Archive for January, 2010

The Spreadsheet Risk Continuum

Published January 14, 2010 Best Practices , Breaking News , Press Articles Leave a Comment
Tags: , , , , , , , , ,

After more than 5 years of helping some of the world’s most successful global organizations reduce their risk and exposure due to uncontrolled spreadsheets, Access databases and other end-user computing (EUC) applications, it has become very clear that reducing the risk is as much about technology as it is about cultural change. Almost every company today is dealing with issues surrounding spreadsheet and EUC risk, all with varying levels of maturity. The way I see it, reducing the risk efficiently requires a few key ingredients for success, including: adopting a formal policy on End-user Computing, defining internal controls for critical spreadsheets and EUCs, incorporating best practices, and implementing new Spreadsheet Control technology. As these ingredients are put in place, the organization’s risk level eventually decreases along the Spreadsheet Risk Continuum.

Policies & Controls
In a previous post, I discussed the merits and basics of adopting a formal EUC policy. I have also discussed the latest auditor guidance on spreadsheet controls from the famous white paper published in 2004 by PwC. There about 10 key controls to consider, including: access control, version control, change control, backup and archival, input control, documentation, segregation of duties, logic inspection/analytics, development lifecycle and data integrity.

Best Practices
There are many best practices, but I will mention a few here. The first requires following a formal process when implementing Spreadsheet Control. At Prodiance, we have developed a methodology we call the Spreadsheet Management Lifecycle, which involves inventory, risk assessment, control, remediation and reporting. In addition, it is important to have users properly trained on how to efficiently develop spreadsheets. This can result in models that have have less margin for error because they are developed properly and are well documented.

Technology
The final stage in the Spreadsheet Risk Continuum involves implementing a technology solution to help make the earlier stages sustainable. Without technology, the tasks and controls  in the earlier stages become one-off projects, requiring end users to do extra work to follow policies. This manual approach often breaks down over time. So my point in all of this is the following:

To efficiently mitigate spreadsheet and EUC risk within an organization, there is a Spreadsheet Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and adoption of new technology.

What are your thoughts on this assertion?

Spreadsheet Fraud Linked to Madoff Case

Published January 8, 2010 Cases of Fraud & Errors Leave a Comment
Tags: , , , ,

Although this story surfaced in September of 2009 in the Financial Times, I thought it was noteworthy enough to list here under Cases of Fraud & Errors linked to the uncontrolled use of spreadsheets. In many cases, personal motivation, lack of adequate controls, and the autonomy granted to users to make unauthorized (or fraudulent) changes to key spreadsheets has led to cases of errors and fraud. The Madoff case is no different, but in this scenario it was perhaps the source of data (and not the actual spreadsheet) that was fraudulent.

The story summaries the inner workings of the Madoff operation and how spreadsheets were updated through queries into an old AS/400 main frame system which tracked false trades, each resulting in a 1 cent profit. Using a simple spreadsheet, his client’s accounts were all magically updated -  unbelievable!

Read the Full Story.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 22 other followers

Follow Prodiance on Twitter

Prodiance on Twitter

Follow

Get every new post delivered to your Inbox.