Professional Documents
Culture Documents
As used in this document, Deloitte means Deloitte LLP and its subsidiaries.
Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
2
Spreadsheet Management
Not what you figured
Given the ubiquity of electronic spreadsheets in the
workplace, you may not realize that 2008 is only the
30th anniversary of the launch of VisiCalc, the precursor
to all modern electronic spreadsheet applications. And
Excel, Microsofts spreadsheet program, has been widely
available for only 20 years. Prior to 1978, electronic
spreadsheet programs ran on mainframe behemoths
beyond the reach of any user except giant manufacturers,
banks, and investment firms.
Today, however, spreadsheet applications underlie
countless business functions, from calculating accounting
estimates, tracking workflow processes, to key financial
reporting. At the executive level, spreadsheets can offer
an instant, concise corporate snapshot that often drives
critical decisions with major implications to the big picture.
Excel and other spreadsheet programs reside on over 90%
of computer desktops globally. While that represents an
impressive accomplishment for software developers, it
should jangle the nerves of executives. Why? Because every
user who accesses a spreadsheet represents a potential risk
to the integrity of the data it contains.
Spreadsheets are applications, just as every other electronic
tool in the business arsenal, and as such, their underlying
structure and code are largely unknown to all except the
most sophisticated user. With spreadsheets, all users are
simultaneously owner, developer, programmer, tester,
and user. Programmers are trained in structural analysis
and programming methods most spreadsheet users
are not. Most applications have application level-security
spreadsheets frequently do not. With no intrinsic audit
trail, spreadsheets can change every time they are opened.
And spreadsheet applications can contain internal errors
http://www.informationweek.com/story/showArticle.jhtml?articleID=196901868&cid=RSSfeed_IWK_Security
Overview
The primary advantages of spreadsheets namely
their ostensible simplicity and the ability to share and
freely modify the files also pose the greatest risks.
Spreadsheets are standalone files and therefore practically
devoid of system-wide controls. Almost any employee can
create, access, manipulate, and distribute spreadsheet
data. As a result, almost any employee can make a critical
error while manually entering data or configuring formulas.
There is, however, a Risk Intelligent approach to the
management of spreadsheets that can substantially
mitigate systemic and application flaws, both human and
electronic. Installation of effective, auditable controls
surrounding critical spreadsheets and their use can have
a direct impact on financial reporting and compliance. A
carefully structured approach to managing spreadsheets
can help protect critical spreadsheets. Implementing
a controlled environment can be achieved, albeit with
challenges, which can be more clearly identified in
addressing the following questions:
2,908
41.9 %
29.3 %
11.3 %
17.5 %
Identify critical
spreadsheet
population
Inventory
spread
sheets
Risk rank
based on
complexity &
magnitude
Perform
baseline
Evaluate/
develop
policies &
procedures
Implement/
evaluate
controls
www.eusprig.org/2006/spreadsheets-in-clinical-medicine-warning.pdf
2,804
70.1%
23.3%
0.3%
6.3%
Complexity
Risk Rank
Magnitude
Rudimentary
Light
Intermediate
Advanced
Critical
Low
Medium
High
High
Material
Low
Medium
Medium
High
Immaterial
Low
Low
Low
Low
Figure: Example of how to assign risk levels based on complexity and magnitude attributes.
Goal
Disposition
Control
Integrity
Detective
Integrity
Detective
Integrity
Preventive or
Detective
Availability
Preventive
Availability
Preventive
Integrity
Preventive
Integrity
Preventive
Controls to protect
spreadsheet baselines
Which of the following best describes the
spreadsheet management method for your
company?
Votes received:
2,679
25.8%
12.3%
30.2%
19.6%
12.1%
10
2,797
33.9%
42.7%
14.6%
19.7%
8.8%
11
Law or regulation
Issuing authority
Primarily applies to
Basel II
International
California SB 1386
State of California
U.K.
DoD 5015.2
U.S.
Government contractors
U.S.
Securities Firms
U.S.
Financial institution s
HIPAA
U.S.
U.S.
U.K.
Patriot Act
U.S.
Sarbanes-Oxley
U.S.
Public companies
Conclusion
Spreadsheet Management Solutions are straightforward,
but they are not easy.
Implementation of SMS can be a critical process in risk
management controls for compliance and security.
However, they also command substantial resources and
management engagement to be successful. An important
first step is to identify when and how SMS tools should be
installed. Some criteria include:
as a component of Sarbanes-Oxley readiness or testing
projects
at any critical step in operations that rely upon
spreadsheets
during any large systems implementation, replacement,
or restructuring
for controls around the storage and maintenance of
data subject to regulatory requirement (e.g., HIPAA)
in the context of privacy reviews involving personally
identifiable information stored in spreadsheets
when using financial data management software (e.g.,
Hyperion)
as a part of any business process review involving
spreadsheets.
12
Contacts
Eric Hespenheide
Partner
Global Leader, Internal Audit Services
Deloitte & Touche LLP
+1 313 396 3163
ehespenheide@deloitte.com
John Peirson
US Managing Partner
Internal Audit Transformation
Deloitte & Touche LLP
+1 612 397 4714
jpeirson@deloitte.com
Michael Juergens
Principal
Deloitte & Touche LLP
+1 213 688 5338
michaelj@deloitte.com
Thomas Donohue
Senior Manager
Deloitte & Touche LLP
+1 714 436 7735
tdonohue@deloitte.com
Sarah Adams
Director
National IT Internal Audit Leader
Deloitte & Touche LLP
+1 212 436 3308
saradams@deloitte.com
13
www.deloitte.com
Copyright 2009 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu