Tip

Take the sting out of user-developed apps with spreadsheet management

Double-edged sword. Multiheaded beast. Cockroach? Three decades after the first electronic worksheet program (VisiCalc) found its way to the PC, the spreadsheet has grown to mythic proportions, infiltrating just about every cubicle in the workplace. Despite big-enterprise business technology, spreadsheets persist: Business people rely on them for tracking expenses, budgets, inventory, employees, survey results, even the World Wide Web. Excel and other spreadsheet programs inhabit more than 90% of computer desktops globally, according to Deloitte LLP. Yet, spreadsheet management is nonexistent at most companies, according to risk experts. This is not prudent.

"Spreadsheets may well represent the largest unaddressed risk confronting our use of IT today," said Jay Heiser, a research vice president specializing in IT risk management at Gartner Inc.

The spreadsheet is a powerful business tool: It functions as a program, a database, a file, and a data sharing application containing structured (and unstructured) data. The people who create spreadsheets, however, are for the most part not programmers and therefore do not take advantage of the lessons learned over a half-century of computer science, Heiser said. "It is a unique form of IT, and it is placed squarely in the hands of people who don't understand IT risk management conventions."

That lack of risk management smarts has led to serious problems for companies, as documented in the collection of spreadsheet horror stories on the website of the European Spreadsheet Risks Interest Group. Despite the risks posed by uncontrolled spreadsheet use -- from data leakage and inadvertent error to deliberate fraud -- in many companies there's no one responsible for spreadsheet management. Users, certainly those power users who have built professional reputations on the backs of their spreadsheets, have resisted such oversight. Plus, because spreadsheets' underlying logic changes frequently, most will never be converted to purpose-built applications. That fact makes spreadsheet controls and governance all the more important, Heiser and others note.

Until recently, regulatory bodies didn't pay spreadsheets a lot of attention. Section 404 of the 2002 Sarbanes-Oxley Act (SOX) required that change management controls be put on the spreadsheet programs used for financial reporting by public companies. That requirement, however, does not address the broad risks lurking in the hoard of other spreadsheets used throughout the business, according to Michael Rasmussen, founder of Waterford, Wis.-based governance, risk and compliance (GRC) advisory firm Corporate Integrity LLC. To comply with SOX requirements, he recommends replacing spreadsheets altogether with GRC management platforms from such vendors as Axentis, now part of Wolters Kluwer NV; BWise Inc. and IBM-owned OpenPages Inc.

The economic downturn seems to have further dampened interest in spreadsheets, even that of companies eager to find a technology product to help automate spreadsheet management. After a flurry of inquiries a few years ago, calls dropped off, Gartner's Heiser said: "It's a technology that Gartner is not currently covering."

Innovation and change keep spreadsheets alive

There are signs, however, that interest in managing the threat of uncontrolled spreadsheet use is intensifying. An increasing number of international regulatory and advisory organizations have published guidance on controls for spreadsheets and other user-developed applications. That guidance includes:

• Guidance from the Institute of Internal Auditors for auditing user-developed applications.

• Report from the Public Company Accounting Oversight Board on the first-year implementation of Auditing Standard No.5.

• Financial Industry Regulatory Authority 2010 examination priorities for accounting and spreadsheet controls (page 13).

• Deloitte's seven questions to jump-start a spreadsheet management program (see sidebar above).

One reason the use of spreadsheets remains unfettered is that businesses must adapt to ever-changing conditions, according to Ralph Baxter. Updating vendor-built solutions takes time. As the vendors update and companies implement, spreadsheets fill the gap.


Baxter is CEO of London-based ClusterSeven Ltd., one of a relatively small group of providers that sell spreadsheet management software. Others include: Finsbury Solutions Ltd., also based in London; CimCon Software Inc. in Boston; and Pleasanton, Calif.-based Prodiance Corp. According to Gartner, all four vendors' products offer such capabilities as auditing and logging at the cell level, automated location of spreadsheets, and access control and quality improvement.

Baxter recommended three steps for companies trying to get a handle on spreadsheet use. The process and ensuing governance rules can be supported and automated by software that sits in the background like a virus checker and alerts the person or group responsible for the spreadsheet only when a rule is broken:

1. Take an inventory of your spreadsheet world and use risk-assessment rules to get a picture of its current state. For example, look for error cells, hidden data, bad logic and the word "confidential."

2. Weed out the spreadsheets you don't need, replace the bad ones, and apply business rules to help people amend the spreadsheets that are most important to the business.

3. Put the remaining spreadsheets under "active management" and put a layer of new rules on top of them to confirm that users have not broken the business rules that apply to the spreadsheet (for example, making sure that data that shouldn't change indeed hasn't been altered).
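The checks named in steps 1 and 3 can be sketched directly against the .xlsx file format (a ZIP archive of XML parts). This is an added example, not code from the article or from any vendor it mentions; the `LOCKED` cell list, the function names and the sample workbook are assumptions constructed for illustration.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + M + "}"
LOCKED = {("xl/worksheets/sheet2.xml", "A1")}  # assumed: cells that must not change

def scan(data, locked=LOCKED):
    """Step 1: list risk findings. Step 3: fingerprint the locked cells."""
    findings, digest = [], hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # For files from untrusted sources, parse with defusedxml instead of ElementTree.
        book = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in book.iter(NS + "sheet"):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings.append(("hidden-sheet", sheet.get("name")))
        for part in sorted(n for n in z.namelist() if n.startswith("xl/") and n.endswith(".xml")):
            root = ET.fromstring(z.read(part))
            for t in root.iter(NS + "t"):  # inline and shared string text
                if "confidential" in (t.text or "").lower():
                    findings.append(("keyword", part))
            for c in root.iter(NS + "c"):
                ref = c.get("r")
                if c.get("t") == "e":  # cached value is an error such as #DIV/0!
                    findings.append(("error-cell", f"{part}!{ref}"))
                if (part, ref) in locked:  # hash formula and value text of locked cells
                    digest.update(f"{part}|{ref}|{''.join(c.itertext())}\n".encode())
    return findings, digest.hexdigest()

def sample(rate="0.05"):
    """Constructed sample: only the workbook parts scan() reads, not a full Excel file."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{M}"><sheets><sheet name="Budget" sheetId="1"/><sheet name="Rates" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{M}"><sheetData><row r="1"><c r="A1" t="e"><f>B2/0</f><v>#DIV/0!</v></c><c r="B1" t="inlineStr"><is><t>Confidential draft</t></is></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{M}"><sheetData><row r="1"><c r="A1"><v>{rate}</v></c></row></sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    findings, baseline = scan(sample())
    print(findings)
    print("locked data changed:", scan(sample("0.07"))[1] != baseline)
```

Storing the fingerprint at review time and recomputing it on a schedule gives the "alert only when a rule is broken" behaviour the article describes.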

Let us know what you think about the story; email Linda Tucci, Senior News Writer.

This was first published in November 2010
