Enterprise Spreadsheet Control: Managing the Material Risks Within

In many respects, spreadsheets represent the perfect business tool. They are extraordinarily flexible, remarkably powerful and yet common enough to be leveraged with little training or experience. However, the attributes that make spreadsheets so beneficial also come with an inherent level of risk.

Spreadsheets are highly susceptible to error because of the manual manner in which they are created and maintained. To make matters worse, spreadsheets can be easily leveraged for the commission of fraud. Error and fraud lead inexorably to heightened scrutiny and spreadsheets have therefore become increasingly prone to inquiry by auditors and subject to regulation.

In an attempt to meet these challenges a market for spreadsheet control solutions has developed over the past few years. So what, specifically, is driving organisations to begin adopting spreadsheet control solutions in ever increasing numbers?

Risk and Control

Spreadsheets are rarely treated as enterprise resources even though they are often used to manage critical data, which is, in turn, often used to make critical decisions. Put simply, spreadsheets seldom have the proper levels of control applied to mitigate the risks they present to an organisation. For example, within accounting and finance groups, data initially managed on spreadsheets is often used as input to general ledger and corporate reporting platforms that drive business decisions.

Ninety per cent of organisations surveyed by Fiserv believe that spreadsheets do represent a material risk, but these same organisations all indicate that they have only the most rudimentary controls in place to mitigate this risk. As a result, spreadsheets appear to represent one of the last unaddressed forms of IT related risk.

Error and Fraud

Error and fraudulent activity associated with spreadsheet use can have direct, negative and often material impact on the bottom line of organisations. Mitigation of risk via reduction in the level of errors and the ability to perpetrate fraud using spreadsheets is a significant driver in the adoption of spreadsheet control solutions.

PricewaterhouseCoopers has estimated that between 30% and 90% of all spreadsheets have at least one major error, and that the chance of error approaches 100% for spreadsheets with more than 200 items. KPMG has added that 5% of all errors found within spreadsheets are of a material nature. One recent and newsworthy example was the incorrect inclusion of 179 contracts in Barclays’ acquisition of Lehman Brothers’ assets based on a spreadsheet error.

A quick Google search on ‘spreadsheet fraud’ returns approximately 831,000 hits. Some higher-profile incidents include an estimated US$2-3m fraud perpetrated by bank tellers who were able to manipulate large deposit tickets and the spreadsheets used to track them, in order to hide the amounts skimmed from the deposits. The CFO of a major technology company hid commission entries by hiding a key cell in a spreadsheet used to manage commissions. The result? A loss of nearly US$500m in market capitalisation when the scam was uncovered.

Regulation

Incidents like these have prompted auditors to turn a focused and critical eye towards the use of spreadsheets. Existing regulations are increasingly applied to spreadsheets on a worldwide basis. Sarbanes-Oxley section 404 in the US requires management and outside auditors to report on the adequacy of internal controls. The Turnbull Report on Internal Control in the UK and Australia’s ASX ‘Principle 7’ mandate similar internal controls and risk management requirements. In addition to establishing and documenting control processes as they pertain to spreadsheets, all these compliance mandates look to ensure that proper controls are in place around the role spreadsheets play in the financial process. The capital adequacy requirements found in Basel II impact spreadsheet use too, given the large role spreadsheets play in providing data into these calculations.

Driving the Decision

Error reduction, fraud prevention, the mitigation of risk and the capability to meet the challenges of regulatory compliance are key drivers in the adoption of spreadsheet control solutions. Interestingly, these factors alone are typically not enough to spur the purchase of these solutions. Seventy per cent of those surveyed by Fiserv say that the proposed purchase of a spreadsheet control solution would need to pass internal ROI hurdles before gaining approval. What organisations also need to see is how automation of the control around spreadsheets has the capacity to translate into significant efficiency-generated savings. Since control solutions also serve to automate spreadsheet processes, such as version comparisons, direct labour cost savings can often be achieved. Similarly, the ability to drive down errors and fraud has the potential to significantly reduce operational losses.

The obvious question at this juncture is what type of specific functionality is needed in order to meet the control, audit and efficiency requirements of enterprise spreadsheet use. It is easiest to consider solution attributes in terms of five distinct, yet highly integrated, categories.

Discovery

Even the smallest of firms can have spreadsheets that number into the tens of thousands. Identifying all spreadsheets across the organisation is a major challenge in and of itself. Automation of this process is imperative with any spreadsheet control solution. Clearly though, not all spreadsheets require the same level of audit and control. To separate the needles from the haystack it is critical that firms have the automated ability to determine those spreadsheets that are deemed worthy of focused management. This separation is made based on an analysis of each spreadsheet in terms of its perceived materiality, complexity, and potential organisational impact as inputs into an overall risk profile. Individual spreadsheet analysis can then be aggregated so that an enterprise wide risk appraisal can be understood by those responsible for audit, compliance and risk management.

Security

Spreadsheets themselves provide precious little in the way of enterprise security. Most come with the ability to password protect entire spreadsheets, workbooks and even data at the cell level. However, this type of security relies entirely on individual users to implement it, and model organisations can mandate, but not impose, proper security measures. Fiserv found that the most common type of security employed by the institutions surveyed was to place spreadsheets on a secure drive. These firms also admitted that any individual with access to such drives had potential free rein to action the spreadsheets housed there because there was no good way to implement further controls. Automated spreadsheet control solutions approach security from an enterprise perspective by providing organisations with the ability to categorise both users and spreadsheets. Once categorised, authorisations are established that permit only approved users to access and/or update specific spreadsheets.

Control

Automated spreadsheet control solutions implement a first layer of control on spreadsheet use by creating audit trails for each user action. Understanding what changes have been made, who made them, and when they occurred is essential when you consider that spreadsheets are often used as inputs to mission critical applications and management reporting processes. Version comparison capabilities provide a second layer of control. Anyone who has worked with spreadsheets will have experienced a scenario where one or more individuals save multiple versions of a spreadsheet, each with one or more changes. Understanding what has changed and whether or not those changes represent potential errors or fraudulent activity is at best a tedious and time-consuming process. At its worst, the manual comparison of multiple versions of the same spreadsheet misses critical changes that may have an effect on the bottom line of an organisation. Spreadsheet control solutions automate the comparison of any two versions of the same spreadsheet to highlight all changes to reviewers, management and auditors so that they can determine if such changes are appropriate.
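The audit trail and version comparison described above, sketched as an added example (not code from the article or from any vendor product): consecutive saved versions are compared cell by cell and each change is attributed to the user and time of the save. The version history, field names and change labels, including `formula-replaced-by-constant`, are constructed for illustration.

```python
# Constructed version history: each save records who, when and the cell contents.
VERSIONS = [
    {"user": "alice", "saved": "2024-03-01T09:00",
     "cells": {"B1": 1200, "B2": 350, "B3": "=B1+B2"}},
    {"user": "bob", "saved": "2024-03-01T17:30",
     "cells": {"B1": 1200, "B2": 530, "B3": "=B1+B2", "B4": "check"}},
    {"user": "carol", "saved": "2024-03-02T08:15",
     "cells": {"B1": 1200, "B2": 530, "B3": 1730}},
]

def is_formula(value):
    return isinstance(value, str) and value.startswith("=")

def compare(old, new):
    """Cell-level differences between the cell maps of two versions."""
    changes = []
    for ref in sorted(old.keys() | new.keys()):
        before, after = old.get(ref), new.get(ref)
        if before == after:
            continue
        if ref not in old:
            kind = "added"
        elif ref not in new:
            kind = "removed"
        elif is_formula(before) and not is_formula(after):
            # A calculated cell now holds a typed-in number: worth a reviewer's eye.
            kind = "formula-replaced-by-constant"
        else:
            kind = "changed"
        changes.append((ref, kind, before, after))
    return changes

def audit_trail(versions):
    """Attribute every change between consecutive saves to the saving user."""
    trail = []
    for prev, cur in zip(versions, versions[1:]):
        for ref, kind, before, after in compare(prev["cells"], cur["cells"]):
            trail.append({"when": cur["saved"], "who": cur["user"], "cell": ref,
                          "kind": kind, "before": before, "after": after})
    return trail
```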

Analytics

Spreadsheet applications, like Excel, are proficient at alerting users to formatting mistakes, for example an incorrectly structured formula. This is typically where cell level analysis begins and ends. Automated spreadsheet control solutions proactively look for anomalies at the cell level to alert users and reviewers alike to potential errors or fraud. Using rules-based analysis, these solutions identify scenarios that violate best practice standards (e.g. a numeric value within a text-formatted cell that might affect summing, or a cell in which the text and background are both formatted to be the same colour, thus hiding a value that may be used in a formula or calculation elsewhere within the spreadsheet).
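The two rules named above, written as an added example (not code from the article or from any vendor product): it flags numbers held in text-formatted cells and values whose font colour equals the fill colour, and lists the formulas that read each flagged cell. The cell model (`cell`, `SHEET`), the rule names and the sample values are constructed for illustration, and only same-sheet A1-style references are resolved.

```python
import re

RANGE = re.compile(r"\b([A-Z]{1,3}\d+)(?::([A-Z]{1,3}\d+))?\b")
NUMERIC = re.compile(r"[-+]?\d[\d,]*(\.\d+)?")

def cell(value, fmt="General", font="000000", fill="FFFFFF"):
    # Hypothetical cell model: "@" is Excel's text number format; colours are RGB hex.
    return {"value": value, "fmt": fmt, "font": font, "fill": fill}

# Constructed sample sheet (not data from the article).
SHEET = {
    "A1": cell("Commission"),
    "B1": cell(1200),
    "B2": cell("350", fmt="@"),       # number stored as text, inside the SUM range
    "B3": cell(-900, font="FFFFFF"),  # white text on white fill, inside the SUM range
    "B4": cell("=SUM(B1:B3)"),
    "D1": cell(5, font="FFFFFF"),     # hidden too, but no formula reads it
}

def split(ref):
    letters, row = re.fullmatch(r"([A-Z]+)(\d+)", ref).groups()
    col = 0
    for ch in letters:
        col = col * 26 + ord(ch) - 64
    return col, int(row)

def reads(formula, ref):
    """True if the formula references ref directly or inside an A1:B2 range."""
    col, row = split(ref)
    for a, b in RANGE.findall(formula):
        (c1, r1), (c2, r2) = split(a), split(b or a)
        if c1 <= col <= c2 and r1 <= row <= r2:
            return True
    return False

def scan(sheet):
    """Return (cell, rule, formulas that read the cell) for every rule violation."""
    formulas = {r: c["value"].replace("$", "") for r, c in sheet.items()
                if isinstance(c["value"], str) and c["value"].startswith("=")}
    findings = []
    for ref, c in sorted(sheet.items()):
        v, rules = c["value"], []
        if c["fmt"] == "@" and isinstance(v, str) and NUMERIC.fullmatch(v.strip()):
            rules.append("numeric-as-text")
        if v not in (None, "") and c["font"].upper() == c["fill"].upper():
            rules.append("hidden-by-colour")
        readers = sorted(f for f, text in formulas.items() if reads(text, ref)) if rules else []
        findings += [(ref, rule, readers) for rule in rules]
    return findings
```

A finding with a non-empty reader list is the higher-priority case, since the flagged value feeds a calculation elsewhere in the sheet.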

Operational efficiency

All of the attributes discussed above provide a level of operational efficiency via time savings or cost savings that simply cannot be achieved without an automated spreadsheet control solution. As an example, the automated discovery process saves time by automating the otherwise manual process of identifying and logging the existence of every spreadsheet, as well as the effort required to evaluate each spreadsheet in terms of risk, so that the proper level of control can be implemented. The ability to compare different versions of the same spreadsheet represents potentially massive time savings as material spreadsheets are continuously updated by multiple parties, and the analytic capabilities provide direct bottom line impact by proactively identifying and thereby reducing the number of errors within a spreadsheet. An added benefit is that this capability also serves to identify and ideally discourage fraudulent behaviour.

Where to Begin?

When confronting spreadsheet-related risk, the place to begin depends on the immediate priority. Has the firm already spent the time and effort to catalogue the spreadsheets across the enterprise? If so, has the inherent level of risk in each been determined? What about access control? Storing material spreadsheets on protected drives is simply not good enough any more. Are valuable and talented employees spending too much time just trying to understand changes to spreadsheets to ensure that management reporting is correct, instead of adding value via analysis to that reporting?

Most spreadsheet control solutions can be positioned as end-to-end integrated solutions or in a modular, stand-alone fashion that allows a firm to take a stepped approach to solving its spreadsheet control needs. The right way forward will often be different for each organisation, with the best practice approach being an engagement with a solution provider to properly understand the most effective and efficient direction to take.

More stringent controls around spreadsheet use can also facilitate a shift in organisational structure by allowing the implementation of a shared service, outsourced or off-shored business model. Without tight controls on spreadsheets, which are often used to feed critical business intelligence and report platforms, these often more efficient business models are not realistically feasible.

Regardless of the approach, an enterprise-ready solution – one that can grow as your business grows and one ready to support multiple business lines across the organisation – is required to ensure that your organisation does not feature in a headline you’d rather not read.
