Risk Assessment For Spreadsheet Developments: Choosing Which Models to Audit


Errors in spreadsheet applications and models are alarmingly common (some authorities, with justification, cite spreadsheets containing errors as the norm rather than the exception). Faced with this body of evidence, the auditor can be faced with a huge task - the temptation may be to launch code inspections for every spreadsheet in an organisation. This can be very expensive and time-consuming. This paper describes risk assessment based on the “SpACE” audit methodology used by H M Customs & Excise’s tax inspectors. This allows the auditor to target resources on the spreadsheets posing the highest risk of error, and justify the deployment of those resources to managers and clients. Since the opposite of audit risk is audit assurance, the paper also offers an overview of some elements of good practice in the use of spreadsheets in business.


💡 Research Summary

The paper addresses the pervasive problem of errors in spreadsheet applications and models, which are frequently used for critical financial, tax and operational calculations. Because errors are common and can have severe financial, regulatory and reputational consequences, auditing every spreadsheet in an organization is impractical and costly. To solve this, the author presents a risk‑based audit methodology called “SpACE” (Spreadsheet Audit and Control Environment) that was developed and applied by HM Customs & Excise tax inspectors.

SpACE consists of four sequential stages, each ending with a “stop/go” decision that determines whether the audit should proceed. The first stage, Overall Risk Assessment, evaluates the potential impact of a spreadsheet error by estimating the monetary value at risk, possible regulatory penalties, and damage to the organization’s public image. If the impact is low, the audit stops; otherwise it proceeds.

The second stage, Likelihood of Error Assessment, uses a structured questionnaire covering six domains: organisational policy, domain knowledge, specification quality, testing evidence, documentation, and data controls. Answers reveal how likely it is that an error could occur in the given model.

The third stage, Risk Identification and Scoping, requires direct access to the spreadsheet. Automated audit tools extract quantitative metrics such as the number of files, worksheets, formulas, external links, unique versus copied formulas, use of macros, hidden rows/columns, protection settings, and advanced features (pivot tables, solver, etc.). These metrics help estimate the effort required for a full code inspection and identify the parts of the model that pose the greatest risk.

The fourth stage, Testing Decision and Code Inspection, combines the impact score, likelihood assessment and effort estimate to decide whether a detailed code review is justified. When it is, the inspection focuses on high‑risk patterns: incorrect original formulas, mis‑copied formulas, hard‑coded constants, absolute references, missing precedents or dependents, formulas that reference hidden cells, error‑returning cells, and data entered as text. Data quality is also examined under the GIGO principle, ensuring that input data are complete, accurate and timely.
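To make the inspection patterns above concrete, here is an added example (not code from the paper or from the SpACE tooling) that scans a sheet for four of them: mis-copied formulas, hard-coded constants, error-returning cells, and numbers entered as text. The sheet representation (a dict of A1 address to formula text or stored value), the function names and the finding labels are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

REF = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")   # A1-style cell reference
ERRORS = ("#REF!", "#DIV/0!", "#VALUE!", "#NAME?", "#N/A", "#NUM!", "#NULL!")

def col_num(letters):
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - 64
    return n

def relative_form(formula, row, col):
    """Rewrite references as offsets so a correctly copied formula compares equal."""
    def repl(m):
        c_abs, letters, r_abs, digits = m.groups()
        c = letters if c_abs else f"C[{col_num(letters) - col}]"   # keep $-anchored parts
        r = digits if r_abs else f"R[{int(digits) - row}]"
        return f"{r}|{c}"
    return REF.sub(repl, formula)

def scan(cells):
    findings, by_col = [], defaultdict(list)
    for addr, content in cells.items():
        if not isinstance(content, str):
            continue                                   # genuine numeric input
        m = REF.fullmatch(addr)
        row, col = int(m.group(4)), col_num(m.group(2))
        if any(e in content for e in ERRORS):
            findings.append((addr, "error value"))
        elif content.startswith("="):
            if re.search(r"\d", REF.sub("", content)): # digits left once refs are removed
                findings.append((addr, "hard-coded constant"))
            by_col[col].append((addr, relative_form(content, row, col)))
        elif re.fullmatch(r"-?\d+(\.\d+)?", content.strip()):
            findings.append((addr, "number stored as text"))
    for items in by_col.values():                      # formulas copied down a column
        common, n = Counter(f for _, f in items).most_common(1)[0]
        if n >= 2:
            findings += [(a, "inconsistent with column") for a, f in items if f != common]
    return sorted(findings)

# Constructed sample sheet: address -> formula text or stored value.
SAMPLE = {"A1": "Qty", "B2": 100, "C2": 2, "D2": "=B2*C2", "E2": "=D2*1.175",
          "B3": 250, "C3": 4, "D3": "=B3*C3", "E3": "#DIV/0!",
          "B4": "300", "C4": 1, "D4": "=B4*C3",
          "B5": 80, "C5": 3, "D5": "=B5*C5"}
```

On the sample, `scan(SAMPLE)` flags B4, D4, E2 and E3; the remaining patterns in the list (hidden-cell references, missing precedents or dependents) need workbook metadata that this simplified representation does not carry.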

The paper concludes that risk assessment is central to any audit, whether of manual accounts, ERP systems or spreadsheets. Because good spreadsheet development practices are rare and errors are common, a systematic, risk‑based approach like SpACE enables auditors to allocate limited resources efficiently, concentrate on the most hazardous models, and thereby improve the overall reliability of spreadsheet‑driven decision making.

