Spreadsheet Control Group

www.spreadsheetcontrolgroup.com

CONTACT: Jack Avon, (+44) 75 9299 8452, [email protected]

A DIVISION OF: Isys Systems (RW) Ltd


Spreadsheet Control Group is a division of Isys Systems (RW) Ltd, a UK based firm operating worldwide since 1999.

While Isys Systems is primarily about the design and development of reporting and modelling through database and spreadsheets, Spreadsheet Control Group is more about the consumption of those spreadsheets and maintenance of the physical and content within.

We provide the answer of who should ultimately hold responsibility for mission critical spreadsheets in your organisation.

Why even consider spreadsheet controls? Of 250 companies employing 1000+ staff, 75% were not able to identify where and how spreadsheet responsibility was governed in their organisations. More concerning, however, was their clear lack of understanding as to why responsibility was required when it came to spreadsheets. In fact, of that polled group, 10% believed spreadsheets were the responsibility of Finance, while 5% expected IT to be responsible. There were some 3% who felt it was Internal Audit, with 8% citing Risk Management.

For the answer you need to understand who manages your data. Spreadsheets are closely related to data management, and that's where we at Spreadsheet Control Group begin our journey into driving your control process for spreadsheets.

Executive Summary

Where does the responsibility for managing spreadsheets lie in organisations? Our experience at Spreadsheet Control Group suggests management tends to be somewhere between IT, Finance and Risk Management.


Contents

• Executive Summary
• About Us
• Spreadsheet Control Group
• End User Computing Environment
• Fraud
• Engagement Timeline
• Case study A
• Case study B
• Risk


About Us

Our consultants have worked globally for over 20 years building spreadsheet models and performing model reviews for organisations across several industry sectors.

Spreadsheets, SAP, Databases, Microsoft Dynamics, Oracle, SQL Server

Isys Systems (RW) Ltd was formed by Spreadsheet Control Group founder Jack Avon in 1999 with the aim of establishing standard best practice spreadsheet processes and enabling customers to have confidence in their spreadsheet outputs.

In 2002, Isys Systems worked with O2, Nokia and NTL Broadcast to develop the payment mechanism that would enable pay-per-view tariffs for customers to watch online video and television. That pay mechanism has been adopted across the globe on platforms like Netflix, Amazon Prime Video and BBC iPlayer.

Isys Systems worked with AOL during 2002 to 2004 to develop an automated minute-by-minute billing system for internet data services, which was later adopted in the industry for monitoring and charging customers for internet usage.

Isys Systems has continued to work with clients like National Grid, Huawei, Fujitsu Services, VISA, British American Tobacco and several others to develop best practice spreadsheets for use in tenders and Mergers and Acquisitions.

In 2008 Isys Systems created an operational spreadsheet model for Lloyds Bank that was used to evaluate the risk associated with acquiring Northern Rock Bank prior to the banking financial crisis.

More recently Isys Systems has worked with retail businesses such as Marks and Spencer, John Lewis Partnership and Tesco PLC to develop spreadsheet mechanisms for data analysis and pricing.

Our services are split into 5 sections:

1. Spreadsheet Analysis

2. Spreadsheet Risk

3. Spreadsheet Controls

4. Additional

5. Training

Within these service brackets are several activities and tasks we perform. In this manner we are able to offer each customer the ability to make their own delivery by selecting the activities they require. A detailed list of these is provided in our price list upon request.


Basic spreadsheets do not have data controls embedded into them, nor the logic that can provide assurance to even begin to assess or mitigate risks.

EUROPE 67%

ASIA 75%

MIDDLE EAST 69%

To produce workable spreadsheet controls requires not only knowledge of the organisation and its data, but also awareness of data logic and how humans interact with data.

Organisations use some form of data repository such as Enterprise Resource Planning or Data Warehouse to collect and organise information.

Unfortunately, current repository systems are complex and in most cases are proprietary. This requires specialist skills in order to manipulate and tailor them to the organisation's business model. This complexity has ushered in the use of spreadsheets as the method of developing analysis and reporting of data because of their relative ease of use.

Although there are millions of mission critical spreadsheets, 80% have little or no logic for data controls from which to impose any risk mitigating solutions.

Spreadsheets are the most widely used method for financial reporting in application history

The example above relates to total companies that use spreadsheets in the regions


Spreadsheet Control Group

For all engagements we begin by giving the client an understanding of the four aspects of their spreadsheet environment (A-D) and the internal effects (1-4) on each aspect.

Erroneous Data

Are you able to spot erroneous data before it is output, and quickly identify where it has come from?

Risk

How mature is the understanding of spreadsheet risk in your organisation? Does staff retention affect spreadsheet knowledge?

Poor Productivity

Are your spreadsheets developed consistently and documented to help the review and approval?

