RSS feedsWhen rogue trader John Rusnak defrauded Allied Irish Bank/Allfirst to the tune of half a billion pounds in February 2002 he did so by “manipulating the weak control environment in Allfirst’s treasury”.
Astonishingly, Rusnak was able to do this partly by substituting a falsified spreadsheet of his own as the input source for a core trading system. The lesson drawn by the auditors in the case was that an error in a spreadsheet will subvert all the controls in all the systems feeding into it.
Spreadsheets have become a fundamental and, as Rusnak proved in this fraud, largely uncontrollable component of business. From finance directors to marketing departments to staff managing the supply chain, spreadsheets are now completely ubiquitous. In fact, there is a solid argument for claiming that Excel is the “real” enterprise software application that most companies are based upon – forget that multi-million pound Oracle or SAP implementation.
But, as with any drug, Excel abuse can cause major problems. Before too long, companies run the risk of locally created, ad hoc spreadsheets proliferating throughout the organisation. And this brings a risk of inconsistencies – inaccuracies with data and information. And, worst of all, no one seems to know whose responsibility it is to manage the situation. It could seemingly fall within the remit of both IT and finance.
Ken Curtis, finance director at Lloyd’s underwriter Chaucer Syndicates, describes the many issues he faces. “You have the problems of different departments needing to report at quarter-end into management information and into actuarial and into finance,” he says. “In the past, there basically used to be spreadsheet reports emailed across. Sometimes, that data has changed between reporting to one part of the organisation compared to reporting to another part of the organisation.”
Even HM Revenue & Customs noted in its Methodology for the Audit of Spreadsheet Models guide that “the complexity and functionality of spreadsheets has reached levels of sophistication that few could have imagined… the consequent threat posed to businesses by such powerful ‘end-user’ applications, mainly in the hands of untrained users, is immense”. Meanwhile, PricewaterhouseCooper, in data from 54 random spreadsheets used in business, found that 49 (91%) contained errors.
The sort of errors companies are possibly facing include manually entered spelling or numerical errors, incorrect mathematical operators and out-of-date, impossible-to-understand macros. Then there’s the fact that anyone can open someone else’s spreadsheet and easily alter data.
Curtis reiterates the problem his company faced before installing software from ALG. “Once you’ve got into our end of the business you’ve got an extremely large, complicated suite of spreadsheets,” he says. “So it’s not like if I do a spreadsheet, it’s a simple one-pager with about five formulas. The kind of spreadsheet that, for instance, generated our annual accounts are probably about five suites of spreadsheets all with links to others.”
Compliance issues
Analyst Philip Howard of Bloor Research warns that poor spreadsheet use means some companies probably aren’t compliant de facto. “Sarbanes-Oxley requires companies to be able to justify what has happened to the data it presents in its corporate accounts and how it got there,” he says. “If a spreadsheet is involved at any point in that process, then unless appropriate controls are in place you will have a breakdown in the data chain where you cannot certify what has happened to the data.”
Curtis is at pains to point out, however, that Chaucer has always had the controls in place, it’s just that they took a huge amount of time to perform. “We’ve got fairly robust procedures and controls to ensure that all data is adequately reviewed and signed off before it goes out the door and could cause us any problems,” he says. “It’s just very time consuming.”
There are millions of Excel users around the world and although there are (albeit limited) auditing and security controls in Microsoft’s product, trying to control its use is almost impossible. Rather a combination of policy, best practice as described by Curtis and, possibly, additional products may have to be considered.
The issue is that because so many desktops have a copy of Excel, lots of users at all levels will and do create and coddle their own spreadsheet-based version of the truth.
Is it a real problem, though, or one just made up by suppliers of fancy and often expensive software products labelled as essential to meet compliance requirements? The sad fact is that such cynicism is misplaced, as all sorts of organisations say that spreadsheets can throw up issues they could do without. Chaucer’s Curtis paints a graphic picture of the problems his – heavily regulated – business is faced with.
“We have fairly cumbersome quarter-, month- and year-end procedures to pass information from one division to another, which were slow and error-prone, but the fact that it’s mainly spreadsheet-driven means all the disadvantages you get with spreadsheets, such as a lack of an audit trail and general lack of control, applied,” he says. After implementing a more centralised solution, the company has “improved reporting times because the spreadsheet processes were [so] slow”.
Technical solutions
The IT sector is quick to put its hand up and offer technology to help solve the problem. This means a lot of different things depending on the supplier, but in essence is about installing some layer of control above the organisation’s spreadsheet use.
One solution is to ditch spreadsheets altogether and insist staff use statistical packages, or other more centrally organised applications. This could work, but seems to raise issues of cultural change at the very least.
Another is to allow spreadsheets to function but take steps to control their use. Two approaches to the problem are current: the complete control solution, where the company aims to fully control everything done within the spreadsheet environment, and a less comprehensive view called the closed-circuit TV approach.
In the former, the FD would insist on a fully role-based security system so that only authorised personnel can change any data or adjust a formula, a process audited and logged when it happens. In the alternative, everything the user does is monitored, but they are not stopped doing so. There will, however, be close support for the auditing process if necessary.
Another way could be to work with a product that instead of extracting business data automatically from one source, combines data from various sources, to offer greater control. It’s a solution offered by Actuate, with e.Spreadsheet.
“This is, to a large degree, a user issue, not a Microsoft issue,” says Jeff Morris, director of product marketing. “The problems with spreadsheets really come from the fact that there is hardly ever any formal training in their use. Our argument is that if you can offer users a tool that encourages good design practices to deal with this knowledge gap, we may be able to solve some of our issues.” His company has a slogan to the effect that the ‘blank canvas’ of a new spreadsheet encourages bad practice, so blueprints or templates that follow approved corporate patterns may be much more useful and safer.
There are a range of options for better spreadsheet use. The chosen solution will depend on the specific nature of an organisation, the level and nature of its compliance concerns, and to what extent the board is prepared to invest money to address the potential issues.
But one thing’s for sure, a blanket ban on the little green ‘X’ button on the toolbar is not realistic. “Trying to take spreadsheets from users is not a solution; they’ll figure out a way round it,” says Morris. “The better bet for the financial director or CFO is to investigate spreadsheet management controls that can better collect and source the data and control its distribution.”
It seems we have to make this powerful, but massively ubiquitous and flexible software application into less of a narcotic and more of a business tool. Back to ledgers, anyone?
