Posts Tagged 'end-user computing risks'

White Paper: Automating Spreadsheet Controls for Solvency II Model Compliance

Spreadsheets, Access databases and other user-developed applications (UDAs) are front and center to Solvency II model development, providing flexibility and ample opportunities to optimize capital requirements. Absent the proper governance framework, these UDAs can be subject to a variety of unacceptable risks, including calculation errors due to faulty programming logic, non-compliance with the intent of the directive, and even fraudulent activity. This white paper examines the newly published governance mandates for Solvency II models, and offers a proven technology solution and best practices to help insurers and reinsurers in the European Union improve compliance while mitigating risk and driving significant process improvement.

Target Audience
CFOs, controllers, CIOs, COOs, CEOs, Chief Actuaries, VP IT Security & Risk, Certified Fraud Examiners, auditors, risk and compliance executives, spreadsheet developers, Solvency II project teams.

>>Download White Paper


Enterprise Spreadsheets & the “Titanic Effect” – Do We Have a Problem?

In a recent webinar, I presented some data from the internet about the cost of spreadsheet errors, and proposed that based on the articles published to date, the problem is at least $11.5 Billion. That is, of the articles published on the internet to date about errors, non-compliance, and fraud due to uncontrolled and unmonitored spreadsheets, the issue has collectively cost companies at least this much. To quantify this amount (in approximate figures), you could compare it to the following:

>> National US debt: $12 Trillion

>> Cost of U.S. healthcare bill: $1.1 Trillion

>> Cost of spreadsheet errors: $11.5 Billion

>> Cost of NASA space shuttle Endeavor: $1.7 Billion

Enterprise Spreadsheets – The $11.5 Billion Problem
OK, so it turns out that spreadsheet errors are an order of magnitude off from the real big issues threatening our economy today, but at $11.5+ Billion, the cost of these errors due to risks associated with mission critical spreadsheets is significant, and must be dealt with at a corporate level. Yet, most companies are not really addressing the issue to the extent they should. I call this the “Titanic Effect.”

When it comes to Spreadsheet and end-user computing (EUC) risk, most companies “don’t know what they don’t know.” They can’t see the risk or the scope of the problem until it’s too late. Yet, spreadsheets are used everywhere within their business – monthly and quarterly close, account reconciliations, actuarial processes, underwriting, tracking and executing trades, tracking inventory and cost, tracking revenue and pipeline, executive compensation, 401k contributions, journal entries, and the list goes on. Just like the Titanic – a supposedly “unsinkable” ship which hit an iceberg and suffered a catastrophic failure – most businesses are cruising along smoothly until they notice there is a problem (e.g. a material error, a fraud case, audit deficiencies, material weakness, etc.). By the time the problem occurs it’s too late. Spreadsheet and end-user computing risk is the same way – many organizations have not evaluated or assessed the risk, so they don’t even know if their mission critical spreadsheets being used to close the books on a monthly, quarterly or annual basis even have errors in them. To check my math, you can visit the EuSpRIG web site and Cases of Fraud & Errors on this blog, and simply add up the costs.

Understanding the Risks & Exposure to Your Organization
So what you need is an assessment to uncover the problem – just like going to the doctor for an X-Ray, CAT Scan or an MRI. Ask yourself these simple questions:

  • When was the last time an auditor checked your key financial and operational spreadsheets for errors?
  • What processes and tools do you have in place to make these routine checkups happen within your business?

If you’re like most companies, you might not have good answers to these questions. So, then it’s time for a check-up. To get started, you can peruse this blog for articles on auditor guidance and best practices, or check out the leading technology solution to address spreadsheet and EUC risk, the Prodiance Enterprise Risk Manager (ERM) System.

Take the Poll
Good luck, and be sure to take the poll below to let us know what your view is!

Prodiance and ThinkIT Join Forces to Deliver ERM Solutions through Lean First! Methodology

ThinkITPleasanton, Calif. and Norwalk, Conn.Prodiance Corporation, a leading provider of Governance, Risk and Compliance (GRC) software solutions, and ThinkIT, a leading IT strategy and consulting company that applies its Lean First! methodology to streamlining and automating business processes, today announced a formal partnership and comprehensive Enterprise Risk Management solution to automate internal controls for mission critical spreadsheets, Access databases, and other end-user computing (EUC) applications. The joint solution combines best of breed technology from Prodiance with professional services and domain expertise in LeanFirst! delivery methodology from ThinkIT to help firms improve internal controls while driving process efficiency.

