Spreadsheets and Email: Factors in Operational Risk

I was reading PwCs 2004 whitepaper on “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act” where they state”Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies.”

Not much has changed in that respect in the last 5 years. In the paper they go on to describe that one of the standard uses of spreadsheets in business is operational- which is “spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as a listing of open claims, unpaid invoices and other information that previously would have been retained in manual, paper file folders. These may be used to monitor and control that financial transactions are captured accurately and completely.”. They categorize these spreadsheets as low complexity, which is true, but the risk caused by these operational spreadsheets can be very high. Not only can the operational spreadsheet itself contain an error or omission – but the lack of linkage between the process described by the spreadsheet and actual process invoked can cause a process failure that can be very difficult to uncover and fix.

The linkage between operational spreadsheets and email is pervasive in business, especially in audit processes. I guess that since the focus of the whitepaper was spreadsheets it isn’t surprising that they didn’t mention the actual operational aspects of the tracking and montoring – which is done mostly through email. So the actual operational risk is not only in the spreadsheet, but also in the human processes (i.e. email) generated by the operational information in the spreadsheet. The other risk factors of spreadsheet use defined in the whitepaper. i.e. Analytical/Management Information and Financial, have received attention both from startup vendors and the academic community (e.g. the european spreadsheets risk interest group), but operational side of spreadsheet risk and its link to process risk – seem to be completely ignored.

Except by ActionBase of course 😉


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: