160 likes | 397 Views
Spreadsheet Management Maturity Model. Philip Howard Research Director – Bloor Research. Why spreadsheet governance is important. Prevent errors that can impact financial and operational accuracy Prevent fraud Reduce disk space and associated costs Ensure compliance
E N D
Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research
Why spreadsheet governance is important • Prevent errors that can impact financial and operational accuracy • Prevent fraud • Reduce disk space and associated costs • Ensure compliance • Improve business process efficiency • Prevent fines • Prevent reputational damage • Improve decision making • Reduce audit fees • Enables various IT processes
Maturity Models • To identify where you are today • To identify where you want to get to • To identify the steps between • NB: not all organisations want to get to the same end point
Spreadsheet MMM • Not just about spreadsheets • Any end-user computing (EUC) resources such as Access databases, Crystal Reports, PowerPoint presentations and so on • Differs from other maturity models in that there are both personnel and corporate maturity levels
Personnel maturity Inexperienced users Tend to be self-taught Enthusiastic users Junior personnel develop expertise Experienced users Junior personnel become senior Trained users Formal training and best practices
Maturity Stage 1 Inexperienced users 1. Denial • Organisations do not understand extent of reliance on EUCs • Users are self-taught and do not make use of external resources • Transition to stage 2 typically because of a significant event such as a significant/material error, financial restatement, fraud, auditor scrutiny or forthcoming compliance audit
Maturity Stage 2 Inexperienced users 1. Denial Enthusiastic users 2. Manual • Manual governance based on access, change and version control, which may cause change management issues • No accuracy testing • May be custom macros for basic controls and auditing—not easy to support and unsustainable in long run • May include risk assessment • Transition to stage 3 because manual controls breaking down, experienced staff get promoted or because of compliance requirements.
Maturity Stage 3 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial • Use of formal remediation tools and methodologies either via audit forms or via diagnostic software • May include end user training on spreadsheet compliance (e.g. for SOX) • Transition to stage 4 often as result of auditor or consultant recommendation
Maturity Stage 4 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial Experienced users 4. Recognised • Identification of critical spreadsheet assets • May adopt use of automated discovery, inventory management and risk assessment software • Ideally, should come before stage 3 but most companies only discover risks due to links and dependencies after remediation has started • Stages 3 and 4 often help to build business case for more advanced stages
Maturity Stage 5 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial Experienced users 4. Recognised Trained users 5. Captured • Can capture and/or have eliminated errors and ad hoc processes • Logic and formula errors indentified and fixed • Controlled development processes and end users trained in development best practices • Process controls to detect and/or prevent errors
Maturity Stage 6 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial Experienced users 4. Recognised Trained users 5. Captured Trained users 6. Formalised • Formal development, control and risk mitigation processes • Segregation of duties, change request management, test and signoff on changes and new models, routine review and approval processes • May be issues with existing processes. Balance between collaboration and control may vary by department or, indeed, spreadsheet
Maturity Stage 7 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial Experienced users 4. Recognised Trained users 5. Captured Trained users 6. Formalised Trained users 7. Managed • Automated monitoring and/or control environment • Management reporting on EUC control process • This stage involves cultural shift: about implementing better business processes not just collecting data about spreadsheets
Maturity Stage 8 Inexperienced users 1. Denial Enthusiastic users 2. Manual Experienced users 3. Remedial Experienced users 4. Recognised Trained users 5. Captured Trained users 6. Formalised Trained users 7. Managed Trained users 8. Integrated • Spreadsheet processes and alerts part of broader GRC framework • Automated integration of spreadsheet data with central applications to eliminate error-prone practices
Conclusion • Spreadsheet management is iterative and evolving • Spreadsheet management is ongoing • Spreadsheet management is integral to governance, risk and compliance • Spreadsheet management should be treated as a part of data governance • Spreadsheet management is a part of optimising business processes • A maturity model helps you to understand where you are and where you’re going