
There is increasing acceptance that spreadsheets play an integral part in the financial services industry and are central to most companies’ financial processes. In many cases, they are inextricably embedded into a company’s core operations and financial reporting and are used to drive critical decision making. Often, they serve as vital connecting links between disparate enterprise systems.
The reasons for the tremendous popularity of spreadsheets are self-evident. Spreadsheets offer unparalleled flexibility and ease of use for quickly creating and modifying virtually any type of financial model, including trading, budgeting, planning, forecasting, actuarial, capital requirements, fund management, or financial risk management, to name just a few. Compared to the alternative of using large, "hard-wired" enterprise systems that are difficult to modify, the reason for the widespread use of spreadsheets becomes all the more obvious.
As the use and complexity of spreadsheets continue to grow, so too does awareness of the increasing business and compliance risks associated with them. For one, spreadsheets were intended to be an individual user tool and were not designed to support enterprise collaborative processes. They are often created by individual users with varying levels of expertise, and over time become embedded in the company's core financial processes. Hence, they do not undergo the rigorous and structured development process that an I.T. program of similar size and criticality might go through. Secondly, studies of spreadsheets have consistently shown that 30-40% of all spreadsheets contain errors. Thirdly, spreadsheets often contain broken links as they are increasingly intertwined with spreadsheets and databases of other users or departments and grow to become quasi-enterprise systems.
Consequently, horror stories about business losses and risks resulting from spreadsheet error or fraud continue to emerge with surprising regularity. These include financial losses, loss of stock value, loss of reputation and/or market share, vulnerability to fraud, and regulatory fines and penalties for non-compliance. The £3.6 bn loss at Société Générale, one of the world's leading banks, and a $691 million trading loss at Allied Irish Bank are just two examples of bank losses due to the use of uncontrolled spreadsheets. More examples can be viewed at www.spreadsheetcontrols.org under the category of "Spreadsheet Errors".
The need for a Spreadsheet Governance, Risk and Control (GRC) framework in financial services first started receiving serious attention after the passage of the Sarbanes-Oxley Act of 2002, and has continued to grow since then. Recent regulations such as Solvency II, Basel III, the Model Audit Rule and the overall regulatory climate continue to ratchet up the focus on spreadsheet controls. For example, the Solvency II regulation and its use of the Quantitative Impact Study 5 (QIS 5) spreadsheet bring spreadsheets front and center in ensuring that companies have an adequate Spreadsheet GRC framework in place to ensure data integrity. In June 2010, the Institute of Internal Auditors released a Global Technology Audit Guide for "Auditing User-developed Applications." The IIA describes the need for such a guide with: "Because management relies on UDAs (i.e. spreadsheets), which can be a significant part of financial reporting and operational processes, as well as related decision making; the internal auditor must determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate." Hence, spreadsheet controls are increasingly on the minds of senior management and audit management committees.
In CIMCON's experience, it is not uncommon for a large, global financial services firm to have well over a million spreadsheets. Hence, where does one begin to implement a spreadsheet control framework? Based on its years of experience, CIMCON has developed the following spreadsheet life cycle methodology and enabling technology to mitigate spreadsheet risk.
Step 1: Perform Spreadsheet Inventory and Risk Assessment. The first step to taking control of spreadsheets is to quantify the problem by creating a centralized inventory of the spreadsheet estate. CIMCON's XLRisk™ software can be scheduled to automatically scan network drives and create a central database. It further categorizes all spreadsheets as high, medium or low risk based on configurable risk criteria and weights.
Step 2: Spreadsheet Analysis and Error Detection. The next step is to perform a detailed analysis of these high risk spreadsheets and check for any errors. This would be analogous to a code review of a software program. CIMCON's XLAudit™ software provides highly visual diagnostic and documentation tools to quickly identify any errors, inconsistencies or broken links in the spreadsheet.
Step 3: Control Framework. Now that the high risk spreadsheets have been verified to be error-free, a controls framework can be implemented. CIMCON's SOX-XL software provides a highly flexible platform to implement such controls with minimal or no end-user impact. This includes cell level audit trails, security, versioning and file comparisons to speed spreadsheet reviews and approvals.
The above methodology and tools have been developed as a result of CIMCON Software's 12 years of experience and pioneering work in the area of spreadsheet controls and management. CIMCON is a recognized market leader with consistently top rankings from analysts, customers, consultants and industry experts.
Spreadsheet controls are fast becoming mainstream for all the reasons described above and the increasing realization that it's a small price to pay for the convenience, cost, ease of use and flexibility offered by spreadsheets. For more information on the state of spreadsheet management, please visit www.spreadsheetcontrols.org, a thought leadership portal maintained by CIMCON Software that contains the latest articles, analyst research, regulatory news, best practices, tools, and tips.
About
Sanjay Agrawal is a Director at CIMCON Software, Inc., a recognized market leader and top ranked firm in spreadsheet controls and management. Over 230 companies around the world use CIMCON's spreadsheet controls and compliance technology to reduce spreadsheet risks.