Mahmood H. Shubbak,Simon Thorne

DOI: https://doi.org/10.48550/arXiv.1602.05231

2016-02-17

Abstract:Heavy use of spreadsheets by organisations bears many potential risks such as errors, ambiguity, data loss, duplication, and fraud. In this paper these risks are briefly outlined along with their available mitigation methods such as: documentation, centralisation, auditing and user training. However, because of the large quantities of spreadsheets used in organisations, applying these methods on all spreadsheets is impossible. This fact is considered as a deficiency in these methods, a gap which is addressed in this paper. In this paper a new software tool for managing spreadsheets and identifying the risk levels they include is proposed, developed and tested. As an add-in for Microsoft Excel application, "Risk Calculator" can automatically collect and record spreadsheet properties in an inventory database and assign risk scores based on their importance, use and complexity. Consequently, auditing processes can be targeted to high risk spreadsheets. Such a method saves time, effort, and money.

Software Engineering

Daniel Kulesz

DOI: https://doi.org/10.48550/arXiv.1111.6878

2011-11-30

Abstract:Thanks to the enormous flexibility they provide, spreadsheets are considered a priceless blessing by many end-users. Many spreadsheets, however, contain errors which can lead to severe consequences in some cases. To manage these risks, quality managers in companies are often asked to develop appropriate policies for preventing spreadsheet errors. Good policies should specify rules which are based on "known-good" practices. While there are many proposals for such practices in literature written by practitioners and researchers, they are often not consistent with each other. Therefore no general agreement has been reached yet and no science-based "golden rules" have been published. This paper proposes an expert-based, retrospective approach to the identification of good practices for spreadsheets. It is based on an evaluation loop that cross-validates the findings of human domain experts against rules implemented in a semi-automated spreadsheet workbench, taking into account the context in which the spreadsheets are used.

Software Engineering

Ben G. Rittweger,Eoin Langan

DOI: https://doi.org/10.48550/arXiv.1009.2775

2010-09-15

Abstract:The paper examines in the context of financial reporting, the controls that organisations have in place to manage spreadsheet risk and errors. There has been widespread research conducted in this area, both in Ireland and internationally. This paper describes a study involving 19 participants (2 case studies and 17 by survey) from Ireland. Three areas are examined; firstly, the extent of spreadsheet usage, secondly, the level of complexity employed in spreadsheets, and finally, the controls in place regarding spreadsheets. The findings support previous findings of Panko (1998), that errors occur frequently in spreadsheets and that there is little or unenforced controls employed, however this research finds that attitudes are changing with regard to spreadsheet risk and that one organisation is implementing a comprehensive project regarding policies on the development and control of spreadsheets. Further research could be undertaken in the future to examine the development of a "best practice model" both for the reduction in errors and to minimise the risk in spreadsheet usage.

Software Engineering

Pat Cleary,Dr David Ball,Mukul Madahar,Simon Thorne,Christopher Gosling,Karen Fernandez

DOI: https://doi.org/10.48550/arXiv.0806.0189

IF: 6.4588

2008-06-01

Human-Computer Interaction

Abstract:There is an overlooked iceberg of problems in end user computing. Spreadsheets are developed by people who are very skilled in their main job function, be it finance, procurement, or production planning, but often have had no formal training in spreadsheet use. IT auditors focus on mainstream information systems but regard spreadsheets as user problems, outside their concerns. Internal auditors review processes, but not the tools that support decision making in these processes. This paper highlights the gaps between risk management and end user awareness in spreadsheet research. In addition the potential benefits of software agent technologies to the management of risk in spreadsheets are explored. This paper discusses the current research into end user computing and spreadsheet use awareness.

Raymond R. Panko

DOI: https://doi.org/10.48550/arXiv.0802.3457

2008-02-24

Abstract:Fifteen years of research studies have concluded unanimously that spreadsheet errors are both common and non-trivial. Now we must seek ways to reduce spreadsheet errors. Several approaches have been suggested, some of which are promising and others, while appealing because they are easy to do, are not likely to be effective. To date, only one technique, cell-by-cell code inspection, has been demonstrated to be effective. We need to conduct further research to determine the degree to which other techniques can reduce spreadsheet errors.

