What is a critical spreadsheet?
How do you define what is a critical spreadsheet in your organization? Critical SOX spreadsheets are commonly defined as any spreadsheet used in financial close reporting that may result in a material misstatement. While most organizations use that definition to meet what is, in truth, a somewhat self-regulated requirement for SOX Compliance, the definition overlooks important risk factors.
To address spreadsheet risk effectively in your organization, you may want to broaden your definition of critical spreadsheets. Here are some additional categories:
Significant financial impact: Any spreadsheet with more than [Insert Amount] dollars’ worth of impact to the company is defined as critical. One company we work with has defined this as more than $10 Million. Along with spreadsheets used in financial close reporting, this is a common way to define critical spreadsheets.
Significant future financial impact: Any spreadsheet used in forecasting, planning or to calculate future financial impact to the organization, for instance, calculating impairment costs, or net present value.
Non-critical spreadsheets that provide data to critical spreadsheets: One of Incisive’s customers ran Xcellerator’s test for External References and found a 10-year-old feeder spreadsheet named “Ronald” that no one had ever heard of but that was still feeding data to a critical spreadsheet. That risk was quickly addressed, to say the least.
Customer and employee data: Spreadsheets that include customer, patient or employee data like social security numbers or credit card information should be considered critical. Most data breaches originate with employees or partners – with malicious intent or by accident. Keeping spreadsheet controls around customer lists and contact data is just good information security practice.
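The “Ronald” case above comes down to one check: list every external workbook a critical spreadsheet pulls from and compare it with the approved inventory. The script below is an added illustration of that check, not Incisive’s or Xcellerator’s code; it relies on the .xlsx package storing linked-workbook paths in the externalLink relationship parts, and the sample workbook and file paths are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship Type for a linked workbook ends with this suffix in OOXML.
EXTERNAL_LINK_PATH = "externalLinkPath"
LINK_RELS = re.compile(r"xl/externalLinks/_rels/externalLink\d+\.xml\.rels")


def external_workbook_targets(xlsx_bytes: bytes) -> list[str]:
    """Return every external workbook path an .xlsx file references."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not LINK_RELS.fullmatch(name):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type", "").endswith(EXTERNAL_LINK_PATH):
                    targets.append(rel.get("Target", ""))
    return sorted(targets)


def feeders_outside_inventory(xlsx_bytes: bytes, inventory: set[str]) -> list[str]:
    """Flag linked workbooks that are not in the approved feeder inventory."""
    return [t for t in external_workbook_targets(xlsx_bytes) if t not in inventory]


def build_sample_workbook(links: list[str]) -> bytes:
    """Constructed minimal .xlsx-style package holding only the parts scanned above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for i, target in enumerate(links, start=1):
            rels = (
                f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                f'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                f'relationships/{EXTERNAL_LINK_PATH}" Target="{target}" '
                f'TargetMode="External"/></Relationships>'
            )
            zf.writestr(f"xl/externalLinks/_rels/externalLink{i}.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical paths: an approved GL extract and a forgotten feeder.
    wb = build_sample_workbook(["file:///S:/fin/GL_extract.xlsx", "file:///S:/fin/Ronald.xlsx"])
    print(feeders_outside_inventory(wb, {"file:///S:/fin/GL_extract.xlsx"}))
```

The check only lists link targets; whether each feeder still exists, who owns it, and how old it is are follow-up questions for the inventory review.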
How do you find and manage critical spreadsheets?
Expanding the number of critical spreadsheets in an organization may feel daunting. In a recent case study, Cathay Bank’s Vice President, Strategic Risk Management Officer Kevin Moylan stated, “We considered a number of discovery methods and arranged several meetings with our critical spreadsheet users to determine which spreadsheets should be reviewed regularly for risk, but by the time we met with roughly 65 people and reviewed the information, our ability to react quickly and offer value was close to impossible.”
Cathay Bank chose Incisive’s software to help automate spreadsheet management processes and controls. Cathay Bank is able to quickly find spreadsheets on the network, address their risk, and monitor spreadsheets on an ongoing basis, using the software to help automate manual processes and conduct due diligence.
Due diligence creates confidence when you and executives need to sign off on annual compliance, and it also provides confidence throughout the year that strategic business decisions are based on good, clean data.
You can find the Cathay Bank case study here.