Audit spreadsheet risk or simply audit risk, like human spreadsheet risk, can be a source of material financial and business cost to companies; thanks to erroneous financial models or spreadsheets. There are three types of audit risk: control risk, detection risk and inherent risk.

Control risk in a spreadsheet sense, is the risk that a spreadsheet misstatement could arise, but may not be discovered and corrected or averted by a company’s internal spreadsheet controls i.e. error or alert checks. Whilst detection risk is the likelihood of a company’s peer review or spreadsheet audit processes could fail to uncover the occurrence of a material spreadsheet error.

Finally, inherent risk is the risk related to the type of industry, business or transaction, which the financial model or spreadsheet is used for. For example, a company in a highly cyclical industry such as mining will possess spreadsheets to model a project or the corporate plan. These spreadsheets will contain greater inherent risk, as opposed to a spreadsheet modelling a business in a more vanilla, predictive and stable sector like consumer goods or food.

 

Control Risk

The main reasons for control risk are:

• Lack of spreadsheet checks (error and alert) and controls (cross-checks, summaries or dashboards);
• Poor spreadsheet development;
• Lack of corporate governance surrounding the development and operation of a spreadsheet; and
• Lack of or no spreadsheet review.

Recommended solutions to managing control risk are:

• Implementation and adoption of a thorough, disciplined review or audit of spreadsheets;
• Mandatory error and alert checks, which verify source financial data, cross check key metrics and recalculate important forecast and financial measures; and
• Improved corporate governance, in terms of adequate training and supervision of model developers and users.

 

Detection Risk

The primary causes of detection risk are:

• Insufficient or inadequate spreadsheet review,
• Poor attention to detail,
• Person undertaking spreadsheet review lacks expertise, and
• The financial model is over-engineered and too complex

Recommended solutions to managing detection risk are:

• Enact a detailed, methodical spreadsheet review or audit,
• Guarantee the existence of error and alert checks throughout the model, and
• Only utilise experienced accounting and finance professionals

 

Inherent Risk

The principal causes of detection risk are:

• Incorrect or inaccurate spreadsheet assumptions or inputs,
• Lack of broad stakeholder buy-in, and
• Modelling, strategic planning or forecasting not realistic, viable or commercially relevant

Recommended solutions to managing detection risk are:

• Achieve greater and broader stakeholder buy-in during the creation and operation of a spreadsheet,
• Forecast assumptions and inputs need to be properly vetted, tested and re-checked, and
• A detailed peer review of spreadsheet assumptions and outputs must be performed

 

Overall takeaways

In order to minimise spreadsheet audit risk, spreadsheet or model developers must consider three audit risk areas: inherent risk, detection risk and control risk. These risks will be alleviated if spreadsheet developers and users implement a thorough review of their models; adopt error and alert checks throughout their spreadsheets; and verify all inputs, calculations and outputs are correct and commercially attainable.