Part 4- How to prepare spreadsheet risk inventory
In the previous column we discussed establishing a spreadsheet review group. We concluded by saying that the group is critical to mitigating the risks within the organisation and providing the required skills to business to be able to comprehensively review the spreadsheet that are important to them.
In this, the fourth installment of the column, we examine the method of preparing a spreadsheet risk inventory once you have completed your high level analysis and the spreadsheet review group is established.
The aim of spreadsheet risk management is to improve the quality of the spreadsheets used and thereby reduce the risks. In the high-level analysis outlined in part two we established that businesses should have established where higher risk spreadsheets reside. In this stage of preparing an inventory of spreadsheet risks, users will become more specific about where these potentially risky spreadsheets are to be found. It is important to remember that attempting to document every spreadsheet in an organisation may be impractical.
If it makes the auditors happy and is feasible then it can be tackled but it is important to remember that above all else the task must be approached in a practical way. Departments containing spreadsheets clearly defined as important to the organisation should be documented.
A recent PricewaterhouseCoopers report maintains that the following should be considered when evaluating the risks associated with these spreadsheets:
- Complexity of the spreadsheet and calculations;
- Purpose and use of the spreadsheet;
- Number of spreadsheet users;
- Type of potential input, logic and interface errors;
- Size of the spreadsheet;
- Degree of understanding and documentation of the spreadsheet requirements by the developer;
- Uses of the spreadsheet’s output;
- Frequency and extent of changes and modifications to the spreadsheet; and
- Development and testing of the spreadsheet before it is used.
The spreadsheet review group should begin with these points.
Other departments may contain many spreadsheets and see the creation of many new ones. In this case it is more important to reach the spreadsheet developers than it is to control the individual spreadsheets. This is due to the overriding majority of spreadsheet errors being human-generated, a fact supported by research. By helping people to build better spreadsheets and by providing them with the right tools to find a greater percentage of errors faster, the organisation faces far less risk.
In the final article we will address what can be done to reduce the risks of both the identifiable spreadsheets and the key spreadsheet developers.