Are Spreadsheets 'Out of Control'?

Study finds spreadsheets underappreciated as critical enterprise assets, but recommends use of audit and compliance tools.

The electronic spreadsheet arguably was the "killer application" that kicked off the personal computer revolution. Today, the spreadsheet's ability to crunch tons of data on the desktop makes it still one of the most popular and useful applications that people use.

But such universal utility comes at a price. One serious misstep entering data with one could cost you your business.

"Spreadsheets . . . used improperly or incorrectly, or without sufficient control, pose a greater threat to your business than almost anything you can imagine," cautions a recent study by UK-based analysis firm Bloor Research.

The study, titled "Spreadsheet Management" and authored by Bloor's research director Philip Howard, finds that a major cause of the problem is that spreadsheets are frequently not treated as corporate assets, the way that, say, a large customer database is treated.

"A further complication is that most large organizations have probably thousands, if not tens of thousands, of spreadsheets distributed across the enterprise. Not only are these uncontrolled, they are unknown [and] as a result, corporate security standards are not implemented for spreadsheets," Howard said.

Like it or not, many corporate spreadsheets fall under the aegis of Sarbanes-Oxley requirements, securities laws, and other regulations, all of which impose their own set of compliance issues on IT managers.

The logical conclusion: "All spreadsheets that do anything more than very simple reporting should be subject to a quality control process to ensure accuracy," the report finds.

So what kinds of challenges do IT administrators face? Among them are a failure to audit changes to data, either through fraud or via mistakes in entering numbers or formulas. Part of this is due to the fact that Excel -– by far the most common spreadsheet in use -- has had limited auditing and security capabilities, and also because many spreadsheet users are self-taught, the report states.

In fact, the latest version, Excel 2007, provides new capabilities along those lines, "though these have typically been addressed through the use of SharePoint 2007 and Excel Services rather than Excel."

The solution, the report argues, is to use software tools to not only enhance existing security measures, but also to help audit, control, and maintain compliance for spreadsheets throughout the business. Such tools have been around for years but many are now reaching a level of maturity that makes them particularly useful for corporate governance purposes, Howard wrote in the report.

One of the points of the study is to "push the task of managing spreadsheets into the hands of the IT department."

Of course, the report states, there is no substitute for best practices, such as auditing the most important spreadsheets, making medium and high-priority spreadsheets server based, thus providing some measure of central control, as well as storing information as XML data where practical, and using Excel's (or another spreadsheet's) password and auditing capabilities.

At the least, however, the report says such products should provide a specific set of "must have" features, including role-based security down to the cell level, encryption, locking of data down to the cell level and for all objects such as formulas and macros, as well as a full audit capability for all changes including changes to macros.

Other must-have features include an auto-discovery capability for existing spreadsheets, management and control of distribution and scheduling, and spreadsheet hierarchy management. Add to that support for IT testing of formulas and procedures, segregation of various employee roles, the ability to track use of data and formulas across spreadsheets, and template management, including the ability to require use of specified templates so that users cannot choose the wrong one.

But while the problems are real, don't get too carried away, cautions one former senior IT executive.

"[All of these tools] can be beneficial, but are any of them the Nirvana for [the challenges] the PC has created? No," said Ajit Kapoor, managing director of The Kapoor Group, a global consultancy that specializes in aligning business with IT expenses.

(Kapoor was previously chief architect for the CTO's office at Lockheed Martin, and held similar positions at Allied Signal and General Motors.)

Kapoor cautioned that the tools are only as good as the people using them and that education and awareness are key components of any compliance strategy. Plus, he added, spreadsheets are not the only under-appreciated corporate assets -– word processing documents are also often at risk, not to mention other documents created on PCs, such as presentations.

Which isn't to say that he's against the use of auditing and compliance tools for managing spreadsheets. "I think it's easier said than done but you have to start somewhere," Kapoor told internetnews.com.

This article was first published on InternetNews.com. To read the full article, click here.






Comment and Contribute

 


(Maximum characters: 1200). You have characters left.