Eric Perry

DOI: https://doi.org/10.48550/arXiv.0809.3016

2008-09-17

Software Engineering

Abstract:There have been many articles and mishaps published about the risks of uncontrolled spreadsheets in today's business environment, including non-compliance, operational risk, errors, and fraud all leading to significant loss events. Spreadsheets fall into the realm of end user developed applications and are often absent the proper safeguards and controls an IT organization would enforce for enterprise applications. There is also an overall lack of software programming discipline enforced in how spreadsheets are developed. However, before an organization can apply proper controls and discipline to critical spreadsheets, an accurate and living inventory of spreadsheets across the enterprise must be created, and all critical spreadsheets must be identified. As such, this paper proposes an automated approach to the initial stages of the spreadsheet management lifecycle - discovery, inventory and risk assessment. Without the use of technology, these phases are often treated as a one-off project. By leveraging technology, they become a sustainable business process.

Miguel A. Ferreira,Joost Visser

DOI: https://doi.org/10.48550/arXiv.1211.7100

2012-11-30

Abstract:We present a pragmatic method for management of risks that arise due to spreadsheet use in large organizations. We combine peer-review, tool-assisted evaluation and other pre-existing approaches into a single organization-wide approach that reduces spreadsheet risk without overly restricting spreadsheet use. The method was developed in the course of several spreadsheet evaluation assignments for a corporate customer. Our method addresses a number of issues pertinent to spreadsheet risks that were raised by the Sarbanes-Oxley act.

Software Engineering

Ben G. Rittweger,Eoin Langan

DOI: https://doi.org/10.48550/arXiv.1009.2775

2010-09-15

Abstract:The paper examines in the context of financial reporting, the controls that organisations have in place to manage spreadsheet risk and errors. There has been widespread research conducted in this area, both in Ireland and internationally. This paper describes a study involving 19 participants (2 case studies and 17 by survey) from Ireland. Three areas are examined; firstly, the extent of spreadsheet usage, secondly, the level of complexity employed in spreadsheets, and finally, the controls in place regarding spreadsheets. The findings support previous findings of Panko (1998), that errors occur frequently in spreadsheets and that there is little or unenforced controls employed, however this research finds that attitudes are changing with regard to spreadsheet risk and that one organisation is implementing a comprehensive project regarding policies on the development and control of spreadsheets. Further research could be undertaken in the future to examine the development of a "best practice model" both for the reduction in errors and to minimise the risk in spreadsheet usage.

Software Engineering

Vipin Samar,Sangeeta Patni

DOI: https://doi.org/10.48550/arXiv.0803.2527

2008-03-18

Abstract:There is no denying that spreadsheets have become critical for all operational processes including financial reporting, budgeting, forecasting, and analysis. Microsoft Excel has essentially become a scratch pad and a data browser that can quickly be put to use for information gathering and decision-making. However, there is little control in how data comes into Excel, and how it gets updated. The information supply chain feeding into Excel remains ad hoc and without any centralized IT control. This paper discusses some of the pitfalls of the data collection and maintenance process in Excel. It then suggests service-oriented architecture (SOA) based information gathering and control techniques to ameliorate the pitfalls of this scratch pad while improving the integrity of data, boosting the productivity of the business users, and building controls to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act.

Human-Computer Interaction

Mahmood H. Shubbak,Simon Thorne

DOI: https://doi.org/10.48550/arXiv.1602.05231

2016-02-17

Abstract:Heavy use of spreadsheets by organisations bears many potential risks such as errors, ambiguity, data loss, duplication, and fraud. In this paper these risks are briefly outlined along with their available mitigation methods such as: documentation, centralisation, auditing and user training. However, because of the large quantities of spreadsheets used in organisations, applying these methods on all spreadsheets is impossible. This fact is considered as a deficiency in these methods, a gap which is addressed in this paper. In this paper a new software tool for managing spreadsheets and identifying the risk levels they include is proposed, developed and tested. As an add-in for Microsoft Excel application, "Risk Calculator" can automatically collect and record spreadsheet properties in an inventory database and assign risk scores based on their importance, use and complexity. Consequently, auditing processes can be targeted to high risk spreadsheets. Such a method saves time, effort, and money.

