Spreadsheet Risks in Banks

No other industry perhaps handles such large volumes of critical financial data more than the banking industry. For decades now, spreadsheets have become permanent fixtures in the front-line reporting tool sets of banks, providing organised information when and where needed.

But as banks enter into a period of heightened credit risks, elevated levels of fraud, and greater regulatory scrutiny, many are wondering if continued reliance on spreadsheets is a wise decision for banks today.

The downfall of Lehman Brothers which eventually led to its filing for Chapter 11 bankruptcy protection on September 15, 2008, served as a wake up call for many institutions across the globe to make a serious examination of their own risk management practices. But would these reforms include evaluating the security of user developed applications (UDAs), the most common of which are spreadsheets, and putting specific guidelines as to when they can – or cannot be – used?

Banks and Spreadsheet Use

Banks have been known to utilise spreadsheets systems for many critical functions because most personnel are well-acquainted with them, and the freedom of being able to develop customised reports without needing to consult with the IT department offers flexibility and convenience. In fact, more than having a way to do financial budgeting and analysing customer profitability, even loan officers and trade managers have become reliant on spreadsheets for risk management reporting and for making underwriting decisions.

But there are more than a few drawbacks to using spreadsheets for these tasks, and the sooner bank executives realise these, the sooner they can adopt better solutions.

General Limitations

Spreadsheets are far from being data base systems and yet more often than not, they are expected to act as such, with figures constantly added and formulas edited to produce the presumably right set of reports.

In addition, data integrity is always a cause for concern as most values in spreadsheets are entered as manual inputs. Even the mere misplacement of a comma or a negative sign, or an inadvertent ?edit? to a formula can also be a source of significant changes in the outcome.

Confidentiality risk is also another drawback of the use of spreadsheets in banks as these tools do not have adequate?access controls to limit access to only authorised individuals. Pertinent financial information that fall into the wrong hands can lead to a whole new set of problems including the possibility of fraud.

Risks in Trading

For trading transactions, spreadsheets can prove to be of immense use – but only for small market volumes. As trade volumes increase and the types vary, spreadsheets are no longer a viable solution and may likely become more of a hindrance, with calculations taking longer in the face of bigger transaction amounts and growing transaction data.

And in trading, there is always the need for rigorous computational functions. Computing for the Value at Risk (VaR) for large portfolios for instance, is simply way beyond the capabilities of spreadsheets. Banks that persist in using them are increasing the risk of loss on those portfolios. Or, they can be opening up?opportunities for fraud?as Allied Irish Bank (in the case of John Rusnak – $690 million) learned the hard way.

Risks in Underwriting

Bankers who use spreadsheets as their main source of information for underwriting procedures also face certain limitations. Loan transactions require that borrowers? financial data be centralised and easily accessible to risk officers and lending officers involved in making decisions. With spreadsheets, there is no simple and secure way of doing that. Information can be pulled from different sources – individual tax returns, corporate tax documents, partnership documents, audited financial statements – hence there is difficulty in verifying that these reports adhere to underwriting policies.

Spreadsheet control and monitoring

Financial institutions which are having difficulty weaning themselves from the convenience and simplicity that spreadsheets offer are looking for possible control solutions. Essentially, they want to find ways that allow them to continue using these UDAs and yet somehow eliminate the?spreadsheet risks?and limitations involved.

Still, the debate goes back and forth on whether adequate control measures can be implemented on spreadsheets so that that the risks are mitigated. Many services have come forward to herald innovative solutions for better spreadsheet management. But at the end of the day, there really is no guarantee that such solutions would suffice.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Is Change Management a Myth or a Possibility

The theory that it is possible to manage organisational change (Change Management) in a particular direction has done the rounds for quite some time, but is it true about Change Management. Was Barrack Obama correct when he said, ?Change will not come if we wait for some other person or some other time. We are the ones we have been waiting for. We are the change that we seek.?
Or, was business coach Kelly A Morgan more on the button when she commented, ?Changes are inevitable and not always controllable. What can be controlled is how you manage, react to, and work through the change process.? Let us consult the evidence and see what statisticians say.

What the Melcrum Report Tells Us

Melcrum are ?internal communication specialists who work alongside leaders and teams around the globe to build skills and best practice in internal communication.? They published a report after researching over 1,000 companies that attempted change management and advised:

? More than 50% report improved customer satisfaction

? 33% report higher productivity

? 28% report improvements in employee advocacy

? 27% improved status as a great place to work

? 27% report increased profitability

? 25% report improved absenteeism

Sounds great until we flip the mirror around and consider what the majority apparently said:

? 50% had no improvement in customer service

? 67% did not report increased productivity

? 72% did not note improvements in employee advocacy

? 73% had no improved status among job seekers

? 73% did not report increased profitability

? 75% did not report any reduction of employee absenteeism

This shows it is still a great idea to hear what all parties have to say before reaching a conclusion. You may be interested to know the Melcrum report gave rise to the legend that 70% of organisation change initiatives fail. This finding has repeated numerous times. Let’s hear what the psychologists have to say next.

