…optimise your it investments spreadsheet management maturity model philip howard research...
Post on 18-Dec-2015
219 views
TRANSCRIPT
…optimise your IT investments
Spreadsheet Management Maturity Model
Philip HowardResearch Director – Bloor Research
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Why spreadsheet governance is important
Prevent errors that can impact financial and operational accuracyPrevent fraudReduce disk space and associated costsEnsure complianceImprove business process efficiencyPrevent finesPrevent reputational damageImprove decision makingReduce audit feesEnables various IT processes
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Models
To identify where you are today
To identify where you want to get to
To identify the steps between
NB: not all organisations want to get to the same end point
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Spreadsheet MMM
Not just about spreadsheets
Any end-user computing (EUC) resources such as Access databases, Crystal Reports, PowerPoint presentations and so on
Differs from other maturity models in that there are both personnel and corporate maturity levels
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Personnel maturity
Inexperienced users
Enthusiastic users
Experienced users
Trained users
Tend to be self-taught
Junior personnel develop expertise
Junior personnel become senior
Formal training and best practices
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 1
Organisations do not understand extent of reliance on EUCs
Users are self-taught and do not make use of external resources
Transition to stage 2 typically because of a significant event such as a significant/material error, financial restatement, fraud, auditor scrutiny or forthcoming compliance audit
Inexperienced users 1. Denial
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 2
Manual governance based on access, change and version control, which may cause change management issues
No accuracy testing
May be custom macros for basic controls and auditing—not easy to support and unsustainable in long run
May include risk assessment
Transition to stage 3 because manual controls breaking down, experienced staff get promoted or because of compliance requirements.
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 3
Use of formal remediation tools and methodologies either via audit forms or via diagnostic software
May include end user training on spreadsheet compliance (e.g. for SOX)
Transition to stage 4 often as result of auditor or consultant recommendation
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. RemedialExperienced users
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 4
Identification of critical spreadsheet assets
May adopt use of automated discovery, inventory management and risk assessment software
Ideally, should come before stage 3 but most companies only discover risks due to links and dependencies after remediation has started
Stages 3 and 4 often help to build business case for more advanced stages
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. Remedial
4. Recognised
Experienced users
Experienced users
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 5
Can capture and/or have eliminated errors and ad hoc processes
Logic and formula errors indentified and fixed
Controlled development processes and end users trained in development best practices
Process controls to detect and/or prevent errors
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. Remedial
4. Recognised
Experienced users
Experienced users
Trained users 5. Captured
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 6
Formal development, control and risk mitigation processes
Segregation of duties, change request management, test and signoff on changes and new models, routine review and approval processes
May be issues with existing processes. Balance between collaboration and control may vary by department or, indeed, spreadsheet
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. Remedial
4. Recognised
Experienced users
Experienced users
Trained users 5. Captured
Trained users 6. Formalised
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 7
Automated monitoring and/or control environment
Management reporting on EUC control process
This stage involves cultural shift: about implementing better business processes not just collecting data about spreadsheets
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. Remedial
4. Recognised
Experienced users
Experienced users
Trained users 5. Captured
Trained users 6. Formalised
Trained users 7. Managed
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Maturity Stage 8
Spreadsheet processes and alerts part of broader GRC framework
Automated integration of spreadsheet data with central applications to eliminate error-prone practices
Inexperienced users 1. Denial
Enthusiastic users 2. Manual
3. Remedial
4. Recognised
Experienced users
Experienced users
Trained users 5. Captured
Trained users 6. Formalised
Trained users 7. Managed
Trained users 8. Integrated
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010
Conclusion
Spreadsheet management is iterative and evolving
Spreadsheet management is ongoing
Spreadsheet management is integral to governance, risk and compliance
Spreadsheet management should be treated as a part of data governance
Spreadsheet management is a part of optimising business processes
A maturity model helps you to understand where you are and where you’re going
telling the Information Management storyConfidential © Bloor Research 2009 telling the right storyConfidential © Bloor Research 2010