Spreadsheet Risk to Financial Reporting
July 14, 2016
By Stephen Kerr, MBA, CISA
This is the first in a series of blogs outlining spreadsheet risk and the steps that can be taken to minimize potential damage. Check back soon for more content.
It is well-established that alarmingly many, if not most, spreadsheets contain errors (Panko and Halverson 1996; Panko 2000, 2008). It is probable that most spreadsheet errors are not significant – otherwise they should normally be detected. It is also possible that most spreadsheets are not critical to the financial reporting process. However, occasionally a spreadsheet containing an undetected error will be used to support a financial report and, sometimes, the result will be an embarrassing error that doesn’t get noticed before it’s too late. The European Spreadsheet Risks Interest Group (”EuSpRIG”) maintains an enlightening catalog of such spreadsheet ‘horror stories’ on its website.
So, it seems, there is always at least a small probability that a spreadsheet error will spoil the day. When a spreadsheet error significantly impacts financial reporting, the board of directors, audit committee, risk committee, and C-suite will want to know what is being done to prevent a recurrence. Your organization may decide to get ahead of spreadsheet risk by being proactive, or it may wait until the need for reaction arises. Either way, the approach to take will be similar even if the urgency will not be.
- Discover and Inventory Spreadsheets
The first step is to find and catalog your existing spreadsheets (at least the ones that play any part in your financial reporting process). Tools can perform much of the work of discovering the spreadsheets stored on your corporate network and extracting basic facts (metadata) about them.
- Risk Rank Spreadsheets
Determining each spreadsheet’s risk of material misstatement will permit you to know which are ‘key’ to financial reporting, so you can invest appropriately in spreadsheet controls. This is done by calculating the product of the likelihood that an error will occur (based on factors such as the spreadsheet’s size and complexity) and the impact of such an error (based on the materiality of the amounts calculated by the spreadsheet). If the tool used for the discovery and inventory step was capable of extracting sufficient metadata, risk ranking can largely be automated.
- Validate Key Spreadsheets
Once you have determined which of your existing spreadsheets are key to financial reporting, it is important to determine whether they contain errors. Again, tools are available that will automatically report formula errors, inconsistencies, and poor design practices embedded within your key spreadsheets. Such aids can greatly enhance the productivity of a qualified spreadsheet auditor.
- Train Builders of Key Spreadsheets
Probably more than any other innovation, spreadsheets have democratized information technology. However, there is a very large gap between the skills of the apprentice and those of the master. Even masters may stand to learn a thing or two about implementing spreadsheet controls or best practices for building robust spreadsheets tolerant of change.
- Control Key Spreadsheets
Good spreadsheet controls begin with a written spreadsheet policy. A written spreadsheet design standard often supplements the policy. These documents define the controls over key spreadsheets:
- Access Controls
- Version/Logic Controls
- Input/Output Controls
- Security/Integrity Controls
- Change Controls
If a key spreadsheet can be replaced by a report from the financial management system, it is usually a good idea to do so. However, many spreadsheets exist because they fill functional gaps within or between systems. These may need to be remediated to meet new standards brought about by a spreadsheet control regime.