S T U DY U N I T 6

Spreadsheet security, risks and controls

In this study unit

96

6.1 Introduction
In the previous study unit we showed you what a powerful tool Microsoft Office Excel can be
when it is used to perform calculations, present reports and charts and analyse data.

Spreadsheets have become an essential tool for numerous entities, many of whom cannot
function without the use of spreadsheets. This is why spreadsheet security and control have
become so important to ensure that spreadsheets, which organisations rely on, are not
compromised, leading to incorrect calculations, reports, charts and data analysis, which in
turn could lead to incorrect management decisions.

In this study unit we will focus specifically on spreadsheet security, risks and controls.

The learning outcomes of this study unit are as follows:

• list the inherent risks of spreadsheet software

• describe the controls to minimise or address the risks of spreadsheet software
• apply security and privacy settings to Microsoft Office Excel documents

The following icons are included in this study unit:

ICON DESCRIPTION

This icon indicates reading material you must study.

This icon indicates the documents used in the process.

Open Rubric
 This icon indicates that you need to self-reflect.

This icon indicates that you need to do some critical thinking.

This icon illustrates an activity you must complete.

This icon indicates that you need to click on the link to view a brief video file.

This icon indicates that you need to refer to AIN1501.

6.2 Spreadsheet risks

Many things can go wrong with spreadsheets. Unauthorised modifications or data input
may occur, resulting in incorrect output, be it intentional or unintentional. There is also the
possibility of errors contained in the formulas and functions used to perform calculations in
spreadsheets.

Thus to assess the risk potential for certain spreadsheets, the following factors have to be
considered:

• Complexity. Spreadsheets containing complex calculations and functions, including

the use of macros with multiple sources of input, present a greater potential risk owing to
the complex calculations.
• Frequency of use and updating. Spreadsheets that are frequently used or updated
pose a greater potential risk owing to the potential for incorrect input or updating of
information or modification of calculations.
• Number of users using a spreadsheet. Spreadsheets that are used by more users
have a greater potential risk, especially if these users can enter data or change formulas
and functions.
• Time in use. This relates to spreadsheets that are used for a long time (a year or
longer). The potential risk increases because the initial data entered may be incorrect,
potentially leading to subsequent data being negatively affected in future months.

Hence unauthorised modifications or data entry, or spreadsheets containing errors either

because of incorrect data being entered or incorrect formulas or functions being used in
calculations will lead to errors, with management making incorrect decisions.

2
Owing to the structural design of spreadsheets, a minor change in a formula or value or in
any of their input cells may affect their overall output, where manual errors may also go
undetected.

Because the user only sees the results on the face of the spreadsheet or printed report,
these errors could easily go unnoticed.

Typical errors include

• accidental copy-paste
• omission of a negative sign
• erroneous range selection
• incorrect data input
• unintentional deletion of a character, cell, range, column or row
• sorting of only a portion of the data range

Another common error is the possibility of the user working on the wrong spreadsheet
version.

The potential consequences of one or more of the above errors occurring or security
being breached with unauthorised modifications to spreadsheets could result in:
• financial loss or bankruptcy of an organisation
• incorrect costing or budgeting
• public embarrassment, adverse news coverage or loss of reputation
• loss of investor confidence
• loss of share value
• loss of financial control
• career damage
• lawsuits

3
 6.3 Spreadsheet controls
With the potential risks of a breach in security or the occurrence of an error in
spreadsheets, management will need to implement controls to minimise the risks
identified.
There are various ways of controlling spreadsheets. One is to make regular back-
ups of spreadsheets and to audit working versions of spreadsheets from time to
time to check any changes made to ensure that the spreadsheet still works as it was
intended to.

Spreadsheet use also poses inherent risks. These risks can be lessened by
reducing the number of spreadsheets in use. The use of tested and audited
templates for frequently recreated spreadsheets can also decrease risks.

The following controls (including security controls) may be implemented for

spreadsheets:

• Change control. Spreadsheet changes including changes in formulas and

functions need written approval, review and acceptance in order to maintain data
integrity.
• Access control. General IT controls should protect spreadsheets from
unauthorised outside access.
̶ Low-risk spreadsheets residing on a user’s computer system require
password protection.
̶ High-risk spreadsheets need to be stored on a server that has a
secure file directory. Access rights to these folders need to be restricted to the
authorised users.

• General security controls. General security controls relating to file access

controls that may be implemented are as follows:
- a password required for opening or reading workbooks
- a password required to make changes to the workbook structure
- a password required for changing the content in a sheet or cell

A password may encrypt the specific workbook, the structure or the cells in a
spreadsheet. Note, however, that commercial hackers may use various
programs available on the internet to obtain the password for a file – hence
password protection alone may not be sufficient.

