Almost a quarter of organisations suffer losses attributed to a lack of spreadsheet controls
Organisations are putting themselves at considerable financial and reputational risk by failing to properly control the way they use spreadsheets, according to a new study from Protiviti and ICAEW. The global business consulting and internal audit firm surveyed accountants and finance professionals at an ICAEW event; three quarters (75%) said their company did not have a policy or processes in place relating to the design, development and/or control of spreadsheets.
Of those accountants surveyed, almost a quarter (23%) claim their organisation has experienced financial or reputational losses that can be directly attributed to the use of spreadsheets or poor controls governing the use of spreadsheets. More than a third (37%) of those surveyed believe their organisation has adequate risk management processes in place to mitigate spreadsheet risk and 73% said their firm was not doing enough to prevent future errors from occurring.
Ewen Ferguson, Director, Protiviti said, “It’s clear that the risks associated with the use of spreadsheets are not taken seriously enough by the vast majority of UK organisations. While a well-built spreadsheet can be a hugely powerful business tool, its flexibility also presents organisations with a significant set of risks with potentially disastrous consequences.
“Over the last three years we have seen a significant increase in the number of clients asking for help to understand and mitigate spreadsheet risk within their organisations. This is due, in part, to regulators and auditors showing far greater interest in the way spreadsheets are developed, used and controlled. Organisations themselves are also becoming increasingly aware of the risk due to their internal risk management processes.”
At the ICAEW event Protiviti highlighted some commonly quoted examples in which spreadsheet errors have had financial and regulatory implications for the companies involved:
• C&C – shares in C&C fell 15% after data was incorrectly transferred from an accounting system to a spreadsheet used to produce the trading statement. (Source: EuSpRIG)
• Credit Suisse – the FSA fined Credit Suisse £5.6 million stating that ‘The booking structure relied upon by the UK operations of Credit Suisse for the CDO trading business was complex and overly reliant on large spreadsheets with multiple entries’. (Source: EuSpRIG)
• Fidelity – A missing minus sign caused Magellan Fund to overstate earnings by $2.6 billion and miss a promised dividend. (Source: CIO World)
• TransAlta – A cut and paste error cost TransAlta $24 million when it underbid an electricity supply contract. (Source: The Register)
Ewen Ferguson continues, “Some end-users feel confident enough to develop highly complex spreadsheets, often involving complicated macros, but when spreadsheets are then used or inherited by a user who doesn’t have the same level of skill or understand the risk, the results can be catastrophic and have a significant financial impact.”
Richard Anning, Head of the IT Faculty, ICAEW said, “The event was a great way to launch the ICAEW Excel Community. The findings of the survey underline the need for greater awareness and training in this area – one of the main aims of the new community.”
Protiviti is warning that organisations are putting themselves at unnecessary risk through inadequate training and internal controls. Even in a group of experienced users of spreadsheets, the majority of users had never received any training on spreadsheet design or development. Indeed, the majority (63%) of accountants surveyed said that spreadsheet risk did not fall under the jurisdiction of any particular department or function, while 15% said that it was the responsibility of the finance department.
Protiviti has a proven framework which helps identify potentially critical spreadsheets, assess the risks involved, review the controls in place and, if found lacking, implement an appropriate control framework.