Spreadsheet Risk Management: A Best Practice Approach

Henry Umney |

We live in a world where everything is online, instantly available anywhere, at any time. Everything is streamlined and seamless.

Yet even with applications being easily available online, the Excel spreadsheet remains widely in use, despite being a 40-year-old technology.

There are numerous stories of businesses being caught out using spreadsheets without proper controls, whether it be forcing companies to restate their earnings after an announcement to the financial markets or by having a material impact on fighting the COVID pandemic.

Are You Overexposed? Spreadsheet Risk and Regulatory Compliance

An in-depth webinar on EUCs and Shadow IT

Nevertheless, people still use Excel to manage a range of business issues and processes. In fairness, people are not foolish; there are still many excellent reasons to use it.

It is a widely accepted data format, allowing people to exchange data quickly and easily. You do not require complex or scarce technical skills to enrich or utilize data in an Excel spreadsheet. It can integrate into a range of applications and is so powerful that users can create their own business applications – End User Computing (EUC) applications – where they need to solve problems faster than their IT department can help.

Excel’s value – and shortcomings – have not been lost on senior management, company stakeholders, and industry regulators. Expectations of how Excel spreadsheets need to be managed are rising quickly, with companies potentially being penalized if they do not observe industry best practice in managing their spreadsheets.

Industry best practice management of Excel spreadsheets has often been led by accountants, who are many times the Excel power-users in a business. They understand the business implications of poor-quality results created by flawed spreadsheets.

The ICAEW’s guidelines for spreadsheet usage

The UK’s Institute of Chartered Accountants for England and Wales (ICAEW) has long advocated the best practice use of spreadsheets for businesses of all sizes. It recently published a brief titled ‘How to Review a Spreadsheet‘ which details how users at all levels can better assess and manage their most critical business spreadsheets.

The ICAEW recommends multiple sub-reviews as part of a comprehensive overall file review. It poses a series of questions at each stage, including:

Initial Review:

  • What is the purpose of the spreadsheets?
  • What is the level of risk associated with the spreadsheet?
  • How competent is the author?
  • Has the spreadsheet been subject to previous reviews?
  • What is the lifecycle of the spreadsheet?
  • What controls have been used?

Structural Review:

  • Is the spreadsheet fit for purpose?
  • Is there documentation to support the spreadsheet?
  • Are there key sheets in the spreadsheet?
  • Does it utilize external sources?
  • Is there complexity involved?

Data Review:

  • Is the data valid?
  • Does the spreadsheet data need testing?
  • What is the impact of stressed data on the results? Is this reasonable?

Analytical Review:

  • Do the overall results look reasonable?
  • What trends does the data show?
  • What are the results of ratio analytics?
  • Are the results of parallel computation similar?

Detailed Review:

  • Have the formulas been tested?
  • Has the spreadsheet been independently reviewed?

The ICEAW’s review model also highlights the need for diagnostic tools to highlight errors and omissions in a spreadsheet so that they can be swiftly addressed.

How can technology mitigate spreadsheet risk?

Few users, auditors, board directors, or regulators would dispute these points.

The challenge for companies is how best to implement a spreadsheet risk management framework that supports these types of reviews. Given the way spreadsheets are used – typically without review and the management controls generally found in corporate IT applications – this is very challenging without the right tools sets in place.

Some of these points require a user to sanity check a spreadsheet they receive for the first time. Other issues require technology capabilities that assure a business-critical spreadsheets’ accuracy, quality, and integrity.

Technology capabilities allow users and managers to systematically check spreadsheets for issues like proper documentation, missing data, calculation errors, or flawed formulas. At organizations where spreadsheets are widely used in various applications, checking these spreadsheets at scale is essential if the best practice expected by managers and regulators is to be applied.

Technology capabilities allow users and managers to systematically check spreadsheets for issues like proper documentation, missing data, calculation errors, or flawed formulas.

How do you create this technology architecture?

The first step is creating a spreadsheet inventory. This provides a foundation for centralizing the management, review, and visibility of the critical spreadsheet estate used in the business. It also provides a repository for the documentation essential for defining and controlling the core spreadsheets used in a company.

The next phase – discovery – is where companies find the mission-critical spreadsheets they need to manage in the business.

The key here is to find the most significant spreadsheet used, defined by a range of parameters, including who uses a file, how often it is changed, what other applications and data sources it is linked to, and other relevant criteria. Clearly, user input can be included here too.

The last phase is the proactive monitoring of the critical spreadsheets so that issues related to missing data, flawed calculations and formulas or stale data can be captured and addressed.

This capability provides a solid technical foundation for managing spreadsheet risk and will complement the qualitative aspects of managing spreadsheets, as illustrated by the ICAEW best practice guidelines.

Mitratech offers a powerful and proven spreadsheet risk management solution that helps mitigate the risks and issues highlighted by the ICAEW. Learn more here.

Manage your Shadow IT spreadsheets

With ClusterSeven, take control of the End User Computing assets hidden across your enterprise that can create hidden risk.