IT Replacement

Limited user justification for replacing spreadsheets with other IT applications.

A) Traceability

Are mission critical spreadsheets transparent and able to provide a means of tracing how data is used?

B) Change Controls

How does your organisation deal with changes and movements in mission critical spreadsheets?

C) Security & Integrity

How are the day-to-day spreadsheet security issues managed and by whom? Are there comprehensive security policies for spreadsheets?

D) File Retention

Are there any policies of accepted procedures for retention of spreadsheet files?


Spreadsheets, represented by MS Excel (Excel), are ubiquitous across all organisations. They are also known as:

• End User Computing (EUC) Tools

• User Development Applications (UDA)

Excel is arguably the most brilliant software tool currently developed in software history. However, even with its worldwide adoption, Excel is one of the most underrated and misused applications. Excel is not just a spreadsheet but actually a fully fledged Rapid Development Tool (RAD), and even an advanced user will only ever utilise less than 10% of its potential.

Because of its flexibility and relatively low cost it has an enormous user base. However, RAD users rarely follow a proper software development life-cycle, and Excel is almost always used outside the control of IT functions. This means there is every possibility of misuse due to lack of proper control.

Microsoft Excel is the spreadsheet application of choice bar no other.

Microsoft Excel is the most widely used business application in software history.


End user computing environment

32% of all corporate data is in uncontrolled End User Computing (EUC), of which Excel is one such application.

EUC consists of not only spreadsheets but also desktop based databases and desktop business intelligence tools (BI).

The requirement for management reporting is for fast, clear and easy development. As a result EUC is used at an unprecedented level every day.

EUC is almost always user defined and therefore not consistent across an organisation, and it inherently lacks:

• Change controls.

• Version controls.

• Data security.

• Integrity

With these issues EUC will almost always carry high data risks and instill low confidence from end users.

EUC is more about the human programming nuances that come with their own issues.

Research into human interaction with spreadsheets has continually shown that it is human nature to make mistakes at some time, whatever the skill level. We all have an “Error Floor”, which is the point reached when errors will be made, and for most of us that is at 5.4%, meaning 1 in every 19 repetitive tasks will result in an error.

Anyone for spreadsheet testing?

A symptomatic problem for spreadsheets is they are rarely if ever tested. Does anyone know what spreadsheet testing is? (We do). It is inconceivable that critical software could be deployed without testing, but why don’t corporations institute spreadsheet testing processes as a matter of doing business?


Having worked with several varieties of spreadsheets, examples of issues include:

• Failure to comply with regulatory rules causing breakdown in national infrastructure deals.

• Miscalculated pension payments causing errors in pension pots.

• Misaligned salary calculations that have raised gender and race equality investigations with Labour Tribunals.

• Using implicit rather than explicit assumptions in spreadsheets causing a FTSE200 organisation to file for insolvency.

• Hard coded figures with no traceability causing a major national state pension gap of several hundreds of millions of pounds.

• Spreadsheet mis-pricing by a major UK retailer causing the underselling of millions of store items and affecting their bottom line.

PREVENTATIVE SPREADSHEET POLICY

Do you need to prevent issues from spreadsheets before they materialise?

REACTIVE SPREADSHEET POLICY

Do you want to know when an issue in spreadsheets arises so you can react?


Fraud

Could the addition of spreadsheet controls have given signals of the widening fraud of Bernie Madoff?

[Chart: errors per user with no controls versus errors per user with controls; values shown: 90% and 10%]

WHERE THERE IS A CHANCE, SOMEONE WILL TAKE IT

Bernie Madoff's Ponzi scheme relied on fictitious trades based on historical blue chip account data.

To put it simply, Bernie Madoff carried with him an IBM AS400 computer which he used to trade using commission gains. Madoff used the AS400 to work backwards on old historical stocks (so no real trade happened) until he had made his commission gain. Madoff would then use a spreadsheet to divide those trades with the gains amongst his clients automatically, leaving an untraceable trail of how those gains were attained and with which historical stocks. Madoff would then get his staff to make out false confirmation statements of the trades to the clients, without the staff even realising they were complicit in the fraud.


How would Spreadsheet Control Group interact with Bernie Madoff?

We would need to understand the trades that entered into his spreadsheet by validating the data source (AS400) with another well known source of data. This would then provide a means of recording Traceability into his spreadsheet, which would present the first issue point in the controls.

The next stage would be to establish the frequency and size of movements in the spreadsheet against the source data, the authority to enact those changes, and when (Change Control). Again this would be a point of control issue, because any changes would need to be traced to the actual data and also to an individual to secure a pass for control.

This would be followed by an examination of the security and integrity of the Excel files, by adding user logging and self auditing capabilities into the spreadsheet. This would create an audit trail and add further file monitoring and locking capability (Security and Integrity).

