What are Ungoverned Spreadsheets? Hint – YOU Have Them!

Society has become so adapted to spreadsheet software and its many varied uses that it has become as commonplace as the cell phone.  It could be argued to be the greatest, most powerful, most important software application of all time.  What that also means is it gets taken for granted as an everyday tool.  Countless spreadsheets are used in the financial and actuarial arenas to develop data that is critical in the presentation of a company’s financial statements.  What should make an auditor or a responsible audit committee member shudder is the fact that with such daily proliferation of spreadsheet usage there exists in most instances no internal controls that have been formally instituted by companies to monitor what could be a potential monster to the financial statement development.  Sure, you may have some secondary test footing formulas built in, but that hardly suffices as a structured control assessment process to confirm the spreadsheet’s accuracy.

A number of classic examples can be cited of major public financial issues that can be directly related to basic spreadsheet faults.  When Barclays sent over its offer to buy up Lehman Brothers in the wake of the firm’s September 2008 collapse, it did so using an Excel spreadsheet.  The developers of the spreadsheet, which contained details of Lehman’s assets and what Barclays was willing to buy, hid, rather than deleted, several hundred cells.  But when a junior law associate at Cleary Gottlieb Steen & Hamilton converted the Excel file to a PDF format and e-mailed it over to the bankruptcy court, the hidden parts of the spreadsheet reappeared.  The result? Along with the parts of Lehman that Barclays wished to purchase, the British bank was also forced to swallow losses on an additional 179 toxic deals it never intended to buy.

The London Whale financial debacle involving JPMorgan Chase eventually led to $6+ billion trading losses for the bank, traders being fired, top execs being hauled before Congress, and the FBI and other agencies investigating the mess.  Subsequent internal reports studying the trading losses pointed to the model that was intended to monitor and limit the amount of risk the London traders were taking.  That model consisted of a series of Excel spreadsheets, which had to be completed manually through a copy and paste process.  It turns out one key measure was added when in fact it should have been averaged.  The result?  JPMorgan risk officers were led to believe the credit derivatives were half as risky as they actually were…all due to a simple spreadsheet miscue.

Though these are a few examples of huge financial loss boondoggles, the key point is they occurred from basic spreadsheet errors due to a lack of validation controls to mitigate risk.  In other words, they “got comfortable” with the process.  We all face this same challenge, albeit on a smaller but potentially material scale.  JLKR is therefore concentrating some of its efforts in this area, and questioning/recommending to all of our clients that they begin looking at the volume of spreadsheet exposure that exists in their various environments with the goal of pinpointing those critical spreadsheets that need more risk-mitigating controls.  For those spreadsheets, some form of change management controls should be instituted, consistently applied and documented to their internal control narratives provided to the auditors.