Businesses lacking controls to mitigate the risks of growing spreadsheet use
Written by Staff Reporter
A new survey by software firm ClusterSeven, warns that despite End User Computing (EUC) risk being widely recognised by organisations in the UK, only a small minority of businesses are even imposing manual control policies to mitigate the potential threats.
The report, entitled ‘The Spreadsheet is Here to Stay’, suggests that EUCs are one of the key contributors of financial, regulatory, operational and reputational risk. 88% of the 160 internal audit, finance, compliance and risk management professionals questioned for the survey acknowledge the risks posed by spreadsheets and other EUCs, but only 24% are enforcing manual controls and even a smaller minority are instituting automated checks to curtail the risks. In the financial services industry in particular, nearly 57% of respondents rate ‘spreadsheet’ risk as serious or very serious.
More than 60% of organisations are relying on spreadsheets for business critical data processes, which represents a significant amount of work taking place in an unmonitored and uncontrolled business environment. Auditors (nearly 60%), regulators (40%) and risk and compliance professionals (nearly 45%) believe that this use of spreadsheets for business critical processes will increase over the next two years. This is despite the fact that financial and reputational loss due to EUC error is almost an expected outcome by organisations with early 50% of respondents expecting such an event to occur in the next two years.
Interestingly, 76% of organisations want to replace spreadsheets with a different type of business information management system, but 25% acknowledge that it is an unrealistic aspiration.
Chris Gomersall, CEO of ClusterSeven, said: “Imperfect as spreadsheets and other EUCs might be, they offer users the flexibility and agility to speedily undertake complex calculations, produce reports and develop models to meet changing business needs. Rather than negligently risk loss, organisations are better off automating and adopting management processes so that EUCs and corporate systems can safely and securely co-exist to meet the needs of the users and business alike. The alternative – using EUCs uncontrolled – isn’t a business risk work taking as potentially the penalties could be crippling.”