Software Engineering

Brandon Weber

DOI: https://doi.org/10.48550/arXiv.0711.4634

2007-11-29

Computers and Society

Abstract:Most organizations today use spreadsheets in some form or another to support critical business processes. However the financial resources, and developmental rigor dedicated to them are often minor in comparison to other enterprise technology. The increasing focus on achieving regulatory and other forms of compliance over key technology assets has made it clear that organizations must regard spreadsheets as an enterprise resource and account for them when developing an overall compliance strategy. This paper provides the reader with a set of practical strategies for addressing spreadsheet compliance from an organizational perspective. It then presents capabilities offered in the 2007 Microsoft Office System which can be used to help customers address compliance challenges.

Grenville J. Croll,Raymond J. Butler

DOI: https://doi.org/10.48550/arXiv.0710.0871

2007-10-03

Computers and Society

Abstract:There is overwhelming evidence that the continued and widespread use of untested spreadsheets in business gives rise to regular, significant and unexpected financial losses. Whilst this is worrying, it is perhaps a relatively minor concern compared with the risks arising from the use of poorly constructed and/or untested spreadsheets in medicine, a practice that is already occurring. This article is intended as a warning that the use of poorly constructed and/or untested spreadsheets in clinical medicine cannot be tolerated. It supports this warning by reporting on potentially serious weaknesses found while testing a limited number of publicly available clinical spreadsheets.

Thomas Lemon,Ewen Ferguson

DOI: https://doi.org/10.48550/arXiv.1009.1404

2010-09-08

Abstract:Spreadsheets are used extensively within today's organisations. Although spreadsheets have many benefits, they can also present a significant risk exposure, requiring appropriate management. Protiviti has worked with a number of organisations, ranging in size up to huge multi-nationals, to help them build appropriate spreadsheet governance frameworks, including the design and implementation of policies, minimum design standards, control processes, training and awareness programmes and the consideration and implementation of spreadsheet management tools. This paper presents a case-study explaining the practical and pragmatic approach that was recently taken to control spreadsheet risk at one of Protiviti's clients - a global energy firm.

Software Engineering,Computers and Society

D. Price

DOI: https://doi.org/10.48550/arXiv.0711.4613

2007-11-28

Computers and Society

Abstract:Her Majestys Revenue & Customs (HMRC) was born out of the need to create a UK tax authority by merging both the Inland Revenue and HM Customs & Excise into one department. HMRC encounters spreadsheets in tax-payers systems on a very regular basis as well as being a heavy user of spreadsheets internally. The approach to spreadsheet risk assessment and spreadsheet audit is by the use of trained computer auditors and data handlers. This, by definition, limits the use of our specialist spreadsheet audit tool to such trained staff. In order to tackle the growing use of spreadsheets, a new way of approaching the problem has been piloted. The aim is to issue all staff who come across spreadsheets with a simple to use analysis and risk assessment tool, based on the departmental software SpACE (Spreadsheet Audit & Compliance Examination).

John C. Nash,Neil Smith,Andy Adler

DOI: https://doi.org/10.48550/arXiv.0807.3168

IF: 6.4588

2008-07-20

Human-Computer Interaction

Abstract:Because spreadsheets have a large and growing importance in real-world work, their contents need to be controlled and validated. Generally spreadsheets have been difficult to verify, since data and executable information are stored together. Spreadsheet applications with multiple authors are especially difficult to verify, since controls over access are difficult to enforce. Facing similar problems, traditional software engineering has developed numerous tools and methodologies to control, verify and audit large applications with multiple developers. We present some tools we have developed to enable 1) the audit of selected, filtered, or all changes in a spreadsheet, that is, when a cell was changed, its original and new contents and who made the change, and 2) control of access to the spreadsheet file(s) so that auditing is trustworthy. Our tools apply to OpenOffice.org calc spreadsheets, which can generally be exchanged with Microsoft Excel.