Software Engineering,Human-Computer Interaction

Ray Panko

DOI: https://doi.org/10.48550/arXiv.1602.02601

2016-02-03

Abstract:Research on spreadsheet errors is substantial, compelling, and unanimous. It has three simple conclusions. The first is that spreadsheet errors are rare on a per-cell basis, but in large programs, at least one incorrect bottom-line value is very likely to be present. The second is that errors are extremely difficult to detect and correct. The third is that spreadsheet developers and corporations are highly overconfident in the accuracy of their spreadsheets. The disconnect between the first two conclusions and the third appears to be due to the way human cognition works. Most importantly, we are aware of very few of the errors we make. In addition, while we are proudly aware of errors that we fix, we have no idea of how many remain, but like Little Jack Horner we are impressed with our ability to ferret out errors. This paper reviews human cognition processes and shows first that humans cannot be error free no matter how hard they try, and second that our intuition about errors and how we can reduce them is based on appallingly bad knowledge. This paper argues that we should reject any prescription for reducing errors that has not been rigorously proven safe and effective. This paper also argues that our biggest need, based on empirical data, is to do massively more testing than we do now. It suggests that the code inspection methodology developed in software development is likely to apply very well to spreadsheet inspection.

Software Engineering

Soheil Saadat

DOI: https://doi.org/10.48550/arXiv.0805.4211

2008-05-28

Abstract:The use of uncontrolled financial spreadsheets can expose organizations to unacceptable business and compliance risks, including errors in the financial reporting process, spreadsheet misuse and fraud, or even significant operational errors. These risks have been well documented and thoroughly researched. With the advent of regulatory mandates such as SOX 404 and FDICIA in the U.S., and MiFID, Basel II and Combined Code in the UK and Europe, leading tax and audit firms are now recommending that organizations automate their internal controls over critical spreadsheets and other end-user computing applications, including Microsoft Access databases. At a minimum, auditors mandate version control, change control and access control for operational spreadsheets, with more advanced controls for critical financial spreadsheets. This paper summarises the key issues regarding the establishment and maintenance of control of Business Critical spreadsheets.

Software Engineering,Human-Computer Interaction

Markus Clermont,Christian Hanin,Roland T. Mittermeir

DOI: https://doi.org/10.48550/arXiv.0805.1741

2008-05-13

Abstract:Amongst the large number of write-and-throw-away spreadsheets developed for one-time use there is a rather neglected proportion of spreadsheets that are huge, periodically used, and submitted to regular update-cycles like any conventionally evolving valuable legacy application software. However, due to the very nature of spreadsheets, their evolution is particularly tricky and therefore error-prone. In our strive to develop tools and methodologies to improve spreadsheet quality, we analysed consolidation spreadsheets of an internationally operating company for the errors they contain. The paper presents the results of the field audit, involving 78 spreadsheets with 60,446 non-empty cells. As a by-product, the study performed was also to validate our analysis tools in an industrial context. The evaluated auditing tool offers the auditor a new view on the formula structure of the spreadsheet by grouping similar formulas into equivalence classes. Our auditing approach defines three similarity criteria between formulae, namely copy, logical and structural equivalence. To improve the visualization of large spreadsheets, equivalences and data dependencies are displayed in separated windows that are interlinked with the spreadsheet. The auditing approach helps to find irregularities in the geometrical pattern of similar formulas.

Human-Computer Interaction

Bill Bekenn,Ray Hooper

DOI: https://doi.org/10.48550/arXiv.0807.2997

2008-07-19

Abstract:A new MS Excel application has been developed which seeks to reduce the risks associated with the development, operation and auditing of Excel spreadsheets. FormulaDataSleuth provides a means of checking spreadsheet formulas and data as they are developed or used, enabling the users to identify actual or potential errors quickly and thereby halt their propagation. In this paper, we will describe, with examples, how the application works and how it can be applied to reduce the risks associated with Excel spreadsheets.

Human-Computer Interaction,Software Engineering

David Nixon,Mike O'Hara

DOI: https://doi.org/10.48550/arXiv.1001.4293

2010-01-25

Abstract:It is now widely accepted that errors in spreadsheets are both common and potentially dangerous. Further research has taken place to investigate how frequently these errors occur, what impact they have, how the risk of spreadsheet errors can be reduced by following spreadsheet design guidelines and methodologies, and how effective auditing of a spreadsheet is in the detection of these errors. However, little research exists to establish the usefulness of software tools in the auditing of spreadsheets. This paper documents and tests office software tools designed to assist in the audit of spreadsheets. The test was designed to identify the success of software tools in detecting different types of errors, to identify how the software tools assist the auditor and to determine the usefulness of the tools.