“As an integration of Lean and SixSigma and other quality improvement programs, LeanFirst! is a methodology for aligning business and IT objectives, leveraging process improvement and reducing complexity and risk through simple metrics based outcomes,” said David Lee, Partner at ThinkIT. “We are very eager to combine Prodiance, the best of breed technology for spreadsheet control, with our unique experience in LeanFirst! to deliver faster results for clients.”

“The combination of ThinkIT’s leadership in process re-engineering and Prodiance’s experience in Enterprise Risk Management solutions made this the perfect partnership,” said Dr. Soheil Saadat, president and CEO at Prodiance. “By partnering with ThinkIT, we’re empowering customers to embed critical risk management controls into everyday business processes through best practices and technology automation.”

About Prodiance
Prodiance delivers Governance, Risk and Compliance (GRC) software solutions to help mitigate risk, increase transparency, and automate internal controls over End User Computing applications such as spreadsheets, databases and BI reports which comprise a significant portion of mission critical data within organizations. Prodiance leverages over 20 years experience in delivering innovative technology solutions for highly regulated markets. Leading global organizations in more than 15 countries across 5 continents representing a wide variety of industries – banking, insurance, capital markets, energy, telecommunications, manufacturing, media and entertainment, food and beverage, health care, pharmaceutical, and education – have chosen Prodiance as trusted partner to achieve their strategic goals. Prodiance Corporation is an independent, privately held company based in Pleasanton, California with offices in London, Chicago, Philadelphia, New York, The Netherlands, and Shanghai. Additional news and information about Prodiance solutions, products and services is available at or by calling +1.925.460.9191.

Prodiance PR Contact:
Eric Perry
Vice President, Marketing
Tel: +1-925-460-9191

About ThinkIT
ThinkIT is a global consulting company that specializes in the delivery of business solutions through innovative use of technology and process “lean-engineering.” Our philosophy is “Lean first then Digitize!” Whether your goals are to improve productivity, reduce costs, drive top line growth, increase customer loyalty, and/or instill strong controllership best practices, the ThinkIT team will deliver results backed by verifiable metrics and aligned to the goals of your business. For more information, please visit

ThinkIT PR Contact:
David Lee
Tel: +1-203-569-4142

OMB Circular A-123 and Spreadsheet Controls

I recently came across OMB Circular A-123 and thought it was worth a discussion regarding the intersection of this government regulatory mandate and the topic of Spreadsheet Controls. So, here is a quick run down of what you need to know for government entities. Keep in mind this summary is focused on spreadsheet use in financial reporting and close the books activities within government agencies.

First, the Office of Budget and Management (OMB) Circular A-123 is the federal government’s version of SOX. Like SOX 404, it requires that management that management establish effective internal controls over the financial reporting (ICFR) process. Further, it requires that such controls and the assessment process should be documented. As with SOX, material weaknesses (e.g. material misstatements due to spreadsheet errors) can result in non-compliance, and the OMB can request audit opinion if needed to enforce corrective actions. It also recommends a risk assessment to identify areas at risk (e.g. uncontrolled spreadsheets used in financial reporting). In addition, Circular A-123 recommends continuous monitoring and testing to improve the control environment. As specified, “appropriate internal control should be integrated into each system…” which implies an automated approach is preferred over manual controls. With automation, effective controls can be embedded into the business process so that they become part of doing business as usual.

Control activities recommended in Circular A-123 include: policies, segregation of duties, access control, documentation, accurate information processing (e.g. data integrity), input/output control, safeguarding of records (e.g. critical spreadsheets and EUCs), monitoring of controls (e.g. reporting & dashboards). These are all standard control requirements which are consistent with SOX guidelines. That said, spreadsheets controls are not specifically called out, but as with SOX, the NAIC Model Audit Rule, Solvency II, Basel II, and OCC guidelines and similar regulatory mandates, we do know that external auditors are scrutinizing the spreadsheet environment, especially when they see a heavy reliance on uncontrolled spreadsheets.

So, my recommendation on OMB Circular A-123 is to follow Big 4 auditor guidance on Spreadsheet Controls. As a government entity, to be prepared for an audit, you need to be able to answer a few questions with certainty and appropriate documentation:

  • Have you created an inventory of spreadsheets, Access databases and other end-user computing applications?
  • If so, have you performed a risk assessment to determine which ones are considered high risk (e.g. those that directly impact financial, regulatory and management reporting)?
  • For the high risk spreadsheets, what controls are currently in place?

If you can pass this test, then you have taken a proactive approach to mitigating the risks associated with uncontrolled spreadsheets. For more details on controls recommended by Big 4 auditors, I recommend reading my previous post on Spreadsheets and SOX 404 Compliance which references guidance from PwC.

Also, you can access the complete OMB Circular A-123 here.

UK’s FSA Fines BlueBay £140,000 for Spreadsheet Cut/Paste Fraud

new fraud case just surfaced in the Financial Times involving spreadsheets. This time, a fund manager at BlueBay Asset Management named Simon Treacher “carefully cut out and pasted different figures on to seven original broker quotes”.  The quotes (i.e. spreadsheets) were then provided to administrators who were valuing the assets in the UK-based fund he managed.

The result: an artificial boost in valuation of the fund by $27 million. Nice, unless your an investor. When BlueBay discovered the mis-markings, they closed down the fund, which lost 80% of its value as a result. Then came the fines and damage to company reputation and image.

Bottom line: all firms are at risk when uncontrolled and unmonitored spreadsheets, Access databases and other EUCs are used in critical processes such as reporting on book values. If you combine the autonomy of users who can make changes to spreadsheets, personal motivation, and the current economic environment, then you have the perfect storm for spreadsheet fraud. The best way to mitigate the risk of spreadsheet fraud is to develop a culture of awareness and a new controls to mitigate it.

Last month I wrote about The Spreadsheet Risk Continuum in which spreadsheet and EUC risk can efficiently be mitigated through by adopting a formal policy on EUC control, defining internal controls for EUCs, leveraging best practices, and deploying new technology. It’s worth a read for any organization evaluating their EUC risk.

For more details on the BlueBay fraud case, you can access the full story at

The Spreadsheet Risk Continuum

After more than 5 years of helping some of the world’s most successful global organizations reduce their risk and exposure due to uncontrolled spreadsheets, Access databases and other end-user computing (EUC) applications, it has become very clear that reducing the risk is as much about technology as it is about cultural change. Almost every company today is dealing with issues surrounding spreadsheet and EUC risk, all with varying levels of maturity. The way I see it, reducing the risk efficiently requires a few key ingredients for success, including: adopting a formal policy on End-user Computing, defining internal controls for critical spreadsheets and EUCs, incorporating best practices, and implementing new Spreadsheet Control technology. As these ingredients are put in place, the organization’s risk level eventually decreases along the Spreadsheet Risk Continuum.

Policies & Controls
In a previous post, I discussed the merits and basics of adopting a formal EUC policy. I have also discussed the latest auditor guidance on spreadsheet controls from the famous white paper published in 2004 by PwC. There about 10 key controls to consider, including: access control, version control, change control, backup and archival, input control, documentation, segregation of duties, logic inspection/analytics, development lifecycle and data integrity.

Best Practices
There are many best practices, but I will mention a few here. The first requires following a formal process when implementing Spreadsheet Control. At Prodiance, we have developed a methodology we call the Spreadsheet Management Lifecycle, which involves inventory, risk assessment, control, remediation and reporting. In addition, it is important to have users properly trained on how to efficiently develop spreadsheets. This can result in models that have have less margin for error because they are developed properly and are well documented.

The final stage in the Spreadsheet Risk Continuum involves implementing a technology solution to help make the earlier stages sustainable. Without technology, the tasks and controls  in the earlier stages become one-off projects, requiring end users to do extra work to follow policies. This manual approach often breaks down over time. So my point in all of this is the following:

To efficiently mitigate spreadsheet and EUC risk within an organization, there is a Spreadsheet Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and adoption of new technology.

What are your thoughts on this assertion?

Spreadsheet Fraud Linked to Madoff Case

Although this story surfaced in September of 2009 in the Financial Times, I thought it was noteworthy enough to list here under Cases of Fraud & Errors linked to the uncontrolled use of spreadsheets. In many cases, personal motivation, lack of adequate controls, and the autonomy granted to users to make unauthorized (or fraudulent) changes to key spreadsheets has led to cases of errors and fraud. The Madoff case is no different, but in this scenario it was perhaps the source of data (and not the actual spreadsheet) that was fraudulent.

The story summaries the inner workings of the Madoff operation and how spreadsheets were updated through queries into an old AS/400 main frame system which tracked false trades, each resulting in a 1 cent profit. Using a simple spreadsheet, his client’s accounts were all magically updated –  unbelievable!

Read the Full Story.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 22 other followers

Follow Prodiance on Twitter

RSS Microsoft GRC Blog

  • An error has occurred; the feed is probably down. Try again later.

Prodiance on Twitter