Victoria Lemieux

DOI: https://doi.org/10.48550/arXiv.0803.3231

2008-03-22

Abstract:This paper maintains that archiving has been overlooked as a key spreadsheet internal control. The case of failed Jamaican commercial banks demonstrates how poor archiving can lead to weaknesses in spreadsheet control that contribute to operational risk. In addition, the Sarbanes-0xley Act contains a number of provisions that require tighter control over the archiving of spreadsheets. To mitigate operational risks and achieve compliance with the records-related provisions of Sarbanes-Oxley, the author argues that organisations should introduce records management programmes that provide control over the archiving of spreadsheets. At a minimum, spreadsheet archiving controls should identify and ensure compliance with retention requirements, support document production in the event of regulatory inquiries or litigation, and prevent unauthorised destruction of records.

Software Engineering,Computers and Society

Yusuf Jafry,Fredrika Sidoroff,Roger Chi

DOI: https://doi.org/10.48550/arXiv.0803.1748

2008-03-12

Software Engineering

Abstract:We present Risk Integrated's Enterprise Spreadsheet Platform (ESP), a technical approach to the near-elimination of spreadsheet risk in the enterprise computing environment, whilst maintaining the full flexibility of spreadsheets for modelling complex financial structures and processes. In its Basic Mode of use, the system comprises a secure and robust centralised spreadsheet management framework. In Advanced Mode, the system can be viewed as a robust computational framework whereby users can "submit jobs" to the spreadsheet, and retrieve the results from the computations, but with no direct access to the underlying spreadsheet. An example application, Monte Carlo simulation, is presented to highlight the benefits of this approach with regard to mitigating spreadsheet risk in complex, mission-critical, financial calculations.

Daniel Kulesz

DOI: https://doi.org/10.48550/arXiv.1111.6878

2011-11-30

Abstract:Thanks to the enormous flexibility they provide, spreadsheets are considered a priceless blessing by many end-users. Many spreadsheets, however, contain errors which can lead to severe consequences in some cases. To manage these risks, quality managers in companies are often asked to develop appropriate policies for preventing spreadsheet errors. Good policies should specify rules which are based on "known-good" practices. While there are many proposals for such practices in literature written by practitioners and researchers, they are often not consistent with each other. Therefore no general agreement has been reached yet and no science-based "golden rules" have been published. This paper proposes an expert-based, retrospective approach to the identification of good practices for spreadsheets. It is based on an evaluation loop that cross-validates the findings of human domain experts against rules implemented in a semi-automated spreadsheet workbench, taking into account the context in which the spreadsheets are used.

Software Engineering

Nancy Wu

DOI: https://doi.org/10.48550/arXiv.1111.5007

2011-11-21

Software Engineering

Abstract:Recognizing that the use of spreadsheets within finance will likely not subside in the near future, this paper discusses a major barrier that is preventing more organizations from adopting enterprise spreadsheet management programs. But even without a corporate mandated effort to improve spreadsheet controls, finance functions can still take simple yet effective steps to start managing the risk of errors in key spreadsheets by strategically selecting controls that complement existing user practice

Roland T. Mittermeir,Markus Clermont,Karin Hodnigg

DOI: https://doi.org/10.48550/arXiv.0801.4268

2008-01-28

Abstract:Previous research on spreadsheet risks has predominantly focussed on errors inadvertently introduced by spreadsheet writers i.e. it focussed on the end-user aspects of spreadsheet development. When analyzing a faulty spreadsheet, one might not be able to determine whether a particular error (fault) has been made by mistake or with fraudulent intentions. However, the fences protecting against fraudulent errors have to be different from those shielding against inadvertent mistakes. Faults resulting from errors committed inadvertently can be prevented ab initio by tools that notify the spreadsheet writer about potential problems whereas faults that are introduced on purpose have to be discovered by auditors without the cooperation of their originators. Even worse, some spreadsheet writers will do their best to conceal fraudulent parts of their spreadsheets from auditors. In this paper we survey the available means for fraud protection by contrasting approaches suitable for spreadsheets with those known from fraud protection for conventional software.

Computers and Society,Cryptography and Security

Simon Murphy

DOI: https://doi.org/10.48550/arXiv.0801.3853

2008-01-25

Abstract:The spreadsheet paradigm has some unique risks and challenges that are not present in more traditional development technologies. Many of the recent advances in other branches of software development have bypassed spreadsheets and spreadsheet developers. This paper compares spreadsheets and spreadsheet development to more traditional platforms such as databases and procedural languages. It also considers the fundamental danger introduced in the transition from paper spreadsheets to electronic. Suggestions are made to manage the risks and work around the limitations.

