Spreadsheet Risk

Spreadsheets are everywhere in business. From organising the Christmas party to modelling market behaviour, there is likely a spreadsheet sitting behind it somewhere.

These sheets are part of what is referred to as  End User Computing (EUC) and become more and more critical to the continuing success of the business.

The problem is that these EUC solutions tend to be owned and operated by business areas away from IT and can cause quite significant problems.


Spreadsheets are more error-prone than enterprise applications. Studies show that 90% of spreadsheets with over 150 rows contain errors. Even if you think that you have a keen eye even experienced users can only spot 54% of errors.


The ability to audit and control changes around key data is essential for internal governance and regulatory compliance. The humble spreadsheet does not offer this level of tracking the change. Once a cell has it’s value changed, the old value along with who and when the change was committed is lost.

An unknown

Because of the nature of spreadsheets is that anyone is able to create them. IT have no knowledge of them and as such, typically no register within the business exists. There is no easy way to assess just how many EUC spreadsheets exist.

Even when you do find one understanding the businesses dependency upon it, it’s dependency upon other data and it’s owner are not always straightforward.

Poor Version and Change Control

Anyone in the business can quickly put together a spreadsheet. This starts off just being a simple list, then a calculation is added and some validation and cell formatting. The larger ones then become dependent on other external data and employ macros. The sheet starts off as a convenience and over time becomes part of the process.

This gradual change means that few people consider the need for governance around the EUC application. It is often not centralised, changes are made as needed and rarely version controlled.


Very few spreadsheets are properly secured. Even with encryption passwords are shared and do not have any complexity requirements.

Microsoft themselves even say that workbook protection is a ‘display’ feature and should not be considered a ‘security’ feature. These password protections will only stop the casual user and should not be relied upon.

Documentation and Training

The nature of EUC spreadsheets is they have been created quickly to solve a pain. Very few if any are then documented or formal training provided to those who are expected to use them.

This often ends up with the “inherited excel” problem, where the original author has left the business long ago and no one really understands how it works.

So What?

The above all lead to opening yourself up to risks. Vulnerability to fraud, increased auditing and compliance costs, inaccurate reporting, regulatory fines and penalties and more.

The first step is run a program of discovery and build a register for these EUC applications. Decide which EUCs represents a business risk and ensure the correct controls are implemented. You should also consider whether a spreadsheet is the right tool for the job.

Posted in GRC

Leave a Reply

Your email address will not be published. Required fields are marked *