"Spreadsheets may well represent the largest unaddressed risk confronting our use of IT today," said Jay Heiser, a research vice president specializing in IT risk management at Gartner Inc.
The spreadsheet is a powerful business tool: It functions as a program, a database, a file, and a data sharing application containing structured (and unstructured) data. The people who create spreadsheets, however, are for the most part not programmers and therefore do not take advantage of the lessons learned over a half-century of computer science, Heiser said. "It is a unique form of IT, and it is placed squarely in the hands of people who don't understand IT risk management conventions."
That lack of risk management smarts has led to serious problems for companies, as documented in the collection of spreadsheet horror stories on the website of the European Spreadsheet Risks Interest Group. Despite the risks posed by uncontrolled spreadsheet use -- from data leakage and inadvertent error to deliberate fraud -- in many companies there's no one responsible for spreadsheet management. Users, certainly those power users who have built professional reputations on the backs of their spreadsheets, have resisted such oversight. Plus, because spreadsheets' underlying logic changes frequently, most will never be converted to purpose-built applications. That fact makes spreadsheet controls and governance all the more important, Heiser and others note.
Until recently, regulatory bodies paid spreadsheets little attention. Section 404 of the 2002 Sarbanes-Oxley Act (SOX), which requires public companies to assess their internal controls over financial reporting, in effect obliged them to put change management controls on the spreadsheets used for financial reporting. That requirement, however, does not address the broad risks lurking in the hoard of other spreadsheets used throughout the business, according to Michael Rasmussen, founder of Waterford, Wis.-based governance, risk and compliance (GRC) advisory firm Corporate Integrity LLC. To comply with SOX requirements, he recommends replacing spreadsheets altogether with GRC management platforms from such vendors as Axentis, now part of Wolters Kluwer NV; BWise Inc.; and IBM-owned OpenPages Inc.
The economic downturn seems to have further dampened interest in spreadsheets, even that of companies eager to find a technology product to help automate spreadsheet management. After a flurry of inquiries a few years ago, calls dropped off, Gartner's Heiser said: "It's a technology that Gartner is not currently covering."
Innovation and change keep spreadsheets alive
There are signs, however, that interest in managing the threat of uncontrolled spreadsheet use is intensifying. An increasing number of international regulatory and advisory organizations have published guidance on controls for spreadsheets and other user-developed applications. That guidance includes:
• Guidance from the Institute of Internal Auditors for auditing user-developed applications.
• Deloitte's seven questions to jump-start a spreadsheet management program (see sidebar above).
One reason the use of spreadsheets remains unfettered is that businesses must adapt to ever-changing conditions, according to Ralph Baxter. Updating vendor-built solutions takes time, and while vendors update and companies implement, spreadsheets fill the gap.
Baxter is CEO of London-based ClusterSeven Ltd., one of a relatively small group of providers that sell spreadsheet management software. Others include Finsbury Solutions Ltd., also based in London; CimCon Software Inc. in Boston; and Pleasanton, Calif.-based Prodiance Corp. According to Gartner, all four vendors' products offer such capabilities as cell-level auditing and logging, automated discovery of spreadsheets, access control, and quality improvement.
Baxter recommended three steps for companies trying to get a handle on spreadsheet use. The process and ensuing governance rules can be supported and automated by software that sits in the background like a virus checker and alerts the person or group responsible for the spreadsheet only when a rule is broken:
1. Take an inventory of your spreadsheet world and use risk-assessment rules to get a picture of its current state. For example, look for error cells, hidden data, bad logic and the word "confidential."
2. Weed out the spreadsheets you don't need, replace the bad ones, and apply business rules to help people amend the spreadsheets that are most important to the business.
3. Put the remaining spreadsheets under "active management" and put a layer of new rules on top of them to confirm that users have not broken the business rules that apply to the spreadsheet (for example, making sure that data that shouldn't change indeed hasn't been altered).
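The three steps can be reduced to a small amount of code. The following is an added example, not code from the article or from any of the vendors it names: a standard-library Python scanner that reads the raw XML inside an .xlsx package, applies step 1's rules (error cells, hidden sheets, the word "confidential", and, as one heuristic for "bad logic", a numeric constant hard-coded inside a formula), and implements step 3 by fingerprinting the cells that must not change so a later run can prove they have not been altered. The sample workbook, the rule names and the magic-number heuristic are assumptions constructed for the example.

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
R_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed sample workbook (not a real file): a "confidential" marker, a
# #DIV/0! error cell, a magic number inside a formula, and a hidden sheet.
WORKBOOK_XML = f'''<workbook xmlns="{NS[1:-1]}" xmlns:r="{R_NS[1:-1]}"><sheets>
<sheet name="Report" sheetId="1" r:id="rId1"/>
<sheet name="Scratch" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>'''
RELS_XML = f'''<Relationships xmlns="{PKG_NS[1:-1]}">
<Relationship Id="rId1" Type="worksheet" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="worksheet" Target="worksheets/sheet2.xml"/></Relationships>'''
SHEET1_XML = f'''<worksheet xmlns="{NS[1:-1]}"><sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>CONFIDENTIAL - board pack</t></is></c>
<c r="B1"><v>1200</v></c></row>
<row r="2"><c r="A2" t="e"><f>B1/0</f><v>#DIV/0!</v></c>
<c r="B2"><f>B1*1.175</f><v>1410</v></c></row></sheetData></worksheet>'''
SHEET2_XML = f'''<worksheet xmlns="{NS[1:-1]}"><sheetData>
<row r="1"><c r="A1"><v>42</v></c></row></sheetData></worksheet>'''

# Assumed heuristic for "bad logic": a numeric literal other than 0/1 buried in a formula.
MAGIC_NUMBER = re.compile(r"(?<![A-Za-z$\d.])(\d+\.\d+|[2-9]|\d{2,})(?![\d.])")


def build_sample_workbook(tamper=False):
    """Zip the constructed XML parts into .xlsx bytes; tamper=True alters B1's value."""
    sheet1 = SHEET1_XML.replace("<v>1200</v>", "<v>1250</v>") if tamper else SHEET1_XML
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/_rels/workbook.xml.rels", RELS_XML)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", SHEET2_XML)
    return buf.getvalue()


def load_workbook(data):
    """Return ({sheet name: (is_hidden, sheet XML root)}, shared string table)."""
    z = zipfile.ZipFile(io.BytesIO(data))
    rels = {r.get("Id"): r.get("Target") for r in ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))}
    sst = []
    if "xl/sharedStrings.xml" in z.namelist():  # real files usually keep text here
        sst = ["".join(t.text or "" for t in si.iter(NS + "t"))
               for si in ET.fromstring(z.read("xl/sharedStrings.xml")).iter(NS + "si")]
    sheets = {}
    for s in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
        target = rels[s.get(R_NS + "id")]
        path = target.lstrip("/") if target.startswith("/") else "xl/" + target
        sheets[s.get("name")] = (s.get("state", "visible") != "visible", ET.fromstring(z.read(path)))
    return sheets, sst


def cell_text(c, sst):
    """Displayed text of a cell, resolving inline and shared strings."""
    if c is None:
        return ""
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(NS + "t"))
    v = c.find(NS + "v")
    if v is None:
        return ""
    return sst[int(v.text)] if c.get("t") == "s" else (v.text or "")


def scan_workbook(data):
    """Step 1: apply the risk-assessment rules to every cell and return findings."""
    sheets, sst = load_workbook(data)
    findings = []
    for name, (hidden, root) in sheets.items():
        if hidden:
            findings.append({"sheet": name, "cell": "", "rule": "hidden-sheet", "detail": "sheet hidden from users"})
        for c in root.iter(NS + "c"):
            ref, text, f = c.get("r"), cell_text(c, sst), c.find(NS + "f")
            if c.get("t") == "e":  # cached value is an error such as #DIV/0! or #REF!
                findings.append({"sheet": name, "cell": ref, "rule": "error-cell", "detail": text})
            if "confidential" in text.lower():
                findings.append({"sheet": name, "cell": ref, "rule": "confidential-marker", "detail": text})
            if f is not None and f.text and MAGIC_NUMBER.search(f.text):
                findings.append({"sheet": name, "cell": ref, "rule": "hardcoded-constant", "detail": "=" + f.text})
    return findings


def fingerprint(data, sheet, refs):
    """Step 3 baseline: SHA-256 over formula and value of the cells that must not change."""
    sheets, sst = load_workbook(data)
    cells = {c.get("r"): c for c in sheets[sheet][1].iter(NS + "c")}
    h = hashlib.sha256()
    for ref in refs:
        c = cells.get(ref)
        f = c.find(NS + "f") if c is not None else None
        h.update(f"{ref}|{f.text if f is not None else ''}|{cell_text(c, sst)}\n".encode())
    return h.hexdigest()


def unchanged(data, sheet, refs, baseline):
    """Step 3 check: True when the protected cells still match the recorded baseline."""
    return fingerprint(data, sheet, refs) == baseline


if __name__ == "__main__":
    for finding in scan_workbook(build_sample_workbook()):
        print(finding)
```

Run against a directory of real workbooks, `scan_workbook` is the inventory pass of step 1; the baseline from `fingerprint` is stored once the spreadsheet enters active management, and `unchanged` is what a background checker would evaluate on every save, alerting only when a protected region differs. The magic-number regex is deliberately conservative (it ignores 0 and 1 and anything that is part of a cell reference) because a noisy rule is the fastest way to have users ignore the alerts.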
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in November 2010