Software Engineering,Computers and Society

Mbwana Alliy,Patty Brown

DOI: https://doi.org/10.48550/arXiv.0809.3597

IF: 6.4588

2008-09-21

Human-Computer Interaction

Abstract:Accounting and Finance (A&F) Professionals are arguably the most loyal and concentrated population of spreadsheet users. The work that they perform in spreadsheets has the most significant impact on financial data and business processes within global organizations today. Spreadsheets offer the flexibility and ease of use of a desktop application, combined with the power to perform complex data analysis. They are also the lowest cost business IT tool when stacked up against other functional tools. As a result, spreadsheets are used to support critical business processes in most organizations. In fact, research indicates that over half of financial management reporting is performed with spreadsheets by an accounting and finance professional. A disparity exists in the business world between the importance of spreadsheets on financial data (created by A&F Professionals) and the resources devoted to: The development and oversight of global spreadsheet standards; A recognized and accredited certification in spreadsheet proficiency; Corporate sponsored and required training; Awareness of emerging technologies as it relates to spreadsheet use. This management paper focuses on the current topics relevant to the largest user group (A&F Professionals) of the most widely used financial software application, spreadsheets, also known as the accountant's hammer.

Keith Bishop

DOI: https://doi.org/10.48550/arXiv.0803.0011

2008-02-29

Other Computer Science

Abstract:Much of what EuSpRIG discusses is concerned with the integrity of individual spreadsheets. In businesses, interlocking spreadsheets are regularly used to fill functional gaps in core administrative systems. The growth and deployment of such integrated spreadsheet SYSTEMS raises the scale of issues to a whole new level. The correct management of spreadsheet systems is necessary to ensure that the business achieves its goals of improved performance and good corporate governance, within the constraints of legislative compliance - poor management will deliver the opposite. This paper is an anatomy of the real-life issues of the commercial use of spreadsheets in business, and demonstrates how Qtier-Rapor has been used to instil best practice in the use of integrated commercial spreadsheet systems.

Grenville J. Croll

DOI: https://doi.org/10.48550/arXiv.0908.4420

2009-08-31

Abstract:We briefly review the well-known risks, weaknesses and limitations of spreadsheets and then introduce some more. We review and slightly extend our previous work on the importance and criticality of spreadsheets in the City of London, introducing the notions of ubiquity, centrality, legality and contagion. We identify the sector of the financial market that we believed in 2005 to be highly dependant on the use of spreadsheets and relate this to its recent catastrophic financial performance. We outline the role of spreadsheets in the collapse of the Jamaican banking system in the late 1990's and then review the UK financial regulator's knowledge of the risks of spreadsheets in the contemporary financial system. We summarise the available evidence and suggest that there is a link between the use of spreadsheets and the recent collapse of the global financial system. We provide governments and regulating authorities with some simple recommendations to reduce the risks of continued overdependence on unreliable spreadsheets. We conclude with three fundamental lessons from a century of human error research.

Computers and Society,Human-Computer Interaction

Kevin McDaid,Ronan MacRuairi,Neil Clynch,Kevin Logue,Cian Clancy,Shane Hayes

DOI: https://doi.org/10.48550/arXiv.1111.6866

2011-11-29

Software Engineering

Abstract:Spreadsheet technology is a cornerstone of IT systems in most organisations. It is often the glue that binds more structured transaction-based systems together. Financial operations are a case in point where spreadsheets fill the gaps left by dedicated accounting systems, particularly covering reporting and business process operations. However, little is understood as to the nature of spreadsheet usage in organisations and the contents and structure of these spreadsheets as they relate to key business functions with few, if any, comprehensive analyses of spreadsheet repositories in real organisations. As such this paper represents an important attempt at profiling real and substantial spreadsheet repositories. Using the Luminous technology an analysis of 65,000 spreadsheets for the financial departments of both a government and a private commercial organisation was conducted. This provides an important insight into the nature and structure of these spreadsheets, the links between them, the existence and nature of macros and the level of repetitive processes performed through the spreadsheets. Furthermore it highlights the organisational dependence on spreadsheets and the range and number of spreadsheets dealt with by individuals on a daily basis. In so doing, this paper prompts important questions that can frame future research in the domain.