There is a certain amount of truth in the old adage that says, ?You can lead a horse to water but you cannot make him drink.? Which of us has not said, ?Another flavour of the week ? better keep heads down until it passes? during a spell in the corporate world. You cannot change an organisation, but you can change an individual.

At the height of the Nazi occupation of 1942, French philosopher-writer Antoine de Saint-Exup?ry said, ?A rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral?. Psychology Today suggests five false assumptions change management rests upon, THAT ARE SIMPLY NOT TRUE.

1. The external world is orderly, stable, predictable and can be managed

2. Change managers are objective, and do not import their personal bias

3. The world is static and orderly and can be changed in linear steps

4. There is a neutral starting point where we can gather all participants

5. Change is worthy in itself, because all change is an improvement

Leo Tolstoy wrote, ?Everyone thinks of changing the world, but no one thinks of changing himself.? A prophet can work no miracles unless the people believe. From the foregoing, it is evident that change management of an organisation is a 70% impossibility, but encouraging an individual to grow is another matter.

A McKinsey Report titled Change Leader, Change Thyself fingers unbelieving managers as the most effective stumbling stones to change management. To change as individuals ? and perhaps collectively change as organisations ? we need to ?come to our own full richness?, and as shepherds lead our flock to their ?promised land?, whatever that may be. Conversely, herding our flock with a pack of sheepdogs extinguishes that most precious thing of all, human inspiration.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Choosing Routes for ESOS Compliance

Along the introduction of Energy Savings Opportunity Scheme in UK is the quick emergence of various companies that offer ESOS compliant services. While some energy audit providers can help, qualified businesses should understand what their compliance options are, how these routes work and learn both the pros and cons in order to carefully take their pick.

Independent ISO 50001 Certification

ISO 50001 comprises the integration and application of processes geared to motivate energy saving and overall improvement. Simply stated, it is a framework that drives the organisation’s governance to realise energy saving strategies by allocating resources and participating in energy management. The good thing about ISO 50001 is that it includes an energy review that documents ideas and opportunities to save more energy.

However, ISO 50001 does not obligate organisations to cover 90% of their overall energy consumption. In case of partial coverage, the company needs to undergo additional energy assessments to evaluate all the significant energy consumption areas.

In order for an ISO 50001 certification to be valid, it must be certified by the United Kingdom Accreditation Service (UKAS), by an accreditation body which is a member of the International Accreditation Forum, or by a body accredited by another EU member state?s national accreditation body.

Display Energy Certificates and Green Deal Assessments

These two kinds of energy assessment reports can also contribute to ESOS compliance. Both of them are carried out by qualified lead assessors and valid for 10 years. However, they are only based on the building structures and services. They do not cover the overall significant areas in energy consumption. Since these reports are valid for 10 years, they would be used for two ESOS reporting periods. Thus, they would not be as current as the ISO 50001 certification. Aside from that, the assessments are purely based on energy efficiency and anyone can qualify to use the software that produce the certifications after taking the accreditation course.

Energy Audits

A successful energy audit leads to better understanding of the company?s energy consumption, identify alternatives, determine cost-effective energy saving opportunities and stimulate energy efficiency. Energy audits are beneficial to the organisation. What makes it complex is that the organisation applying it, needs to clearly define the scope and type of energy audit to use in order to comply with ESOS. Furthermore, the organisation also has to identify the teams that would be competent enough to do the audit work for the building, transport and industrial area, respectively.

Each route is not formed equal. Thus, organisations have the option to either choose one or combine the routes and meet their company needs. The options mentioned are different approaches to ESOS and the core value is to grab the opportunity towards acquiring more savings through efficient energy system.

How Ecovaro Can Help

Ecovaro is passionate about making a difference. We are knowledgeable when it comes to ESOS legislation and regulation, ISO 50001 energy management system, DECs and Green Deal Assessments. More than that, we recognise the great impact of efficient management system to your organisation. And with this, we provide an enthusiastic team of software engineers and expert project managers to offer you our professional help at reasonable price. Ecovaro comes to you fully equipped with services tailored to your organisation’s energy management needs.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today