Spreadsheets play a greater role in the risk and compliance process than one may think, according to a recent study conducted by Forrester Consulting. Diane Robinette, CEO at Incisive Software, details the findings from the report.
The Forrester Opportunity Snapshot study reveals, despite easy manipulation and a lack of controls, nearly 50 percent of companies still rely on spreadsheets alone to do their auditing and controls — a process necessary for risk assessment and compliance management.
Almost one-third of respondents noted that their organizations use more than 10,000 spreadsheets on a regular basis. Thirty-five percent of finance and accounting departments report regular use of spreadsheets to fuel their decision-making; and nearly one in five governance, risk and compliance professionals depend on spreadsheet accuracy to inform their critical business decisions. While the majority of respondents report an elevated level of concern with the inherent spreadsheet risk, fewer than 20 percent were actively working to change their risk exposure. For boards, management teams and compliance officers that rely on spreadsheet data for reporting and key business decisions — with the assumption that the data is accurate and compliant — these results are distressing.
A Powerful Yet Precarious Tool
Excel spreadsheets stand the test of time because they are flexible and convenient. It’s a comprehensive software tool that does not depend on IT to make changes to systems, nor require workarounds or compromises. Spreadsheets are frequently used for analyzing, modeling and providing evidentiary support for key business decisions. For complex calculations where data is continuously changing and those that require the use of cell functions, Excel is often the go-to tool to get the job done.
Despite being flexible and convenient, spreadsheet-enabled processes are manually driven and, therefore, prone to errors, both accidental and intentional. The more complicated the spreadsheet, the more difficult it is to manage.
Hidden within each spreadsheet is inherent risk — risk that formulas are not repopulating correctly, risk that co-workers are using different versions of a saved spreadsheet, and risk that information is hidden behind formatting. With Excel there is no easy way locate risk or validate spreadsheet data. Meanwhile, it’s an onerous task at best to attempt to document processes along the way and prove that controls are being met for review internally as well as by examiners. For highly regulated industries such as banking and insurance and public companies, this can quickly turn into a compliance nightmare when an organization is unable to validate their spreadsheets with a high level of accuracy/completeness or explain to regulators how they were built.
Mitigating Spreadsheet Risk
Sarbanes-Oxley (SOX), Basel II and a number of other laws have cast a spotlight on spreadsheets, placing them under the increasing scrutiny of regulators. Companies cannot continue to turn a blind eye to spreadsheet risk. Banning the use of Excel is not a realistic answer. Nor is relying on manual processes. Yet, as the Forrester study reveals, most don’t know where to begin when it comes to mitigating spreadsheet risk.
Gaining control over spreadsheets isn’t as difficult as it may seem. In fact, advances in technology make it significantly easier for companies. Putting policies in place and supporting these policies with automated spreadsheet risk management technology will put companies on a compliant path. To get started, consider the following:
Know Your Risks
Because it’s impossible to manage every spreadsheet with any level of scrutiny, identify those that present the most risk to the company. An obvious place to start is spreadsheets used for external reporting. These high-risk spreadsheets should be given a heavier focus and reviewed more frequently than those with lower risk profiles. To speed the process, employ technology that locates all feeder spreadsheets, regardless of where they reside on a network, and risk-ranks them. Next, a policy should be put in place, supported by technology, to ensure a consistent model risk review.
Visibility Is Key
The ability to monitor and track workflow information over a period of time provides valuable insight into whether policy compliance is being achieved. At the same time, it’s significantly easier to identify potential risk. Spreadsheet risk management technology addresses this need by providing visibility into who and how many people are working on spreadsheets, when something changes, who made those changes and what changed. By documenting this information within the system, companies easily demonstrate policy and procedure compliance and that they have the right checks and balances in place.
Automation capabilities within spreadsheet risk management technology that test for accuracy in both formulas and calculated values are proving to be a game changer for significantly minimizing traditionally time-consuming, error-prone manual processes. Consider, for example, a single Excel worksheet which can have over one million rows and more than 16,000 columns; workbooks are exponentially larger. Relying on manual methods to test for accuracy in both formulas and calculations is not realistic. Some systems offer interactive capabilities that allow users to easily drill down into cells to see why formulas are not calculating correctly or working as expected. Identifying a lack of audit controls, accessing authority and other critical oversight mechanisms lets users know where changes need to be made to repair gaps. The result is consistent risk management oversight across all spreadsheets. Advanced troubleshooting solutions make the processes of monitoring and managing spreadsheets significantly easier as well.
Excel is complex enough by itself. Spreadsheet risk management technology should not add to user frustration. This technology should fit seamlessly into existing work streams and allow employees to continue to work the way they have always worked inside Excel. Technology exists that operates behind the scenes to significantly and reliably reduce material errors and possible fraud — and save hours associated with detailed spreadsheet review. Look for a system that can quickly pull together standard and configurable reports for audit and compliance reporting requirements.
Spreadsheet risk management solutions fill a very real void by providing insight into potential risk and errors that may be hiding in spreadsheets. Taking a modern and automated approach to spreadsheet risk moves companies toward a risk-resilient posture. In doing so, risk teams have the power to anticipate and reduce exposure, no matter what is thrown their way. And boards, management teams and compliance officers can be confident that the spreadsheet data used for reporting and key business decisions is accurate and compliant.