Audit Spreadsheet Risk

Audit spreadsheet risk or simply audit risk, like human spreadsheet risk, can be a source of material financial and business cost to companies; thanks to erroneous financial models or spreadsheets. There are three types of audit risk: control risk, detection risk and inherent risk.

Control risk in a spreadsheet sense, is the risk that a spreadsheet misstatement could arise, but may not be discovered and corrected or averted by a company’s internal spreadsheet controls i.e. error or alert checks. Whilst detection risk is the likelihood of a company’s peer review or spreadsheet audit processes could fail to uncover the occurrence of a material spreadsheet error.

Finally, inherent risk is the risk related to the type of industry, business or transaction, which the financial model or spreadsheet is used for. For example, a company in a highly cyclical industry such as mining will possess spreadsheets to model a project or the corporate plan. These spreadsheets will contain greater inherent risk, as opposed to a spreadsheet modelling a business in a more vanilla, predictive and stable sector like consumer goods or food.

20131214_171134 v3


Control Risk

The main reasons for control risk are:

Recommended solutions to managing control risk are:

  • Implementation and adoption of a thorough, disciplined review or audit of spreadsheets;
  • Mandatory error and alert checks, which verify source financial data, cross check key metrics and recalculate important forecast and financial measures; and
  • Improved corporate governance, in terms of adequate training and supervision of model developers and users.


Detection Risk

The primary causes of detection risk are:

Recommended solutions to managing detection risk are:

  • Enact a detailed, methodical spreadsheet review or audit,
  • Guarantee the existence of error and alert checks throughout the model, and
  • Only utilise experienced accounting and finance professionals


Inherent Risk

The principal causes of detection risk are:

Recommended solutions to managing detection risk are:


Overall takeaways

In order to minimise spreadsheet audit risk, spreadsheet or model developers must consider three audit risk areas: inherent risk, detection risk and control risk. These risks will be alleviated if spreadsheet developers and users implement a thorough review of their models; adopt error and alert checks throughout their spreadsheets; and verify all inputs, calculations and outputs are correct and commercially attainable.