E.5-Ray Butler Controlling The Subversive Spreadsheet
Spreadsheets are the ubiquitous Swiss Army knife of corporate computing. Since VisiCalc
put the Apple II on corporate desks in the early 1980s, and Lotus 1-2-3 did the same for the
IBM PC, it has become impossible to imagine a corporate IT network without a spreadsheet.
Indeed it’s almost impossible to buy a PC that doesn’t ship with spreadsheet software of
some sort.
Spreadsheets fuelled the PC revolution by freeing business people from what many saw as
the inability of IT departments to deliver flexible solutions to business problems. End-users
found that they could download huge volumes of corporate data and analyse it in all sorts of
ways to solve their problems and plan their forecasts. Spreadsheets are used for anything
from an individual’s personal expenses and time records, by way of use in medicine to
calculate doses of drugs and radiation, engineering in structural strength and design,
through to complex financial calculations and reports.
"...spreadsheets will always fill the void between what a business needs today and
the formal installed systems..." 1
Trouble was (and still is), that for important applications and models the IT department’s
restrictions and controls actually delivered checks and balances to prevent errors and
ensure that solutions in use were reliable. Even so, tales of large errors in spreadsheets soon
began to circulate. Many of them are documented by the European Spreadsheet Risks
Interest Group (www.eusprig.org).
“Spreadsheets are integral to the function and operation of the global financial
system” 3
So, how can professionals manage spreadsheet quality up and spreadsheet risks down?
2 Grenville Croll, The Importance and Criticality of Spreadsheets in the City of London, http://aps.arxiv.org/ftp/arxiv/papers/0709/0709.4063.pdf
Inventory spreadsheets.
Find out what is actually on the corporate network or in the document management
system.
Evaluate the use and complexity of spreadsheets.
What are they being used for? How much damage to finance, reputation, delivery or
regulatory compliance would a material error cause? How complex are they? The
inherent risk of error increases with complexity.
Determine the necessary level of controls.
Once the important spreadsheets are identified, and the impact of material errors is
understood, decide what controls need to be in place to reduce the risk of errors.
Evaluate existing “as is” controls.
For each important spreadsheet, identify the gaps between necessary and actual
controls.
Remediate control deficiencies.
Close the gaps!
So far so good—but how? First, consider the need to engage some expert support. There
are a good number of consultants in the market and most large accountancy and
consultancy firms have spreadsheet assurance practices.
Inventory – A number of software tools are available that will identify every spreadsheet on
a network (or part thereof) and report back on their location, age, last use and complexity,
typically in terms of numbers of worksheets, formulas, distinct formulas (‘families’ of
formulas that are logically identical) and internal and external links. Users are often taken
aback by the huge number of differently named and subtly different versions of
spreadsheets that they find, which itself poses a risk (imagine – different members of a team
believing that their copy is the one version of the truth).
Use and Complexity – The reports from the inventory will (along with some research and
face-to-face fieldwork with users) direct users to the most important spreadsheets in the
organisation. This will allow resources to be directed at the highest risks.
Necessary Level of Controls – In other words, what needs to be in place to ensure that:
The spreadsheet is designed to address the right business issue. It’s surprising how
often developers miss or misunderstand important assumptions or business rules.
The “on the ground” spreadsheet actually delivers the intended calculations. Again,
errors in formulas can propagate very easily and corrupt the end result.
The spreadsheet is protected against unauthorised changes and unauthorised
access.
The numbers that are uploaded to or typed into the spreadsheet are complete and
accurate.
A user other than the person who built the spreadsheet can operate it correctly.
The spreadsheet is maintainable and comprehensible.
Standards and policies for spreadsheet use and development in the organisation
The maturity/quality of the specification, design, documentation and testing of the
original spreadsheet and updates to it. (It is horrifying to consider the number of
important spreadsheets that show no evidence of intelligent design.)
The spreadsheet itself – Again, software tools are available that will cut out a lot of
the repetitive and tedious parts of this (for example by identifying all the logically
identical formulas so that testing of the copies can be limited to ensuring that they
are used appropriately), but there is no substitute for checking by a knowledgeable
auditor.
Security, backup and version control
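The inventory metrics described above (worksheets, formulas, formula 'families', external links), and the grouping of logically identical formulas that lets testing concentrate on the originals and the odd ones out, can be computed directly from an .xlsx file. The following is an added illustration, not code from the original article or from any tool it refers to; the function names, the constructed sample workbook and the reliance on conventional OOXML part names are assumptions.

```python
import collections, io, re, zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REF = re.compile(r"(?<![A-Za-z0-9_])(\$?)([A-Z]{1,3})(\$?)(\d+)(?![A-Za-z0-9_(])")

def col_num(letters):
    return sum((ord(ch) - 64) * 26 ** i for i, ch in enumerate(reversed(letters)))

def to_r1c1(formula, cell):
    """Rewrite A1 refs relative to the host cell so copies compare equal (quoted strings not parsed)."""
    home = REF.fullmatch(cell)
    hc, hr = col_num(home[2]), int(home[4])
    def sub(m):
        c, r = col_num(m[2]), int(m[4])
        return (f"R{r}" if m[3] else f"R[{r - hr}]") + (f"C{c}" if m[1] else f"C[{c - hc}]")
    return REF.sub(sub, formula)

def profile(xlsx_bytes):
    """Inventory metrics for one .xlsx; assumes the conventional OOXML part names."""
    families, sheets = collections.Counter(), 0
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = z.namelist()
        links = sum(bool(re.fullmatch(r"xl/externalLinks/externalLink\d+\.xml", n)) for n in names)
        for name in (n for n in names if re.fullmatch(r"xl/worksheets/[^/]+\.xml", n)):
            sheets, shared = sheets + 1, {}
            for c in ET.fromstring(z.read(name)).iterfind(".//m:c", NS):
                if (f := c.find("m:f", NS)) is None:
                    continue
                if f.text:  # literal formula, or the master cell of a shared formula
                    key = to_r1c1(f.text, c.get("r"))
                    if f.get("t") == "shared":
                        shared[f.get("si")] = key
                else:  # a filled-down copy is stored as an empty <f t="shared" si=".."/>
                    key = shared.get(f.get("si"), "<unresolved>")
                families[key] += 1
    return {"worksheets": sheets, "formulas": sum(families.values()),
            "families": dict(families), "external_links": links}

def sample_workbook():  # constructed input holding only the parts profile() reads
    ws = f'<worksheet xmlns="{NS["m"]}"><sheetData>%s</sheetData></worksheet>'
    s1 = ws % '<c r="C2"><f>A2*B2</f></c><c r="C3"><f>A3*B3</f></c><c r="C4"><f>A4+B4</f></c>'
    s2 = ws % '<c r="B1"><f t="shared" ref="B1:B2" si="0">A1*$D$1</f></c><c r="B2"><f t="shared" si="0"/></c>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", s1)
        z.writestr("xl/worksheets/sheet2.xml", s2)
        z.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
    return buf.getvalue()
```

Calling `profile(sample_workbook())` reports five formulas in three families; the single-member family (`A4+B4` in a column of multiplications) is the kind of break in a copied pattern a reviewer would look at first. When run over files from untrusted sources, a hardened XML parser and limits on decompressed size are advisable.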
Steps Include:
You will find links to all the resources and tools on www.eusprig.org and on the spreadsheet
best practices site of Systems Modelling, www.sysmod.com/spreads.htm.
Ray Butler has just retired as head of Information Policy and Security at the Highways
Agency and is now an independent information risk and governance consultant. He has
recently co-presented a one-day workshop on Auditing Spreadsheet Risk & Quality at
ISACA’s EuroCACS conference, 20-23 March 2011, Manchester, UK
(www.isaca.org/eurocacs).