Software Engineering,Human-Computer Interaction

Eric Perry

DOI: https://doi.org/10.48550/arXiv.0809.3016

2008-09-17

Software Engineering

Abstract:There have been many articles and mishaps published about the risks of uncontrolled spreadsheets in today's business environment, including non-compliance, operational risk, errors, and fraud all leading to significant loss events. Spreadsheets fall into the realm of end user developed applications and are often absent the proper safeguards and controls an IT organization would enforce for enterprise applications. There is also an overall lack of software programming discipline enforced in how spreadsheets are developed. However, before an organization can apply proper controls and discipline to critical spreadsheets, an accurate and living inventory of spreadsheets across the enterprise must be created, and all critical spreadsheets must be identified. As such, this paper proposes an automated approach to the initial stages of the spreadsheet management lifecycle - discovery, inventory and risk assessment. Without the use of technology, these phases are often treated as a one-off project. By leveraging technology, they become a sustainable business process.

Ghada AlTarawneh,Simon Thorne

DOI: https://doi.org/10.48550/arXiv.1703.09785

2017-03-23

Computers and Society

Abstract:This paper discusses the risks and potential impacts of spreadsheet errors in scientific research data in a Neuroscience research centre in the UK. Spreadsheets usage in neuroscience, or indeed any medical discipline, is a largely unreported area of spreadsheet research. This paper presents a case study exploring the possible risks and impacts of spreadsheet errors in the neuroscience research centre at the University of Newcastle. Data was collected using an online questionnaire with 17 participants and two detailed semi-structured interviews. The analysis highlights that errors in research data may lead to severe impacts such as misleading science and damaged personal and organisational reputations. In addition, many risks factors arise from using spreadsheets such as inadequate design and a lack of training. Spreadsheets are used widely in business and the impacts and risks in these fields have been studied and highlighted in detail. However, scientific research and spreadsheets have also a significant relationship that has not been clarified. The paper also draws out the similarities in spreadsheet practice between the scientific and business communities.

D. Price

DOI: https://doi.org/10.48550/arXiv.0711.4613

2007-11-28

Computers and Society

Abstract:Her Majestys Revenue & Customs (HMRC) was born out of the need to create a UK tax authority by merging both the Inland Revenue and HM Customs & Excise into one department. HMRC encounters spreadsheets in tax-payers systems on a very regular basis as well as being a heavy user of spreadsheets internally. The approach to spreadsheet risk assessment and spreadsheet audit is by the use of trained computer auditors and data handlers. This, by definition, limits the use of our specialist spreadsheet audit tool to such trained staff. In order to tackle the growing use of spreadsheets, a new way of approaching the problem has been piloted. The aim is to issue all staff who come across spreadsheets with a simple to use analysis and risk assessment tool, based on the departmental software SpACE (Spreadsheet Audit & Compliance Examination).

Grenville J. Croll,Raymond J. Butler

DOI: https://doi.org/10.48550/arXiv.0710.0871

2007-10-03

Computers and Society

Abstract:There is overwhelming evidence that the continued and widespread use of untested spreadsheets in business gives rise to regular, significant and unexpected financial losses. Whilst this is worrying, it is perhaps a relatively minor concern compared with the risks arising from the use of poorly constructed and/or untested spreadsheets in medicine, a practice that is already occurring. This article is intended as a warning that the use of poorly constructed and/or untested spreadsheets in clinical medicine cannot be tolerated. It supports this warning by reporting on potentially serious weaknesses found while testing a limited number of publicly available clinical spreadsheets.

Miguel A. Ferreira,Joost Visser

DOI: https://doi.org/10.48550/arXiv.1211.7100

2012-11-30

Abstract:We present a pragmatic method for management of risks that arise due to spreadsheet use in large organizations. We combine peer-review, tool-assisted evaluation and other pre-existing approaches into a single organization-wide approach that reduces spreadsheet risk without overly restricting spreadsheet use. The method was developed in the course of several spreadsheet evaluation assignments for a corporate customer. Our method addresses a number of issues pertinent to spreadsheet risks that were raised by the Sarbanes-Oxley act.