The following steps should also be followed and communicated to the users of
spreadsheets that are password protected to ensure that their passwords stay
safe and that this is regarded as good practice for password protection:
- Do not share the password with anyone.
- Do not write the password down and place it where people can find it.
- Do not use an obvious password (eg birthdays or names) that someone
could easily guess.
- Use a combination of letters and numbers.
- Include uppercase and lowercase letters, numbers and symbols in the
password.
- Use numbers to represent letters, for instance, 3 for your E and 1 for i.
- Passwords should be eight or more characters in length.
- Change passwords regularly if needed.

• Input control. Spreadsheet input data needs to be verified to the original source
data for accuracy. Another person also needs to trace inputs back to original
source data.
• Logical inspection. An independent person other than the spreadsheet user should
test the formulas and functions for correctness. Only one logical inspection per
spreadsheet is required if the other controls are working effectively.

4
 Another facet of logical inspection is the inclusion of fixed values in formulas. A formula
should never contain a fixed (“hard-coded”) value. Even “permanently” fixed components
(eg tax rate) can change in the context of business operations. To prevent these types of
mistakes you could separate the input components from the formulas by having a data input
section/sheet in which you can easily identify the various inputs and assumptions on the
face of the spreadsheet and update these without the need to change the detailed
formulas/ functions. The use of control balances may also prove helpful to ensure the
soundness of formulas or input on spreadsheets.

In so doing, the use of formulas and functions becomes much more flexible, with a decrease
in potential errors caused by the inclusion of an incorrect fixed value.

(a) Display formulas

You may be auditing formulas and you need to see all the formulas on the worksheet. You
can use the following procedures to control the hiding or displaying of formulas:

There are two ways to switch between displaying formulas and their values on a
worksheet:

• Using an icon/command:
– Click on the Formulas tab on the Ribbon.
– In the Formula Auditing group, click on the Show Formulas icon.

OR

• Using the keyboard:

- Press CTRL and ~ (the grave accent) simultaneously

6.4 Microsoft Office Excel security controls

Microsoft Office Excel provides various levels of security and protection, allowing
you to control who can access and change the file’s data. To protect a workbook
containing data you can do the following:

• Optimal security. Protect your entire workbook file with a password allowing
only authorised users to view or modify the data.
• Additional protection of specific data. Protect certain worksheet or
workbook elements, with or without a password. This will help to prevent users
from accidentally or intentionally changing, moving or deleting data, formulas or
functions.

In the next activities we will demonstrate how to do

both.

5
 6.4.1 Using passwords to help secure an entire workbook

You can secure an entire workbook

• by restricting who can open and use the workbook data
• by requiring a password to view or to save changes to the workbook

For optimal password security, always assign a password to open and view the file. In
section 4.2 you will learn how to give only certain users permission to modify data or
workbook elements.

Before you start the next practical section, start/open the Microsoft Office Excel Program.

(a) To encrypt your workbook and set a password to open it

Com pute r a c ti v i ty 6 .1 – Pa ss w or d pr ote cti ng the

w hol e Wor k book
•
•

• In an open spreadsheet, click the File tab.

• Click on Info.
• This will open the Info menu options.
• Click on the arrow below Protect Workbook. The following options appear:

6
• Select Encrypt with Password, the Encrypt Document dialog box appears.

• Type in the password, and click on OK

- Take note that you choose a password you will be able to remember
later on
- Take the guidelines for good practice for password protection in
section 3 into consideration

• In the Confirm Password dialog box, in the Reenter password box, type the
password again, and then click OK.

• To save the password, save the file.

• After typing the password, the “Protect Workbook” option colour filling
changes from white to light-brown as per above with a message: “A
password is required to open this workbook”

7
 • Close the workbook, and open it again.
• Before opening, the workbook should first prompt you to put in a password,
see below:

6.4.2 Protecting a specific worksheet or workbook elements

When you share a workbook with other users in order to work together on the data, you may
want to protect data in specific worksheets or workbook elements to prevent it from being
changed/edited by other users. Passwords may be used to enable users to enter so that
they can modify specific workbook and worksheet elements that are protected.

The difference between a workbook and a worksheet can be explained as follows:

• A workbook is the actual Microsoft Office Excel file that stores all the entered data and
information. Workbooks contain worksheets.
• A worksheet, also known as a spreadsheet, is the combination of cells that contain
data, which the user can enter and manipulate.

NOTE

Workbook element and worksheet element protection is not workbook-level password security (as per 4.1
above). Element protection cannot protect a workbook from users with malicious intent.

6.4.2.1 Protecting worksheet elements

When you protect a worksheet, all cells on the worksheet are locked by default, and
users cannot make any changes to a locked cell. For example, they cannot insert,
modify, delete or format data in a locked cell. However, you can specify which
elements users will be allowed to change when you protect the worksheet.

To protect worksheet elements

8
 Computer activity 6.2

(a) To protect a worksheet

• Select the worksheet you want to protect.

• On the Review tab, in the Changes group, click Protect Sheet.

As noted above, all cells on the worksheet are locked by default.

Type
password

• In the Password to unprotect sheet box, type a password for the sheet,
click OK and then retype the password to confirm it.

