader operational risk reporting structure. It is important that any information provided to the executive is incorporated into the existing risk reporting processes. This ensures that spreadsheet risk can be assessed in the context of the other operational risks to which the organisation is exposed, and prioritised accordingly. The nature and extent of information reported will ultimately be driven by the level of residual risk, when considered alongside the other key risk areas the business is seeking to manage.
It is also important that the organisation can demonstrate that, in the event significant spreadsheet-related issues arise, there are processes in place to ensure that these issues are brought to the attention of the relevant individuals, and that appropriate management response actions are in place and prioritised.
Typically an executive will want to know:
• What is the risk?
• Where does the risk exist?
• How significant is the risk?
• Who is currently dealing with the risk?
• When will this risk be managed to an acceptable level?
Note that the above questions could have come from a much more generic approach to operational risk management. Spreadsheet risk can also be aggregated with other types of operational risk to provide an overall risk exposure measure for operational processes, departments, and so on.
The provision of this information also ensures that the executive is fully briefed and in a position to answer questions from external auditors and regulatory bodies.
Further guidance on implementing an enterprise-wide risk management process can be found in Protiviti's Guide to Enterprise Risk Management, available separately.
40. How can we ensure management and spreadsheet owners take on more accountability for the risk associated with the spreadsheets that they own?
An effective way of embedding spreadsheet risk management processes is to implement some form of certification process, which also helps to ensure that spreadsheet risk owners take on more accountability. One approach is to ask the individuals accountable for effective risk and control management to confirm the accuracy of the spreadsheets they operate, and that all risk and control assessments associated with each spreadsheet are complete and accurate. This can be further enhanced by requiring those individuals to confirm the level of residual risk arising from these assessments.
Having spreadsheet owners assess control effectiveness on a periodic (e.g. quarterly) basis ensures they start to actively own their risk and control assessments and are responsible for maintaining them on a regular basis. It also presents an opportunity for the spreadsheet owner to highlight issues and obtain support in resolving them. From a management perspective, the fact that individuals within the organisation are personally accountable for signing off on this quarterly review provides a certain level of comfort that their spreadsheet risk is managed. Using self-assessment technology can significantly reduce management's overhead for such a process.
A few organisations have introduced risk management performance into employee contracts, with individuals measured on how effectively they deliver on their risk management responsibilities. However, this can be difficult to implement in many organisations, and most spreadsheet owners will understate the importance of spreadsheet risk management given their other responsibilities.
41. How can we ensure that spreadsheet risk is incorporated into our current regulatory reporting processes?
The effective management of spreadsheet risk is already implied in most of the existing regulatory reporting requirements. If spreadsheets are used widely and ultimately relied upon by the business, it is not possible to conclude on the effectiveness of internal controls without considering the effectiveness of spreadsheet risk management controls. Consider whether and how spreadsheet risk has been assessed in the past when the organisation has attested to the requirements of external bodies. Is the organisation comfortable that it has appropriately assessed spreadsheet risk when making these attestations?
If spreadsheet risk has not been formally evaluated in the past, it does not necessarily mean that the organisation has misrepresented its position. It simply means that greater transparency is required around the organisation's conclusions about the effectiveness of spreadsheet risk management.
Organisations need to ensure that spreadsheet risk is considered when making any future statement to regulatory bodies, and it is essential for the executive to understand that spreadsheet risk is actively managed when signing off on any attestation statement. If an organisation has implemented an effective spreadsheet risk management framework and has obtained assurance that this framework is operating effectively, the business will be well placed to reach a conclusion. Essentially, the organisation is required to provide assurance to the executive that the spreadsheet risk policy has been effectively implemented throughout the organisation and that existing issues have been identified and are being actively managed.
Training and awareness
42. Making spreadsheet owners aware of the potential risk is difficult. Are there any tried and tested approaches?
Increasing spreadsheet risk awareness can be challenging because spreadsheets are typically used by many people within the organisation.
Basic awareness training should be provided, covering the minimum control standards and illustrating some best-practice techniques. It should also provide individuals with guidance on where to go for further information (such as an online resource or a spreadsheet support team). Critically, they should be educated on the key indicators that imply significant inherent risk within the spreadsheets they operate, and know whom to contact when these indicators are present. Users should be provided with regular reminders of the key issues and of their responsibilities. Simply providing some initial training and posting a standard on the intranet is unlikely to achieve the desired level of accountability.
An effective process is to integrate the awareness training into the HR joiner's process. In doing so, all new joiners to the organisation are provided with the training. Training current employees, however, remains a challenge. There are many different approaches to educating a high volume of people, such as those used for internal communications, health and safety awareness and fire drills.
Where critical spreadsheets have been identified, a more formal training programme will be necessary. An alternative to training that has worked well for many organisations is providing a central support team to walk the spreadsheet owner through the process. This is not only more effective than classroom training, but also helps the business achieve consistency in implementation of the spreadsheet risk management framework.
43. Are there differing levels of training required for spreadsheet owners?
This varies and will depend on the individual spreadsheet owners. Spreadsheet owners should have the option to request additional training on spreadsheet development techniques. These would typically be standard spreadsheet training courses that cover more effective use of spreadsheets.
However, specific training on spreadsheet risk management processes will need to be provided to users who own and operate spreadsheets with an increased level of inherent risk. It is also a good idea to review those individuals requesting spreadsheet development training, as this often implies they have a higher dependency on spreadsheets and wish to develop more effective (and probably more complex) solutions. This training should provide guidance on evaluating spreadsheet risk and the effectiveness of spreadsheet controls.
An alternative to training is to provide a central support team to walk the spreadsheet owner through the process. This has worked well for many organisations. It is not only more effective than classroom training, but it also helps the business achieve consistency in implementation of the spreadsheet risk management framework.
44. Is the intranet an effective tool for ensuring awareness of spreadsheet risk within the organisation?
The intranet is an excellent tool for providing reference information for individuals. If possible, all spreadsheet risk management frameworks, processes and training should be made available on the intranet.
However, posting documents on the intranet is not a substitute for delivering training. Employees should be aware it exists, but their training should be delivered through discussions, lectures, practical exercises and online tests. A more interactive method is required to ensure the proper approach to spreadsheet risk management in the organisation is appreciated and understood.
Resources
45. What are the key spreadsheet risk management capabilities that should exist in any organisation?
All users of spreadsheets need to be provided with training to develop a basic level of knowledge. This should include:
• Awareness of key spreadsheet risks.
• Understanding of the minimum spreadsheet control standards.
• Understanding of the key indicators of a spreadsheet becoming critical.
• Knowledge of whom to engage when a spreadsheet is becoming critical.
Providing this level of training to all users can be challenging for many organisations. As a result, many businesses initially focus on those parts of the organisation that are more dependent on the use of spreadsheets.
In addition to this basic level of knowledge, the business will need access to people with much deeper skills who can provide support and guidance to the wider community. Some organisations have set up central teams with these deeper skills that the spreadsheet owners can draw on when required. Unless users are granted access to these types of people, it can be difficult to effectively roll out the spreadsheet risk management framework. The deeper skills required include:
• Risk assessment skills.
• Spreadsheet design skills.
• Advanced spreadsheet development skills (including Visual Basic development if macros are widely used in the business).
• Spreadsheet testing skills.
46. To what degree should the organisation expect to be sourcing third-party skills?
There is no requirement to make use of third parties. Many organisations have found it helpful, however, to draw on the experiences of other organisations when establishing a spreadsheet risk framework.
Skilled third-party resources have been engaged in a number of areas, including:
• Development of a spreadsheet policy.
• Identification and assessment of critical spreadsheets.
• Spreadsheet testing.
• Management assurance.
Organisations have gained value from employing experienced consulting firms to perform the initial identification of their critical spreadsheets. The consultants provide a level of independent evaluation but also draw on their experience with other organisations to accurately assess the inherent risk and complexity of spreadsheets. At the end of a project in which consultants have been employed, it is important for any organisation to ensure the processes have been embedded in their day-to-day operational processes.
Spreadsheet testing can be time-consuming, and experience has shown that it is unlikely to be effective when performed by the spreadsheet owners. There is a natural tendency for the spreadsheet owner to take shortcuts and perform a less thorough review. Third-party companies are able to leverage specialised testing tools that provide a higher level of assurance. Spreadsheet testing is, hopefully, a process performed through one-off projects, so there is an opportunity to agree a relationship with a third party to ensure they are available to perform this work as and when required.
Management assurance exists to ensure that appropriate spreadsheet controls are in place and operating effectively. Organisations often do not have the luxury of internal risk teams with the capacity to perform extensive management assurance work. The alternative is to allow the spreadsheet owners to perform a self-assessment of the controls in operation. This is typically a good approach, but only when used in combination with some form of independent assurance work to ensure self-assessments are performed appropriately. Third-party firms can provide this capability on an annual or other scheduled basis.
Other services provided by third parties include:
• Evaluation of technology solutions in the marketplace.
• Implementation of a spreadsheet management technology solution.
• Assisting internal audit with spreadsheet reviews.
• Training and awareness on spreadsheet risk management.
• Development of an appropriate control framework.
47. Should the organisation be employing specific spreadsheet support teams?
To effectively implement spreadsheet risk management processes, the business will typically need to provide spreadsheet owners with access to people with deep expertise on an as-needed basis. The deeper skills required include:
• Spreadsheet risk management policy expertise.
• Risk assessment skills.
• Spreadsheet design skills.
• Advanced spreadsheet development skills (including Visual Basic development if macros are widely used in the business).
• Spreadsheet testing skills.
Some organisations have found that a cost-effective approach is to create a small pool of central resources that the business can draw on to provide deeper skills when required. This will depend, however, on the complexity of the spreadsheets used within the organisation. Organisations will not require specialised spreadsheet support analysts if the spreadsheet owners are capable of adequately controlling the spreadsheets they operate.
Some organisations employ spreadsheet support teams to ensure critical spreadsheets are developed in a controlled yet responsive manner to support business requirements. These teams essentially operate as a rapid development team, typically located alongside the operational staff they support.
The use of a spreadsheet support team needs to be carefully monitored so that not every application development request is routed through it: certain requests should go through the more formal IT development environment instead.
Successful spreadsheet support teams tend to operate in financial services organisations, and typically in a trading environment where daily analysis and deal construction are performed through complex spreadsheets. (This is a good example of where more traditional applications are seldom flexible enough to support business requirements.) Some businesses have also used central support teams to provide training to the business on spreadsheet risk and to drive the implementation of the spreadsheet risk management policy.
48. Should formal processes exist to ensure that the organisation consistently manages spreadsheet risk?
A spreadsheet risk management operating model should contain documented processes and controls. Processes should exist to ensure that all individuals with spreadsheet risk management responsibilities can follow a consistent process.
Critically, controls should also be defined within these processes. These controls will have defined control owners responsible for their operation. Having documented controls ensures the organisation is able to evaluate the effectiveness of the spreadsheet risk management processes.
Spreadsheet risk management processes typically include:
• Policy definition.
• User training and awareness.
• Identification of critical spreadsheets.
• Individual risk assessment (assessment of risk in an individual spreadsheet).
• Overall risk assessment (consolidation and aggregation of risk information and associated reporting).
• Controls definition and implementation.
• Controls testing and assurance.
• Certification of spreadsheets (quarterly or annual certification by spreadsheet owners that they understand their responsibilities and that risk is being managed in accordance with policy).
• Compliance (the process of gaining assurance that the business is in compliance with the spreadsheet risk management policy).
Technology enabling effective spreadsheet risk management
49. Do technology solutions exist to help with spreadsheet risk management?
There is a relatively new market for technical solutions to assist with spreadsheet risk management. Many of the more established vendors have been operating in this area for only a few years.
Ventana Research has conducted research within this area and estimates that while the total market for enterprise spreadsheet management tools was $15 million in 2006, this will grow to an estimated $500 million by 2011. In our view, this estimate is conservative given the reliance placed on spreadsheets by so many companies and the increasing scrutiny and compliance requirements being placed upon them.
The types of technical solutions available can generally be categorised into three groups:
1. Spreadsheet management/control: These solutions typically provide change control, version management, change history (audit trail) and security over those spreadsheets managed by the solution. Some solutions can be used to restrict access to functionality or specific cell ranges.
2. Spreadsheet search/discovery: These solutions perform automated scans of networks or specific servers to generate an inventory of all spreadsheets discovered. Some solutions perform limited analysis to help the user deal with the large number of results typically generated.
3. Spreadsheet auditing: These automated tools assist a reviewer when auditing a spreadsheet. Although some element of manual review is still required, these tools, when used correctly, greatly improve the efficiency of such reviews.
50. Are there established solutions and clear market leaders?
The vendors are a mixture of new companies who are specialising in this particular market and several existing software vendors who have diversified their existing product range.
Although some solutions are more established than others, the market is still relatively immature and gaining new entrants. No clear market leader has yet emerged, partly because the right choice of solution (or combination of solutions) will depend on individual companies' requirements and goals.
Given the rapidly changing state of the market, it is difficult to provide detailed information in a publication such as this. Protiviti does, however, maintain information on all of the leading solutions and would be pleased to provide further information on request. Though there is clearly a large market, we believe the current number of vendors is unsustainable, and that some consolidation will occur.
51. If technology solutions are implemented, will they impact all spreadsheets operating within the organisation?
The spreadsheet management and control solutions are typically used only to manage spreadsheets that have been identified as business-critical or 'in scope'.
It is theoretically possible to monitor and manage all of the organisation's spreadsheets, but it would normally be impractical given the number of spreadsheets that exist in most organisations. We recommend, as part of the solution implementation, that careful consideration be given to determining which spreadsheets should be included. The rules for determining which spreadsheets are in scope should be defined in the spreadsheet risk management policy.
52. Are there performance or usability issues that need to be considered when implementing spreadsheet control solutions?
This depends on the individual solution and how it operates. Some solutions place limitations on user functionality. Others may increase the time it takes to save large spreadsheets, or may generate significant volumes of data traffic on the network. Companies should ensure that they evaluate any usability and technical constraints and requirements during the product selection process.
53. Who would implement and manage the operation of any spreadsheet solutions?
Typically, the implementation of such solutions is run as a project, with a dedicated project team reporting to both business and IT stakeholders. The business will want to ensure that the solution and its associated processes meet their objectives. IT will often require the solution to fit with their technical architecture and not adversely affect network performance. IT is also likely to have responsibility for maintaining the platform going forward and, therefore, will need to be involved in the selection and implementation processes.
Often, the solution will also require a system administrator role for technical assistance with matters such as setting up new users. Additionally, there is likely to be a requirement for a business manager or reviewer to ensure that changes made are appropriate. The actual roles will depend on the objectives and the solution(s) chosen.
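The discovery scan described in group 2 above, and the kind of indicators listed under Q38, can be illustrated with a short script. The following is an added example written for this guide, not a Protiviti or vendor tool. It assumes only the Office Open XML container layout (a .xlsx/.xlsm file is a ZIP whose VBA project, if any, is stored as xl/vbaProject.bin, with external links under xl/externalLinks/ and formulas as <f> elements in the worksheet parts), hypothetical thresholds for 'complex', and a constructed sample share built in a temporary directory:

```python
"""Discover workbooks on a file share, inventory them with structural risk
indicators and derive Q38-style KRIs from the inventory.

Added example for this guide, not a Protiviti or vendor tool.  Assumptions
not taken from the guide: the OOXML container layout (a .xlsx/.xlsm is a ZIP;
a VBA project lives at xl/vbaProject.bin, external links under
xl/externalLinks/, formulas as <f> elements in worksheet parts), the
hypothetical complexity thresholds, and the constructed sample files.
"""
import hashlib
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

SPREADSHEET_EXT = {".xlsx", ".xlsm", ".xltx", ".xltm"}
WORKSHEET_PART = re.compile(r"xl/worksheets/sheet\d+\.xml")
FORMULA_TAG = re.compile(rb"<f[ >/]")          # <f>, <f t="shared" ...>, <f/>

# Q38: the organisation itself must define when 'complex' applies.
# These thresholds are hypothetical.
COMPLEX_FORMULAS = 50
COMPLEX_SHEETS = 5


@dataclass
class WorkbookRecord:
    path: str
    sha256: str          # content hash: the starting point for a baseline
    sheets: int
    formulas: int
    has_macros: bool
    external_links: int

    @property
    def complex(self) -> bool:
        return (self.has_macros or self.external_links > 0
                or self.formulas >= COMPLEX_FORMULAS
                or self.sheets >= COMPLEX_SHEETS)


def inspect_workbook(path: str) -> WorkbookRecord:
    """Read structural indicators straight from the container; Excel is not needed."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    sheets = formulas = links = 0
    has_macros = False
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name == "xl/vbaProject.bin":
                has_macros = True
            elif name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                links += 1
            elif WORKSHEET_PART.fullmatch(name):
                sheets += 1
                formulas += len(FORMULA_TAG.findall(z.read(name)))
    return WorkbookRecord(path, digest, sheets, formulas, has_macros, links)


def discover(root: str) -> List[WorkbookRecord]:
    """Walk the tree; skip files that carry the extension but are not OOXML containers."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() in SPREADSHEET_EXT and zipfile.is_zipfile(full):
                found.append(inspect_workbook(full))
    return found


def kris(records: List[WorkbookRecord]) -> Dict[str, int]:
    """Indicators of the kind listed under Q38, reported per scan."""
    return {
        "spreadsheets": len(records),
        "complex": sum(1 for r in records if r.complex),
        "macro_enabled": sum(1 for r in records if r.has_macros),
        "with_external_links": sum(1 for r in records if r.external_links),
    }


def make_workbook(path: str, formulas: int = 0, extra: Dict[str, object] = None) -> None:
    """Write a minimal OOXML container: a constructed sample, not a real model."""
    cells = "".join(f'<c r="A{i}"><f>A{i - 1}*2</f></c>' for i in range(2, formulas + 2))
    parts = {
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": '<workbook><sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f"<worksheet><sheetData><row>{cells}</row></sheetData></worksheet>",
    }
    parts.update(extra or {})
    with zipfile.ZipFile(path, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)


def run_demo() -> Tuple[Dict[str, int], List[str]]:
    """Build a constructed share, scan it, and return the KRIs plus the 'complex' workbooks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "treasury"))
        make_workbook(os.path.join(root, "treasury", "hedge_book.xlsm"),
                      formulas=12, extra={"xl/vbaProject.bin": b"\x00vba"})
        make_workbook(os.path.join(root, "treasury", "fx_rates.xlsx"),
                      formulas=3, extra={"xl/externalLinks/externalLink1.xml": "<externalLink/>"})
        make_workbook(os.path.join(root, "holiday_rota.xlsx"), formulas=2)
        with open(os.path.join(root, "notes.xlsx"), "wb") as fh:
            fh.write(b"not a workbook")          # wrong extension; must be skipped, not crash the scan
        records = discover(root)
        return kris(records), sorted(os.path.basename(r.path) for r in records if r.complex)


if __name__ == "__main__":
    print(run_demo())
```

In practice the walk runs over the file shares named in the policy and the records are grouped by owning department, so that 'number of complex spreadsheets operated in the department' can be reported monthly; the content hash in each record is also the natural starting point for the baseline that a change-control tool (group 1) needs.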
54. Is it as straightforward as installing the software in order to manage the risk or to be compliant?
Unfortunately, spreadsheet risk management is not as straightforward as simply implementing a tool. In fact, the selection and implementation of a spreadsheet risk management tool is potentially one of the easiest parts of the overall programme.
Before implementing a tool, the business will need to determine its risk appetite and the policies governing the use of spreadsheets. Then, the business will need to educate all users of potentially critical spreadsheets and embed a risk management culture. This is typically the most complex part of any spreadsheet risk management programme.
Once the business has identified the potentially critical spreadsheets that will be controlled using the selected tool, the spreadsheet owner will need to perform testing to ensure the spreadsheet is operating effectively. (There is limited value in tracking changes to a spreadsheet that lacks integrity from the start.)
The spreadsheet owner will then need to decide what actions/changes should be logged, and who is responsible for reviewing them. There is no point in building up an audit trail of all the changes made to a spreadsheet if nobody reviews and follows up on the changes. The spreadsheet owner must also consider access control requirements, and the spreadsheet risk management tool will need to be configured appropriately to manage this access.
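Q37 makes the point that a monitoring control only adds assurance once the workbook has been tested and baselined, and Q54 that the owner must decide which changes are logged and reviewed. The following added example, written for this guide and not taken from any vendor's product, shows the minimum such a control does: it hashes each part of the container at baseline, compares on every check, and classifies each changed part under hypothetical owner-defined rules (a VBA project appearing in a workbook that was baselined without one is a breach; a changed worksheet part needs review; anything else is logged). It assumes the OOXML container layout and uses a constructed sample workbook:

```python
"""Baseline a tested workbook and detect later changes part by part, writing an
audit record and flagging the changes that breach the owner's policy.

Added example for this guide, not a vendor's control tool.  Assumptions not
taken from the guide: the OOXML container layout (a VBA project lives at
xl/vbaProject.bin, worksheet parts under xl/worksheets/), the hypothetical
policy rules in classify(), and the constructed sample workbook.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone
from typing import Dict, List

SEVERITY_ORDER = {"log": 0, "review": 1, "breach": 2}


def part_hashes(path: str) -> Dict[str, str]:
    """SHA-256 of every part inside the container, keyed by part name."""
    with zipfile.ZipFile(path) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def baseline(path: str, approved_by: str) -> Dict:
    """Take the baseline only after the owner has tested the workbook (Q54):
    there is no value in tracking changes to a workbook that lacked integrity."""
    return {"path": path, "approved_by": approved_by,
            "taken_at": datetime.now(timezone.utc).isoformat(),
            "parts": part_hashes(path)}


def classify(part: str, change: str) -> str:
    """Owner-defined policy (hypothetical): a VBA project added to a workbook baselined
    without one is a breach; edits to calculation logic need review; the rest is logged."""
    if part == "xl/vbaProject.bin":
        return "breach" if change == "added" else "review"
    if part.startswith("xl/worksheets/"):
        return "review"
    return "log"


def check(path: str, base: Dict) -> List[Dict[str, str]]:
    """Compare the live file with the baseline; one event per part that differs."""
    current = part_hashes(path)
    events = []
    for part in sorted(set(base["parts"]) | set(current)):
        before, after = base["parts"].get(part), current.get(part)
        if before == after:
            continue
        change = "added" if before is None else "removed" if after is None else "modified"
        events.append({"part": part, "change": change, "severity": classify(part, change)})
    return events


def worst_severity(events: List[Dict[str, str]]) -> str:
    return max((e["severity"] for e in events), key=SEVERITY_ORDER.get, default="none")


def audit_line(base: Dict, events: List[Dict[str, str]]) -> str:
    """One JSON record per check: what the control writes to its audit trail and,
    on 'breach', what it notifies the owner and reviewer about."""
    return json.dumps({"path": base["path"],
                       "checked_at": datetime.now(timezone.utc).isoformat(),
                       "baseline_by": base["approved_by"],
                       "worst": worst_severity(events), "events": events})


def make_workbook(path: str, parts: Dict[str, object]) -> None:
    """Write a minimal OOXML container: a constructed sample, not a real model."""
    with zipfile.ZipFile(path, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)


ORIGINAL_PARTS = {
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": '<workbook><sheets><sheet name="Model" sheetId="1"/></sheets></workbook>',
    "xl/worksheets/sheet1.xml":
        '<worksheet><sheetData><row><c r="B2"><f>SUM(A1:A10)</f></c></row></sheetData></worksheet>',
}


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pricing_model.xlsx")
        make_workbook(path, ORIGINAL_PARTS)
        base = baseline(path, approved_by="model.owner")   # taken after owner testing
        unchanged = check(path, base)                      # nothing to report yet
        # Simulate an uncontrolled edit: the summed range is widened and a VBA project appears.
        edited = dict(ORIGINAL_PARTS)
        edited["xl/worksheets/sheet1.xml"] = ORIGINAL_PARTS["xl/worksheets/sheet1.xml"].replace("A10", "A12")
        edited["xl/vbaProject.bin"] = b"\x00vba"
        make_workbook(path, edited)
        events = check(path, base)
        return unchanged, events, worst_severity(events), audit_line(base, events)


if __name__ == "__main__":
    print(run_demo())
```

Part-level hashing is what makes the audit trail reviewable: a reviewer who is told that only a worksheet part changed can look at the formula, whereas a single whole-file hash only says that something changed. Which parts are 'review' and which are 'breach' is exactly the decision Q54 leaves with the spreadsheet owner.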
About Protiviti Inc.
Protiviti (www.protiviti.co.uk) is a global consulting and internal audit firm composed of experts specialising in risk and advisory services. The firm helps clients solve problems in finance, operations, technology, litigation and GRC. Protiviti's highly trained, results-oriented professionals serve clients in the Americas, Asia-Pacific, Europe and the Middle East and provide a unique perspective on a wide range of critical business issues.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
End-user computing risk management services
Protiviti has the experience to help you understand the risks associated with your end-user computing applications. We can help you implement an effective spreadsheet risk management framework that provides an appropriate level of control without adversely impacting usability or productivity. Our approach represents a pragmatic response to end-user computing risk based on real business need and built on practical experience.
Protiviti knows what auditors are looking for in respect of statutory and compliance requirements, and can help you interpret and meet those requirements. We remain vendor-independent but have thorough knowledge of the solutions on the market. With this knowledge, we can help you:
• Define spreadsheet risk management policies and supporting processes.
• Evaluate the options available based on your specific requirements and objectives.
• Create an inventory of spreadsheets through scanning or targeted discussions with users.
• Review spreadsheets to identify errors and develop a base-lined version that can be controlled.
• Implement a spreadsheet management framework, including:
– Select a spreadsheet risk management tool.
– Determine what controls and settings should be configured within the solution.
– Develop procedures, training/awareness programmes and monitoring processes.
We also help internal audit functions add value through auditing end-user computing, including:
• Assessment (pilot study or full assessment) of the extent to which end-user applications support critical business processes and the risk these applications present to the business.
• Identification and assessment of controls in place around the development, operation and maintenance of end-user applications.
• Audits of individual applications to identify potential errors and design weaknesses, using automated tools and our spreadsheet audit methodology.
• Remediation of identified control gaps and application errors.
Contacts
EMEA (Europe, Middle East and Africa)
Jonathan Wyatt, Managing Director, +44 (0) [email protected]
+44 (0) [email protected]
Rob Nieves, +44 (0) 20 7389 0445, rob.nieves@protiviti.co.uk
United States
Edward Hill, Managing Director, +1 713 314 5010, edward.hill@protiviti.com
Evan Campbell, +1 713 314 4974, evan.campbell@protiviti.com
Andrew Struthers-Kennedy, +1 410 454 6879, andrew.struthers-kennedy@protiviti.com
Asia-Pacific
Singapore: Matthew Field, Managing Director, +65 6220 6066, matthew.field@protiviti.com
Australia: Justin Trentini, +61 2 8220 9502, justin.trentini@protiviti.com.au
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. Protiviti is an Equal Opportunity Employer.
© Protiviti. protiviti.co.uk