Organisations are still putting themselves at considerable financial and reputational risk by failing to properly control the way they use spreadsheets, according to new research undertaken by Protiviti. The global consulting firm polled* 100 ICAEW Chartered Accountants in December 2011.
Of those accountants surveyed, the majority (89%) said their organisations are not doing enough to prevent spreadsheet risk from occurring, admitting that there are no relevant policies and processes in place to manage this risk. This contrasts sharply with results from the same research undertaken in June 2011, which found that a much smaller 73% claimed that their organisations were not doing enough to combat spreadsheet risk.
The overriding challenge is which department should be responsible for spreadsheet risk. Three quarters (74%) of those surveyed said no department or function was tasked with addressing spreadsheet risk, while 10% believed it was the finance department’s responsibility. Other departments thought to be responsible were risk management (8%), IT (5%) and internal audit (3%).
Scott Bolderson, Director of IT Consulting, Protiviti said, “This is the second time in 12 months that Protiviti has carried out this survey with the ICAEW IT Faculty and at first glance the results are disappointing. However the high number of chartered accountants who said their organisations are not doing enough to prevent spreadsheet risk occurring could also show that awareness of this issue is increasing and people are now starting to understand the size and scale of the problem. They have therefore assessed their current practices inadequate. The overriding issue remains that no one owns the problem so it will continue to get worse as the amount of data organisations have to manage increases.
Scott Bolderson continues, “Our research with clients has shown that 94% of an organisation’s spreadsheets will contain errors. Not all of these errors will result in financial loss but organisations won’t know without investigating which errors could cause serious issues. Regulators are starting to apply more pressure on organisations to address the issue, recognising the level of dependence many organisations place on calculations in spreadsheets.”
Protiviti warns that organisations are still putting themselves at unnecessary risk through inadequate training and control. Only a third (35%) of those accountants surveyed in December had received any formal spreadsheet design or development training.
Ryan Rubin, Director of IT Security & Privacy, adds, “The spreadsheet problem highlights a critical issue but is actually the tip of the iceberg in regards to data governance and all the other data (structured or unstructured) that organisations have to manage. Data includes emails, documents, images, web pages, audio and video and databases as well as spreadsheets and by 2020 IDC estimates that the world will have generated 35.2 zetabytes of data. Organisations need to assign data owners and empower them to carry out regular data governance reviews to find out how much data their departments are creating and using, how critical this data is, and what suitable controls should be put in place to govern this data, so that they can decide how best to manage it, what they need to store securely and what they could destroy because it’s unnecessary.”
Richard Anning, Head of IT Faculty at ICAEW, stated, “The results from this second survey mirror the earlier findings. It is an area of concern that many attendees did not think their organisations were doing enough to prevent future spreadsheet errors from occurring but we are encouraged by the response from members to our new Excel Community and a willingness to engage on the issues.”
|