Software Engineering

Pak-Lok Poon,Man Fai Lau,Yuen Tak Yu,Sau-Fun Tang

DOI: https://doi.org/10.1007/s11704-023-2384-6

IF: 2.6688

2024-01-23

Frontiers of Computer Science

Abstract:Spreadsheets are very common for information processing to support decision making by both professional developers and non-technical end users. Moreover, business intelligence and artificial intelligence are increasingly popular in the industry nowadays, where spreadsheets have been used as, or integrated into, intelligent or expert systems in various application domains. However, it has been repeatedly reported that faults often exist in operational spreadsheets, which could severely compromise the quality of conclusions and decisions based on the spreadsheets. With a view to systematically examining this problem via survey of existing work, we have conducted a comprehensive literature review on the quality issues and related techniques of spreadsheets over a 35.5-year period (from January 1987 to June 2022) for target journals and a 10.5-year period (from January 2012 to June 2022) for target conferences. Among other findings, two major ones are: (a) Spreadsheet quality is best addressed throughout the whole spreadsheet life cycle, rather than just focusing on a few specific stages of the life cycle. (b) Relatively more studies focus on spreadsheet testing and debugging (related to fault detection and removal) when compared with spreadsheet specification, modeling, and design (related to development). As prevention is better than cure, more research should be performed on the early stages of the spreadsheet life cycle. Enlightened by our comprehensive review, we have identified the major research gaps as well as highlighted key research directions for future work in the area.

computer science, information systems, theory & methods, software engineering

John C. Nash,Neil Smith,Andy Adler

DOI: https://doi.org/10.48550/arXiv.0807.3168

IF: 6.4588

2008-07-20

Human-Computer Interaction

Abstract:Because spreadsheets have a large and growing importance in real-world work, their contents need to be controlled and validated. Generally spreadsheets have been difficult to verify, since data and executable information are stored together. Spreadsheet applications with multiple authors are especially difficult to verify, since controls over access are difficult to enforce. Facing similar problems, traditional software engineering has developed numerous tools and methodologies to control, verify and audit large applications with multiple developers. We present some tools we have developed to enable 1) the audit of selected, filtered, or all changes in a spreadsheet, that is, when a cell was changed, its original and new contents and who made the change, and 2) control of access to the spreadsheet file(s) so that auditing is trustworthy. Our tools apply to OpenOffice.org calc spreadsheets, which can generally be exchanged with Microsoft Excel.

Grenville J. Croll

DOI: https://doi.org/10.48550/arXiv.0806.3536

2008-06-22

Abstract:The first fully-documented study into the quantitative impact of errors in operational spreadsheets identified an interesting anomaly. One of the five participating organisations involved in the study contributed a set of five spreadsheets of such quality that they set the organisation apart in a statistical sense. This virtuoso performance gave rise to a simple sampling test - The Clean Sheet Test - which can be used to objectively evaluate if an organisation is in control of the spreadsheets it is using in important processes such as financial reporting.

Software Engineering,Human-Computer Interaction

Harmen Ettema,Paul Janssen,Jacques de Swart

DOI: https://doi.org/10.48550/arXiv.0801.4775

2008-01-30

Software Engineering

Abstract:The traditional approach to spreadsheet auditing generally consists of auditing every distinct formula within a spreadsheet. Although tools are developed to support auditors during this process, the approach is still very time consuming and therefore relatively expensive. As an alternative to the traditional "control through" approach, this paper discusses a "control around" approach. Within the proposed approach not all distinct formulas are audited separately, but the relationship between input data and output data of a spreadsheet is audited through comparison with a shadow model developed in a modelling language. Differences between the two models then imply possible errors in the spreadsheet. This paper describes relevant issues regarding the "control around" approach and the circumstances in which this approach is preferred above a traditional spreadsheet audit approach.

Raymond R. Panko

DOI: https://doi.org/10.48550/arXiv.0801.3114

2008-01-21

Abstract:In the spreadsheet error community, both academics and practitioners generally have ignored the rich findings produced by a century of human error research. These findings can suggest ways to reduce errors; we can then test these suggestions empirically. In addition, research on human error seems to suggest that several common prescriptions and expectations for reducing errors are likely to be incorrect. Among the key conclusions from human error research are that thinking is bad, that spreadsheets are not the cause of spreadsheet errors, and that reducing errors is extremely difficult.

Human-Computer Interaction