Are spreadsheets putting businesses at risk?

What links a billion-dollar reporting mistake by a global oil company, an accounting error by outsourcing specialist Mouchel, and an arithmetical error overstating the strength of the UK construction industry by the Office of National Statistics? The answer is spreadsheet risk, and control errors with data management.

Spreadsheets are used everywhere, by companies of all sizes and across all sectors. As with anyone working in a complex data environment, users can be dealing with a mass of different information across multiple platforms, applications and tools.

In particular, users within banks, insurance companies, financial services and actuarial firms rely heavily on spreadsheets, but don’t always have the time to complete regular checks to ensure spreadsheet accuracy. Transparency, control and validation of critical business data are an increasingly serious concern for these sectors, and they are facing up to the fact that they need to tackle the data risk issue as a matter of urgency.

Spreadsheet errors can include budgeting errors, financial statement errors, pricing errors, fraud and bad decision-making as a result of poor information. These errors can lead to significant financial and reputational losses. Tackling data risk issues quickly becomes a challenge which lies outside the knowledge of IT departments as the data that poses a risk is held and generated in spreadsheets or Access databases.

These are increasingly called end user computing applications (EUCs), or user-developed applications (UDAs). As technology continues to develop rapidly, users’ demands increase and their expectations become high. These demands pose a challenge for IT departments, and when IT departments cannot meet users’ expectations, users are more likely to explore other options.

After a spate of high-profile instances of data mismanagement leading to regulatory fines for lack of effective risk management and control of end user spreadsheet activity, it is not surprising that most major financial institutions now have programs to address these risks, with a significant number having implemented global control solutions.

The issue was recently highlighted in the FSA’s Solvency II Internal Model Approval Process, which noted that spreadsheets in many organisations are not controlled by IT but by other business or control areas, and thus do not form part of their corporate governance processes.

While it is encouraging to see the FSA and major institutions treating spreadsheet risk as a serious issue, there are still vast numbers of organisations leaving themselves open to the danger of financial and reputational risk by not establishing an ownership policy.

The purposes of spreadsheets are extensive, from performing complex modelling for trading decisions to accounting reconciliations and financial reporting. A typical corporate network would reveal thousands to millions of spreadsheets in use. The most pressing question that needs answering is: who manages these spreadsheets and ensures that the results they produce are valid?

On their own, user-developed applications such as spreadsheets and Access databases have demonstrated the flexibility to support many processes over recent decades. However, it is becoming clear that without careful monitoring and management they may lack the robustness to meet the demands of increasing compliance with regulation such as Solvency II in Europe.

So rather than attempt to eliminate spreadsheets from the business, companies need to accept that spreadsheets need to be used – but that in order to satisfy the regulators, they need to know when and where spreadsheets are being used.

The first step is therefore to understand what they have, where it is and how it is connected to their business applications. Using the right tools, they can automatically scan their networks to intelligently locate key spreadsheets and Access databases. This builds a complete dependence tree that demonstrates the relationships between files with multiple connections.

Companies are typically surprised not just by how many spreadsheets they are using across the business but also how they are connected – firms can discover many hundreds, sometimes thousands of individual spreadsheets feeding into hubs that support core business processes.
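As an added illustration of the discovery step described above (this is not ClusterSeven's tooling or code from the article), the sketch below walks a file share, inventories spreadsheet and Access files, and reads the external-link relationship parts that modern Excel workbooks store inside their zip container to find which workbooks are fed by others. The sample share is constructed, and identifying files by name alone rather than by full path is a simplifying assumption.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
LINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath"
EUC_EXT = (".xlsx", ".xlsm", ".xls", ".mdb", ".accdb")

def external_links(path):
    """File names of the external workbooks an OOXML workbook reads from."""
    found = set()
    try:
        with zipfile.ZipFile(path) as z:
            for part in z.namelist():
                if part.startswith("xl/externalLinks/_rels/") and part.endswith(".rels"):
                    # For files from untrusted shares, parse with defusedxml instead.
                    for rel in ET.fromstring(z.read(part)).iter("{%s}Relationship" % PKG):
                        if rel.get("Type") == LINK:
                            target = rel.get("Target", "").replace("\\", "/")
                            found.add(target.rsplit("/", 1)[-1])  # assumption: name only
    except zipfile.BadZipFile:
        pass  # legacy .xls and Access files are inventoried but not parsed here
    return found

def scan(root):
    """Inventory EUC files under root and map each workbook to its sources."""
    inventory, sources = [], {}
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EUC_EXT):
                inventory.append(name)
                links = external_links(os.path.join(folder, name))
                if links:
                    sources[name] = links
    return sorted(inventory), sources

def hubs(sources, min_sources=2):
    """Workbooks fed by at least min_sources other files."""
    return sorted(n for n, s in sources.items() if len(s) >= min_sources)

def make_workbook(path, links):
    """Write a constructed, minimal workbook holding only external-link parts."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        for i, target in enumerate(links, 1):
            z.writestr(f"xl/externalLinks/_rels/externalLink{i}.xml.rels",
                       f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" Type="{LINK}" '
                       f'Target="{target}" TargetMode="External"/></Relationships>')

def demo():
    """Constructed sample share: two feeder workbooks, one hub, one Access file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        make_workbook(os.path.join(root, "finance", "sales.xlsx"), [])
        make_workbook(os.path.join(root, "finance", "costs.xlsx"), [])
        make_workbook(os.path.join(root, "report.xlsx"), ["finance/sales.xlsx", "finance/costs.xlsx"])
        open(os.path.join(root, "ledger.accdb"), "wb").close()
        inventory, sources = scan(root)
        return inventory, sources, hubs(sources)
```

Calling `demo()` returns the inventory, the workbook-to-sources map and the list of hubs for the constructed share; pointing `scan()` at a real share gives the same three views of live files.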

By allocating direct responsibility and establishing a unified risk management process, organisations can start to mitigate the threats they face. In some companies spreadsheet risk is not even on the agenda; it is only when a serious financial mistake occurs that this subject is given priority.

Despite a desire to replace spreadsheets with robust, centrally managed applications, spreadsheets are here to stay and provide a wide range of business-critical applications. They are by far the most common end user developed tools. However, it is crucial that there are adequate controls in place to mitigate potential risks.

Businesses must take a lead on the introduction of new measures, such as providing automated solutions that give clear visibility of business-critical spreadsheet activity and replace slow, unreliable manual checks. In combination with end-user training, this will ensure that spreadsheets are used reliably and efficiently where they are necessary.

Just as importantly it will ensure that the IT road map for improving systems is clearly focused on the most important business requirements – as everyone can now see what is really happening in their world of unstructured financial data.

Ralph Baxter is CEO of ClusterSeven. Ralph is responsible for corporate vision and projecting best practice in end user computing (EUC) within the business and advisor community. He is an energy and utilities specialist and pioneered ClusterSeven’s thought leadership in this technology sector. He brings an insider’s view of governance and compliance issues as a former committee member of ISSIG, the information security section of the Institute of Internal Auditors (IIA). Ralph’s career has spanned 20 years in the energy sector, beginning with BP in the Far East. He was part of the founding team at Kirkland (now Dragon Oil). More recently, Ralph ran the external IT business and eCommerce of Lattice Group (formerly part of BG Group and British Gas). He holds a First Class degree in Natural Sciences from Churchill College, Cambridge University.