In a whitepaper released by Clear Dynamics and Avocado Consulting, it finds that 90% of organisations continue to rely on spreadsheets for critical business processes, despite the operational, security and compliance risks this creates. 

In an era defined by automation, intelligence, security risks and cloud scalability, it’s astonishing how many core functions – pricing models, reconciliations, risk calculations, customer workflows, unit pricing, actuarial assumptions, regulatory reporting and lending decisions – still depend on tools never designed for enterprise resilience.  

This is not a minor productivity issue. Under CPS 230, it is a direct compliance exposure. 

Spreadsheets were built for flexibility, not governance. They are brilliant for prototyping but brittle at scale. Once embedded into critical operations, they become what we call the spreadsheet trap – easy to start, almost impossible to unwind, and ultimately a barrier to accuracy, compliance and growth.  

APRA has long highlighted the risk of end-user developed/configured tools (EUCs). CPG 234 (Information Security) explicitly states that regulated entities must identify, classify and assess risks arising from EUCs, particularly where they influence business decisions or support critical operations. 

Yet, organisations don’t need a regulator to tell them spreadsheets are failing. When spreadsheets underpin material processes, they introduce a well-known pattern of weaknesses, each silently driving revenue, risk or regulatory outcomes without any formal oversight, including: 

• No structured testing or lifecycle management, meaning errors can persist unnoticed for months or years. 
• Poor version control, with multiple conflicting copies circulated across teams and no clarity around which file is the current source of truth. 
• Limited access control, audit trails or change history, preventing organisations from evidencing who made changes or why decisions were made. 
• Key-person dependency, where critical business logic sits in one workbook understood by a single individual. 
• Hidden logic and undocumented assumptions, embedded in formulas, macros and manual overrides that bypass standard governance. 
• Data integrity issues caused by manual inputs or re-keying, leading to stale, inconsistent or contradictory datasets across departments. 
• Cross-department inconsistencies, where different teams work from different versions of data extracted at different times. 
• The “human API” problem, where staff manually move data between systems because spreadsheets cannot integrate or automate workflows. 
• Sensitive data exposure, as spreadsheets are copied, emailed, downloaded and stored without proper access controls or encryption. 

For financial services organisations, these weaknesses sit directly at the intersection of operational risk (CPG 230), information security (CPG 234) and data risk (CPG 235) and they undermine the organisation’s ability to meet both the intent and the practical expectations of CPS 230. 

With Australia’s regulatory environment tightening – from CPS 230 to the Privacy and Other Legislation Amendment Act 2024 – transparency, control and auditability are no longer optional. Regulators expect organisations to demonstrate resilience across their critical operations, and spreadsheets simply cannot meet those expectations at scale. 

While APRA is not banning spreadsheets outright, under CPS 230 and CPG 230, the use of uncontrolled EUCs in critical operations is increasingly indefensible. 

Under CPS 230, APRA requires regulated entities to demonstrate: 

• Resilience of critical operations 
• Documented processes, controls and audit trails 
• Clear accountability for operational risks 
• Technology and data governance that withstands scrutiny 
• Evidence that material control weaknesses are remediated 

None of these requirements can be met where spreadsheets underpin key operations. 

APRA also expects regulated entities to: