Information anywhere means productivity everywhere, they say. But have you spent enough time considering spreadsheet risk management? Not really, it seems: A Protiviti survey claims just one in ten accountants think their firm has processes in place to "manage spreadsheet risk".
"Hang on," I hear you cry: "Just what is 'spreadsheet risk', anyway?" At its simplest, you could define this as incorrect data entry, which may have a substantial impact on the perceived health or regulatory compliance of your company. Poor spreadsheet usage training, data entry mishaps, and lack of accountability -- ownership of data entry -- contribute.
Protiviti's Director of IT Consulting, Scott Bolderson, says: "Our research with clients has shown that 94% of an organization's spreadsheets will contain errors. Not all of these errors will result in financial loss but organizations won't know without investigating which errors could cause serious issues. Regulators are starting to apply more pressure on organizations to address the issue, recognizing the level of dependence many organizations place on calculations in spreadsheets." [See also this story on a Proviti financial skills survey, and this one on IT risks.]
Think how deeply your processes rely on data held inside those spreadsheets, and how much reliance you place upon their accuracy when assessing the health, or otherwise, of your firm. Then ponder why just 35% of the 100 ICAEW Chartered Accountants surveyed claim to have received any formal spreadsheet training.
The problem for larger firms could be about ownership; 74% of those surveyed say no department or function is tasked with looking out for such risks. And CFOs may take note that 10% of accountants think the buck stops with the finance department.
It's easy to make a spreadsheet error: a slight change in the formula or value in any inhabited cells can easily affect the data you get. Simple little errors can generate major problems. Denizon tells us such errors could include:
- Accidental copy-paste,
- Omission of a negative sign,
- Erroneous range selection,
- Incorrect data input or
- Unintentional deletion of a character,cell, range, column, or row
Companies need to conduct regular data reviews to uncover how much data is being created, how critical that data is, how accurately recorded it is being and what controls can be put in place for data checking, storage, retrieval and in some cases, destruction.
Someone needs to take charge.
In the interest of full disclosure, note that Protiviti offers solutions to address this. So given the data emanates from that firm it's clear it hopes some CFOs will choose its solutions to resolve the challenge it thinks it's seeing. But are these problems real?
Perhaps they are: Most recently, Britain's second largest drugmaker, AstraZeneca, had to reiterate its 2011 and mid-term financial forecasts after inadvertently releasing confidential company information to analysts. "Confidential company information was inadvertently embedded in a spreadsheet template sent to the sell-side analyst community that follows the company," the company said.
That's not the only horror story: Organizers of the London Olympics accidentally overbooked four swimming events (to the tune of 10,000 people) as a result of spreadsheet error. There are many more tales like this at EUSPRIG, a good repository for similar cases, and good advice on how to protect yourself from such errors.