• To unlock a protected worksheet, click on “Review” tab then Unprotect

Sheet

• Then type in password to unprotect the sheet

9
 (b) To unprotect an individual cell(s) within an already protected a
worksheet

Perform these procedures if you want to allow users to be able to

change/amend specific cell(s) within a locked/protected worksheet.
If locked, you need to unlock the whole protected sheet per (a) above.
• Select/highlight the cell(s) you want to unlock and allow
changes/amendment to be done to those.
• Select cell B5
• Right click and select the “Format Cells” option.
• Click on “Protection” tab, then unselect (clear) the “Locked” check box
• Click on OK.
• Then lock/protect the whole worksheet again as outlined in (a) above.
• The whole worksheet is now locked except for the cell you have
highlighted above (B5).

(c) To hide formulas in a protected worksheet:

Perform these procedures if you do not want users to view/see certain

formulas within a locked/protected worksheet.

• If locked, first unlock/unprotect the whole protected sheet as per (a)

above.
• Select/highlight the cell(s) with the formulas you want to hide for
viewing.
• Select cell AB45
• Right click and select “Format Cells” option
• Click on “Protection” tab and select the “Hidden” check box
• Click on OK.
• Lock/protect the whole worksheet again as outlined in (a) above.
• All the formulas in the worksheet are now visible except for the cell
you have highlighted above (AB45).

10
 (d) To unlock any graphic objects inserted in worksheet (such as
pictures, clip art, shapes or Smart Art Graphic)

Perform these procedures if you wish to lock any image/object inserted

in the worksheet.
• If locked, first unlock/unprotect the worksheet as per (a) above.
• Hold down the CTRL key (on the keyboard) and then click on the
object you wish to lock/unlock
• A “Format” tab will then appear on the Ribbon.
• Click on the Format tab
• In the Size group, click the Dialog Box Launcher
• The “Format Shape” window will open to the right of your screen.

Image/Object or
Picture inserted in
the worksheet

• On the Properties drop-down menu, clear the Locked check box.

NOTE

The password is optional. If you do not supply a password, any user can unprotect the sheet
and change the protected elements. Make sure that you choose a password that is easy to
remember, because if you lose the password, you cannot gain access to the protected
elements on the worksheet.

6.4.2.2 Protecting the WORKBOOK

Computer activity 6.3

(a) To protect/lock the workbook

11
 • On the Review tab, in the Changes group, click Protect Workbook.
• A “Protect Structure and Windows” window will open.
• To protect the structure of a workbook, select the Structure check box.
• To keep the workbook windows in the same size and position every time the
workbook is opened, select the Windows check box.
• To prevent other users from removing workbook protection, in the Password
(optional) box, type a password, click OK.
• Click OK.
Retype the password to confirm it.

To remove protection from a worksheet

(b) To remove protection from a worksheet

• On the Review tab, in the Changes group, click the greyed-out

“Protect Workbook”
• Type in the password in the “Unprotect Workbook” window.
• Click OK.

12
6.4.3 Protecting confidential data in a workbook
Hiding, locking and protecting workbook and worksheet elements are not intended to
secure or protect any confidential information you keep in a workbook. This will only help
obscure data or formulas that might confuse other users and prevent them from viewing
or making changes to that data.

Excel does not encrypt data that is hidden or locked in a workbook. To help keep confidential
data confidential, you may want to limit access to workbooks containing such information
by storing them in a location that is available only to authorised users.

Activity 6

After working through this study unit, you should be able to answer the
following:

Jane is an accountant at a multinational organisation. She is responsible for all

the monthly salary calculations. The financial manager, John, to whom Jane
directly reports, has previously emphasised the importance of keeping the
company’s salary information confidential. He insisted that Jane password protect
the salary spreadsheets, of which only he and Jane know the passwords.

For every month’s salary calculation spreadsheet that Jane uses, she scribbles
the passwords on a piece of paper and then sticks it on the front of her wall
calendar at the applicable month. She uses the name of her pet parrot, Polly,
together with the applicable month as the password for the monthly salary
spreadsheets.

(a) (i) Advise Jane on what good password practice is and what she should
refrain from doing with reference to the case study above.
(ii) Advise Jane on whether she should use a password to secure the entire
workbook or password to secure the specific worksheet. Briefly explain why.

(b) List and explain the factors to consider when assessing the potential risks of a
spreadsheet.

Go to Discussion Forum 6 and discuss this with your fellow students.

Guidelines for participating in forums:

• Compile your post offline and keep a record of it.
• Use an academic writing style for referencing and citing the sources you used.
• Post your answer on the Forum.
• Reply to contributions of at least two of your fellow students.

6.5 Summary
In this study unit we discussed and described spreadsheet risks and controls. We specifically
discussed factors to consider when assessing the potential risk of spreadsheets, including
the consequences of errors contained in spreadsheets. We looked at controls that can be
implemented to minimise the risks identified. Lastly, we focused on certain security and
privacy controls that are included in Microsoft Office Excel that you can use to protect
your data, formulas and functions.

13