Blog: Risk

Posted: 28 Mar. 2023  5 min. read

Spreadsheet Controls
Are your spreadsheets exposing your organisation to unmitigated risks?

Martin Davitt, Charles Lamb

Every organisation has many checks and controls: these can range from manual checks all the way up to automated system controls. A significant number of controls will involve spreadsheets which are being used to support critical business decisions and processes. There have been stories in the media of incidents or near-misses where a problem with a spreadsheet has threatened to cause a material issue for an organisation - and these stories only cover the problems which are actually detected and become public. Given these incidents, robust controls over spreadsheets are an important consideration for organisations of all sizes.

There are clear benefits to using spreadsheets, but challenges come in keeping on top of the risk that each individual spreadsheet poses. The challenges then multiply if new spreadsheets are being created constantly within the organisation. If the risks associated with individual spreadsheets are not well understood, then an organisation cannot understand, and therefore cannot effectively mitigate, the aggregate risk they are faced with.

What are the Risks?


Fundamentally, the principal risk is the risk of an error in a spreadsheet’s output. This risk can arise from many different sources, however, all of which need to be considered to address it properly:

Does the spreadsheet have a clearly defined purpose? Without a clear purpose, a spreadsheet’s design may not be fit for purpose, its inputs may be inappropriate and its outputs may be used in situations where it is not appropriate to do so.

How was the spreadsheet built? Does the organisation have a dedicated and experienced modelling resource that maintains good practice and templates, or was it built when needed by someone in finance who picked up their spreadsheet skills over time starting from a blank spreadsheet?

How was the spreadsheet tested? If the spreadsheet has not been robustly tested, then there could be errors present that were not noticed during development.

Beyond the immediate risk of the accuracy of a spreadsheet’s output, there are operational risks that organisations need to consider, especially regarding spreadsheets intended for long-term recurring use:

Who is accountable for the spreadsheet’s output? Without a clear line of accountability, there is a risk that if an issue is identified with a spreadsheet, it could be hard to track or follow up the issue to ensure that the spreadsheet has been updated to remedy the issue.

Is knowledge of the spreadsheets concentrated? Often spreadsheets will contain complexities and intricacies that are only understood by their developers or regular operators (including complex macros). If these individuals depart, or are otherwise unavailable, there could be a risk of a knowledge gap leading to inappropriate operation of the spreadsheet by a replacement.

Are assumptions appropriate? All spreadsheets make use of assumptions in deriving their outputs, and the appropriateness of assumptions may change over time. It is important that the assumptions used are appropriate for the question being asked and are congruent with other assumptions included in the spreadsheet. Unless all of these are well understood by the user, even small changes can result in outputs which drive inappropriate decision making.

What Controls address the Risks?
The foundation for ensuring the use of spreadsheets does not expose an organisation to unmitigated risk is codifying an appropriate Spreadsheet Risk Management Framework. The framework defines what a spreadsheet is, how spreadsheets are to be assessed for risk, and the processes and controls that set out how the risk management strategy works day to day in the organisation. Every organisation’s framework will be different, reflecting its particular ways of working and the challenges of its sector, but in general a framework and its supporting processes will cover:

Organisation and Governance – Governance plays an essential role in spreadsheet risk management, and therefore approval from an appropriate governance body (typically the Board Risk Committee), with senior stakeholders receiving periodic reports regarding compliance, is recommended. In addition, functional spreadsheet risk roles that report directly to senior stakeholders (e.g. CRO) who are responsible for the framework and the governance should be established. Governance includes ensuring development of a spreadsheet validation capability / function responsible for the independent validation of business critical spreadsheets.

Spreadsheet Risk Quantification – guiding thinking about the quantitative techniques for spreadsheet risk assessment and mitigation regarding data: the sensitivity to errors or absence of variables, the sensitivity of outputs and impact of erroneous use.

Spreadsheet Lifecycle Management – maintaining a comprehensive inventory covering all existing in-use spreadsheets from all areas of the business; classifying spreadsheets based on the level of risk, materiality and complexity, and defining proportionate controls around the development, documentation, testing, maintenance, and ongoing assurance of a spreadsheet.

Assurance
Even the best laid control frameworks are worth very little without continual assurance to validate that the controls are operating effectively. The scope of this assurance, and the frequency with which it is performed, is specific to each organisation as they will have different frameworks in place managing spreadsheet risk and different external pressures (e.g. regulatory reporting requirements). Broadly, spreadsheet control assurance activity comprises:

Spreadsheet Discovery – investigative exercises to determine if there are spreadsheets in use within the organisation that have not been captured in the control infrastructure. For example, conversations can be held with key process owners (e.g. in finance) to understand what spreadsheets are in use routinely by them, with any spreadsheets described then cross-checked against the organisation’s spreadsheet inventory to verify that they are recorded. Alternatively, automated tools can be deployed to scan areas of the organisation’s IT infrastructure identifying files based on set criteria that might be considered reportable spreadsheets, and then reviewed to consider whether they should be/have been recorded in the inventory.

Spreadsheet Assessment – initial and periodic update reviews of spreadsheets on a rolling basis, selected from the organisation’s spreadsheet inventory. These assessments would include reviewing the spreadsheet’s records in the inventory (e.g. identity of the owner, whether all required documentation is present, and whether a sufficient extent of testing has been performed). It may also extend to a review of the spreadsheet itself using spreadsheet logic analysis tools to verify that required templates and good practice have been used to build and maintain the spreadsheet, and that the spreadsheet conforms to its intended specifications.

If you are experiencing challenges or have concerns with spreadsheet risk within your organisation and want to have a discussion with one of our experts, please get in touch.
