Spreading the blame

When rogue trader John Rusnak defrauded Allied Irish Bank/Allfirst to the
tune of half a billion pounds in February 2002 he did so by “manipulating the
weak control environment in Allfirst’s treasury”.

Astonishingly, Rusnak was able to do this partly by substituting a falsified
spreadsheet of his own as the input source for a core trading system. The lesson
drawn by the auditors in the case was that an error in a spreadsheet will
subvert all the controls in all the systems feeding into it.

Spreadsheets have become a fundamental and, as Rusnak proved in this fraud,
largely uncontrollable component of business. From finance directors to
marketing departments to staff managing the supply chain, spreadsheets are now
completely ubiquitous. In fact, there is a solid argument for claiming that
Excel is the “real” enterprise software application that most companies are
based upon – forget that multi-million pound Oracle or SAP implementation.

But, as with any drug, Excel abuse can cause major problems. Before too long,
companies run the risk of locally created, ad hoc spreadsheets proliferating
throughout the organisation. And this brings a risk of inconsistencies –
inaccuracies with data and information. And, worst of all, no one seems to know
whose responsibility it is to manage the situation. It could seemingly fall
within the remit of both IT and finance.

Ken Curtis, finance director at Lloyd’s underwriter Chaucer Syndicates,
describes the many issues he faces. “You have the problems of different
departments needing to report at quarter-end into management information and
into actuarial and into finance,” he says. “In the past, there basically used to
be spreadsheet reports emailed across. Sometimes, that data has changed between
reporting to one part of the organisation compared to reporting to another part
of the organisation.”

Even HM Revenue & Customs noted in its Methodology for the Audit of
Spreadsheet Models guide that “the complexity and functionality of spreadsheets
has reached levels of sophistication that few could have imagined… the
consequent threat posed to businesses by such powerful ‘end-user’ applications,
mainly in the hands of untrained users, is immense”. Meanwhile,
PricewaterhouseCooper, in data from 54 random spreadsheets used in business,
found that 49 (91%) contained errors.

The sort of errors companies are possibly facing include manually entered
spelling or numerical errors, incorrect mathematical operators and out-of-date,
impossible-to-understand macros. Then there’s the fact that anyone can open
someone else’s spreadsheet and easily alter data.

Curtis reiterates the problem his company faced before installing software
from ALG. “Once you’ve got into our end of the business you’ve got an extremely
large, complicated suite of spreadsheets,” he says. “So it’s not like if I do a
spreadsheet, it’s a simple one-pager with about five formulas. The kind of
spreadsheet that, for instance, generated our annual accounts are probably about
five suites of spreadsheets all with links to others.”

Compliance issues

Analyst Philip Howard of Bloor Research warns that poor spreadsheet use means
some companies probably aren’t compliant de facto. “Sarbanes-Oxley requires
companies to be able to justify what has happened to the data it presents in its
corporate accounts and how it got there,” he says. “If a spreadsheet is involved
at any point in that process, then unless appropriate controls are in place you
will have a breakdown in the data chain where you cannot certify what has
happened to the data.”

Curtis is at pains to point out, however, that Chaucer has always had the
controls in place, it’s just that they took a huge amount of time to perform.
“We’ve got fairly robust procedures and controls to ensure that all data is
adequately reviewed and signed off before it goes out the door and could cause
us any problems,” he says. “It’s just very time consuming.”

There are millions of Excel users around the world and although there are
(albeit limited) auditing and security controls in Microsoft’s product, trying
to control its use is almost impossible. Rather a combination of policy, best
practice as described by Curtis and, possibly, additional products may have to
be considered.

The issue is that because so many desktops have a copy of Excel, lots of
users at all levels will and do create and coddle their own spreadsheet-based
version of the truth.

Is it a real problem, though, or one just made up by suppliers of fancy and
often expensive software products labelled as essential to meet compliance
requirements? The sad fact is that such cynicism is misplaced, as all sorts of
organisations say that spreadsheets can throw up issues they could do without.
Chaucer’s Curtis paints a graphic picture of the problems his – heavily
regulated – business is faced with.

“We have fairly cumbersome quarter-, month- and year-end procedures to pass
information from one division to another, which were slow and error-prone, but
the fact that it’s mainly spreadsheet-driven means all the disadvantages you get
with spreadsheets, such as a lack of an audit trail and general lack of control,
applied,” he says. After implementing a more centralised solution, the company
has “improved reporting times because the spreadsheet processes were [so] slow”.

Technical solutions

The IT sector is quick to put its hand up and offer technology to help solve
the problem. This means a lot of different things depending on the supplier, but
in essence is about installing some layer of control above the organisation’s
spreadsheet use.

One solution is to ditch spreadsheets altogether and insist staff use
statistical packages, or other more centrally organised applications. This could
work, but seems to raise issues of cultural change at the very least.

Another is to allow spreadsheets to function but take steps to control their
use. Two approaches to the problem are current: the complete control solution,
where the company aims to fully control everything done within the spreadsheet
environment, and a less comprehensive view called the closed-circuit TV
approach.

In the former, the FD would insist on a fully role-based security system so
that only authorised personnel can change any data or adjust a formula, a
process audited and logged when it happens. In the alternative, everything the
user does is monitored, but they are not stopped doing so. There will, however,
be close support for the auditing process if necessary.

Another way could be to work with a product that instead of extracting
business data automatically from one source, combines data from various sources,
to offer greater control. It’s a solution offered by Actuate, with
e.Spreadsheet.

“This is, to a large degree, a user issue, not a Microsoft issue,” says Jeff
Morris, director of product marketing. “The problems with spreadsheets really
come from the fact that there is hardly ever any formal training in their use.
Our argument is that if you can offer users a tool that encourages good design
practices to deal with this knowledge gap, we may be able to solve some of our
issues.” His company has a slogan to the effect that the ‘blank canvas’ of a new
spreadsheet encourages bad practice, so blueprints or templates that follow
approved corporate patterns may be much more useful and safer.

There are a range of options for better spreadsheet use. The chosen solution
will depend on the specific nature of an organisation, the level and nature of
its compliance concerns, and to what extent the board is prepared to invest
money to address the potential issues.

But one thing’s for sure, a blanket ban on the little green ‘X’ button on the
toolbar is not realistic. “Trying to take spreadsheets from users is not a
solution; they’ll figure out a way round it,” says Morris. “The better bet for
the financial director or CFO is to investigate spreadsheet management controls
that can better collect and source the data and control its distribution.”

It seems we have to make this powerful, but massively ubiquitous and flexible
software application into less of a narcotic and more of a business tool. Back
to ledgers, anyone?