Most of these vulnerabilities will come as no surprise to users, but the current financial climate has made dealing with them a new priority. "In good times the mistakes and potential frauds are not considered to be important because there is money coming in to cover them," says Ralph Baxter, director with London-based spreadsheet and data management software provider Cluster Seven. "In bad times, money is tighter and as a result, the incentive for people to commit fraud or try and push the limits is that much greater."
Operational risk issues plague spreadsheet usage. Excel has become a standard method of inter-business communication, holding a great deal of the information going in and out of an organization. However, when a spreadsheet model that has been created using data from a corporate system is passed on to a third party, it becomes very difficult to track or control who is seeing that view of the firm's system. "People sometimes inadvertently provide information within word processing documents through the inappropriate use of tracked changes, commenting and mark-up," says Richard Edwards, information management practice director with UK IT research firm Butler Group. "But the dangers potentially exposed by doing that are non-existent compared to letting a spreadsheet loose beyond the corporate firewall," he adds.
A typical spreadsheet is vulnerable to numerous other risks. An end user can easily overwrite a critical formula or cut and paste figures into the wrong place without leaving any trace of their actions. Beyond simple mistakes, the combination of formulas, macros and conditional formatting also produces an ideal environment to perpetrate fraud.
Other operational risk issues can also arise. An automatically updating data feed may drop out unnoticed, leaving stale data or a fixed figure going forward. Moreover, the potential for multiple, concurrent versions to exist at any one time can lead to uncertainty over which is the most up to date. Cluster Seven estimates that 90 percent of spreadsheets have errors in them. When the huge sums of money that are calculated using Excel are factored in, the potential costs of a simple mistake could be astronomical.
USAGE LIKELY TO GROW
The ease of use, openness and flexibility that attracted users to Excel in the first place also account for its biggest weaknesses. "Spreadsheets can be manipulated and changed at the whim of the user," says Rob Nieves, director at US consulting and internal audit firm Protiviti. "And that can be done in a way that is difficult to audit and difficult to manage, resulting in a very complicated control environment."
However, while there may be growing concern over the security issues involved with spreadsheets, new and urgent transparency requirements in the current financial climate are likely to boost rather than diminish reliance. "The City of London is very dependent on Excel and some of the new reporting regimes will force firms to be even more so," says Nieves. "Rapidly increasing demands for ad-hoc risk management will push firms to develop more and more spreadsheets."
Frenzied merger and acquisition activity could also drive further use. The financial industry has seen several large-scale takeovers over the past 12 months, and the trend looks set to continue. "There is an obvious need for more controls as the size of the enterprise increases, so any merger or acquisition requires a re-evaluation of procedures across a much bigger firm," says Stevan Vidich, industry technology strategist with Microsoft's worldwide financial services group. "Companies need to quickly figure out how to handle and document the influx of new financially sensitive information onto their combined books."
Regulatory bodies the world over are beginning to demand that the same level of governance of risk and controls that are currently applied to other core business systems be extended to spreadsheets. Over the last decade the US Securities and Exchange Commission (SEC) has handed out billions of dollars in fines to organizations with inadequate reporting practices or insufficient procedures in place to handle sensitive financial data. Firms will be keen to avoid such sanctions, and in order to control all their complex risks and exposures may look beyond the standard model of spreadsheet usage toward specialized management packages.
"Moving forward, the spreadsheet will become less of a blank page," says Adam Sussman, director of research at research and advisory firm The Tabb Group. "You will still be able to tweak a formula or play with a parameter as before but there will be certain defined links to go to, calculations to connect to and enterprise standards for tagging data. It will continue to be an open and flexible tool, but with a better set of standards around it," he says.
Sussman expects firms to turn to spreadsheet management packages-such as those offered by Cluster Seven, Prodiance and Finsbury Solutions-to achieve better controls and oversight. Such packages monitor enterprise-wide spreadsheet usage, keep track of the details of all changes made and put them into a single server database, ensuring regulatory compliance.
Microsoft itself has implemented a number of security features in recent versions of Excel. Its SharePoint Server reduces the need to e-mail spreadsheets around by storing them in a central spreadsheet repository, which can be accessed through a portal. This allows customers to keep track of document versioning, the details of users checking in and out, and aids auditing and archiving. Excel Services, which was included with SharePoint Server 2007 took this one step further by including a rendering engine, which can display a spreadsheet in HTML, allowing it to be displayed in a Web browser. End users are then able to interact with the data without the original spreadsheet and its sensitive data ever leaving the enterprise.
The 2007 update to SharePoint Server also added rights management features. An expiration date can be set on a spreadsheet, and controls put in place such as allowing specific users to view but not to modify, copy or forward the document.
In March 2008, Forrester Research found that 40 percent of 259 IT decision makers surveyed in North America and Western Europe had rolled out Microsoft Office 2007 and a majority planned to do so within the next 12 months. SharePoint Server 2007 adoption rates were almost identical and a number of high-profile financials institutions and exchanges, including Bank of America and the London Stock Exchange (LSE), are already using it.
SECURITY FEATURES IGNORED
The tools are there to beef up spreadsheet security but firms are not taking advantage of the improved features on offer, says Edwards. "Microsoft has been providing rights-management facilities and the like in Excel for quite some time, but anecdotally they do not seem to be being used. There are plenty of opportunities for spreadsheets to be better managed and better controlled, but there is little evidence to suggest that is taking place."
Purchasing more advanced management packages may not be a top priority either. "Firms have been trying to control their Excel environments, but are not going out and buying the software to do so," says Nieves. This may partly be a result of firms finding themselves stuck between the twin pressures of rapid change and diminishing funding. Increased Excel usage and sweeping changes to reporting requirements are being introduced at a time when IT budgets are being slashed. Converting to new systems is a labor-intensive process, requiring standards to be set across an organization-in correctly tagging data or identifying counterparties, for example. The investment of time and money may be one that few firms are willing to bear.
Some organizations may also shy away from implementing a new control environment in case it impairs the ease of use and flexibility that Excel users enjoy. "A lot of CFOs think spreadsheet controls will reduce their flexibility and ability to deal with ad hoc requirements," says Nieves. "When it comes to doing things to really improve their own lot in life I find that the finance function tends to throw bodies at a problem but not technology."
Firms that do make the step toward spreadsheet management may reap more benefits than just improved security. "Firms that finally bite the bullet and put in the tools, find that, when done correctly, they are actually saving money, because they can troubleshoot and maintain a spreadsheet environment much more effectively than they otherwise could," Nieves says. -->