In my previous Industry Insight I discussed establishing a spreadsheet review group. I concluded by saying that the group is critical to mitigating the risks within the organisation and providing the required skills to business to be able to comprehensively review the spreadsheet that are important to them.
In the fourth instalment of this Industry Insight series, I examine the method of preparing an inventory of spreadsheet risks once the high-level analysis has been completed and the spreadsheet review group is established. The aim of spreadsheet risk management is to improve the quality of the spreadsheets used and thereby reduce the risks.
It is important to remember that attempting to document every spreadsheet in an organisation may be impractical.
Adrian Miric, MD, Miricle Solutions
In the high-level analysis outlined in part two, I established that businesses should have established where higher risk spreadsheets reside. In this stage of preparing an inventory of risks, users will become more specific about where these potentially risky spreadsheets are to be found. It is important to remember that attempting to document every spreadsheet in an organisation may be impractical. If it makes the auditors happy and is feasible, then it can be tackled but it is important to remember that above all else the task must be approached in a practical way. Departments containing spreadsheets clearly defined as important to the organisation should be documented.
A recent PricewaterhouseCoopers report maintains that the following should be considered when evaluating the risks associated with these spreadsheets:
- Complexity of the spreadsheet and calculations;
- Purpose and use of the spreadsheet;
- Number of spreadsheet users;
- Type of potential input, logic and interface errors;
- Size of the spreadsheet;
- Degree of understanding and documentation of the spreadsheet requirements by the developer;
- Uses of the spreadsheet`s output;
- Frequency and extent of changes and modifications to the spreadsheet; and
- Development and testing of the spreadsheet before it is used.
The spreadsheet review group should begin with these points.
Other departments may contain many spreadsheets and see the creation of many new ones. In this case it is more important to reach the spreadsheet developers than it is to control the individual spreadsheets. This is due to the overriding majority of spreadsheet errors being human-generated, a fact supported by research. By helping people to build better spreadsheets and by providing them with the right tools to find a greater percentage of errors faster, the organisation faces far less risk.
In the final Industry Insight, I will address what can be done to reduce the risks of both the identifiable spreadsheets and the key spreadsheet developers.
Share