The financial reporting community has wised up in recent years to the risks that come with relying on spreadsheets, but their use is so common and pervasive in Corporate America it can be tough to identify and mitigate all the related risks.

“Spreadsheets are a terrific tool, but you need to make sure you have appropriate controls and transparency around them,” said Kurt Underwood, managing director at Protiviti. The firm produced something of a checklist for the financial reporting staff to consider in a recently produced guide, “Spreadsheet Risk Management: Frequently Asked Questions.”

Protiviti says spreadsheets have been stretched far beyond originally intended uses—in complex financial models and for enterprise-level applications, for example—leading to problems as minor as calculation errors or as major as poor decision making. Problems with unchecked spreadsheet use are increasingly coming to light as internal control over financial reporting has become a more focused and regulated effort.

The FAQ guide tries to touch on the myriad risks companies need to consider and address as they continue to rely on spreadsheets. The guide covers implementing a spreadsheet control framework, creating a library of critical spreadsheets, assessing spreadsheet controls and risk exposure, getting assurance over critical spreadsheets, and resources and technology available to help control spreadsheet risks.

Underwood says the guide is extensive because it reflects the depth and breadth of questions the firm has faced in real client situations over the past few years. “This has been such an under-addressed area the last six to eight years,” he said. “The FAQ is large because the end-user population is developing applications, and the technology is so easy to use. A lot of forumulas and macros go unchecked, unverified, and untested. You have effectively an application that has avoided all the rigor of a software development process.”