Lastly we would discover whether there were any additional spreadsheets stored and how they were used in shaping the final spreadsheet. Crucially, were these spreadsheets used to inform external parties, and were they compliant with any regulatory laws (Retention)? We would almost certainly see a fail on this retention control.

What are the most common spreadsheet services required by organisations to-date?

• Spreadsheet Risks

• Spreadsheet Controls

• Spreadsheet Patching & Rebuild

At Spreadsheet Control Group, when looking at risks we take into account key signals of spreadsheet risks. Below are some (but by no means all) key indicators of spreadsheet risks:

• Judicious use of hidden Rows and Columns.

• Broken links to external sources.

• Use of invisible cells (white on white).

• Dates which are out of sync from data sources.

• Use of blank Rows and Columns to format worksheets with data.

• Inconsistent naming conventions, carrying duplicated names.

• Formula plugs and runaway references.

FANNIE MAE: $1.3BN SPREADSHEET ERROR MISREPORTED SHAREHOLDER EQUITY

KODAK: $9M WAS PAID TO AN EMPLOYEE SEVERANCE DUE TO FAULTY SPREADSHEET CALC


Engagement Timeline

We understand ‘mission critical’, and as such we use agile processes to implement controls. Our typical timeline on a service is as follows:

Weeks 1 to 3

1. Due Diligence

Critical evaluation of the spreadsheet environment and the organisation's culture towards spreadsheets is pursued.

2. Mission Critical

The attributes of Mission Critical are applied to isolate all the spreadsheets that are candidates for controls.

3. Analysis

This is the boring stuff that we do in back-office to completely analyse each Mission Critical worksheet.


Weeks 4 to 6

4. Go/No Go Reviews

We only commence with implementation once the customer has agreed the scope and the level of controls and spreadsheets. This is a formal implementation request.

5. Implementation

Spreadsheets are implemented with controls dashboards, version controls and risk assessments, on a priority basis and rolled out for testing.

6. Backup/Monitoring

A suitable plan for covering backups and monitoring spreadsheet change controls is agreed with the customer.


Case Study A

During an engagement with a large UK utility company, Spreadsheet Control Group enabled the company to make a number of discoveries:


Software License lapse

There were over 1000 software licence agreements, of which just over half were inactive, stored on an SQL Server. The SQL server was subsequently decommissioned and all agreements (including inactive) were transferred to a spreadsheet and used for payments.

Microsoft & Oracle

The software agreements with both Microsoft and Oracle for some 15,000 users contained massive duplications, which meant payments were being made for duplicated users.

Span of Control

The spreadsheet that contained all the licence agreements was also used for annual agreement renewals, and also for calculation of sales bonuses. The change control on the spreadsheet was in the hands of one individual.


Case Study B

A national infrastructure department was using a payment model created many years ago by someone who had left the organisation, and they were faced with a knowledge gap.

The very first action we took was to quarantine the spreadsheet and restrict any further use, pending a deep review. There are always major risks with using spreadsheets where there is a knowledge problem, as it is likely they have not been used as intended.

Following the review we documented the spreadsheet and implemented a risk measure into the model to check for spreadsheet creep. Following the risk analysis the client was faced with a serious issue, as there was a shortfall of millions of pounds in the pension funding.


Risk

There are various challenges when faced with a risk assessment of spreadsheets. Amongst these are:

• The experience and knowledge of the analyser and also understanding of spreadsheet nuances.

• There are no real quantifiable methodologies for spreadsheet risk assessments available in the public domain yet.

• A major part of any spreadsheet risk assessment will be subjective and thus is dependent on the experience of the assessor.

• Any spreadsheet analysis is largely manually intensive. The ability to examine thousands of cells and build overall risk assessments requires specific skills.

Are spreadsheets worth quantifying for risk?

Not all spreadsheets are mission critical, so not all of them impact the bottom line.

Spreadsheet risk assessment is always based on:

• Spreadsheet Complexity

• Spreadsheet Materiality

• Spreadsheet Application


With any risk assessment we must allow clients to choose whether they require preventative measures or reactive measures.

Preventative measures include:

Continuous monitoring of spreadsheet changes, institution of flags and alerts, policy change monitoring.

Reactive measures include:

Restriction of access to spreadsheet sectors, user logging details collection, spreadsheet lock-downs.

Internal Controls

External controls


Spreadsheet Complexity

• Number of formulas

• Formula complexity

• Spreadsheet complexity

• Number of worksheets

• Types of external links

Spreadsheet Materiality

• Contains sensitive or personal data

• Highest output for 12 months

Spreadsheet Application

• Sheets upload into IT Systems

• File is the source of data for other spreadsheets

• Supports statutory disclosures

RISK ANALYSIS

The criteria of analysis for risk are spreadsheet Complexity, Materiality and Application
