Spreadsheet Woes – Limited Features For Easy Adoption of a Control Framework

Like it or not, regulations are here to stay and for a company to comply with them, its IT and financial systems will have to be equipped with a suitable control framework. One common stumbling block to such an implementation is a company?s over-reliance on spreadsheets.

Why is it so difficult to adopt controls for a system that’s reliant on spreadsheets? To understand this, let’s pinpoint some of the strongest, most powerful attributes of these User Developed Applications (UDA).

By nature, spreadsheets are the epitome of simplicity: easy to develop, easily accessible and easily altered. All computers in your workplace will most likely have them and everyone in your organization may be sharing them, making their own versions, and storing them in personal folders.

Sad to say though, these strengths are also control weaknesses and constitute the very reasons why spreadsheets require effective risk management.

Easy to develop. Being easy to develop, most spreadsheet systems are created by non-IT users who have limited knowledge on best control practices. Being constantly under time pressure, these ?developers? may also relegate documentation, security, and data verification to the back burner in favour of coming up with a timely report.

Easy to access. Information in a spreadsheet can be opened by practically anyone within the organization?s network. Who accessed what? And when? If anything goes wrong, it would be difficult to identify the culprit, and the failure to pinpoint responsibility for erroneous data could lead to bigger, more costly mistakes.

Easy to alter. Lastly, if the information is easy to access, then it can also be easily altered, consequently making reports more prone to both accidental errors and fraudulent modifications.

The rise of multimillion dollar scandals due to accidental and intentional spreadsheet errors have prompted regulatory bodies to publish guidelines for mitigating spreadsheet-associated risks. These controls include:

Change control
Version control
Access control
Input
Security and data integrity
Documentation
Development life cycle
Backup and archiving
Logic inspection/Testing
Segregation of duties/roles, and procedures
Analytics

In theory, these controls should be able to bring down risks considerably. However, because of the inherent nature of spreadsheets, such controls are rarely implemented effectively in the real world.

Take for example Security and Data Integrity. One of the most common causes of spreadsheet error is due to ?hardwiring?. This happens when values are inadvertently entered into a formula cell, naturally changing the logic of the spreadsheet.

As a way of control, cell locking can be applied on the formula cells to prevent users without the proper authority from making any changes. However, when reporting deadlines approach drawing spreadsheets to the forefront of data processing, more people are given access rights to the locked cells. Ironically, it is during these crunch times, when errors are most likely to happen.

Because the built-in features of a spreadsheet support none of the controls mentioned above, some companies are tempted to purchase control-enabling programs for spreadsheets just to continue using them for financial reporting. But although these programs can integrate the required controls, you?d still be interacting with the same complex and outdated interface: the spreadsheets.

Thus, these band-aid solutions may not suffice because the root cause of these problems are the spreadsheets themselves.

Learn more about our server application solutions and discover a better way to implement controls.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

Maturing Into CMMI

In all likelihood, the reason why you landed on this page was because you were seeking CMMI experts to help you meet the demands of a growing number of potential clients who require CMMI compliance.

Whether or not you’re here for that reason, you might want to know why CMMI or Capability Maturity Model Integration is steadily becoming a common denominator among highly successful software and engineering development companies. If you stay for a while, we can show you how CMMI can substantially increase your organisation’s chances of:

reducing development costs;
acquiring new customers and retaining old ones;
beating deadlines;
bringing down development time;
increasing the overall quality of your products and services; and
improving the level of satisfaction of customers, employees, and all other stakeholders.

Surely, no organisation can be too small or too big to aspire for such benefits of attaining high levels of maturity and capability.

If you want to look beyond Maturity Level ratings, then you’ve come to the right place. We focus on introducing CMMI principles and blending them into your organisation’s culture to achieve a truly superior and sustainable business advantage. Compliance will then be an inevitable offshoot of the actions you make.

Likewise, if you simply want to obtain a deeper understanding of CMMI and learn how it can be applied either to your entire organisation or to specific projects, we’d be happy to assist you in that regard as well.

Finally, when you’re ready, we can also conduct CMMI appraisals either for benchmarking purposes or simply for determining how well your process improvement initiatives are going.

CMMI Consulting

Are you worried that implementing CMMI might entail an overhaul of your current processes? Don’t be.

CMMI is all about improving current processes, not replacing them. Ideally, the final result of all process improvement activities should be hinged on your own business objectives and context, so we’ll make sure it remains that way when we work with you.

We rely on our extensive knowledge and experience in CMMI, engineering, software development, and technologies as well as in change and project management in providing model-based process improvement services. Whether you’re gearing up for an appraisal or simply want to employ CMMI-based practices, these are the things we can do for you.

Help you interpret how CMMI can be implemented in relation to your business.
Assist in convincing sponsors and stakeholders to support your CMMI implementation initiatives.
Introduce the necessary training to all individuals who need to undertake them.
Conduct a Gap Analysis to find out where your company’s current processes stand relative to their CMMI specifications.
Assemble a process group that will champion your process improvement initiatives. We’ll facilitate effective collaboration among its team members, transforming them into a cohesive force designed to carry out plans and motivate everyone else down the line.
Introduce tools and practices that will improve the efficiency of our process improvement initiatives.
Carry out periodic evaluations and produce reports to provide sponsors and stakeholders a clear picture of our progress.

CMMI Training

Still not convinced CMMI is right for you? There’s only one way to fully grasp the benefits of implementing CMMI – take the Introduction to CMMI course. Although what happens next is entirely up to you, we’re pretty sure you’ll make the right decision after passing it.

Do you need to include people from your organisation in a SCAMPI (Standard CMMI Appraisal Method for Process Improvement) team? They’ll have to undergo this course too. The Introduction to CMMI is for systems and software engineering managers and practitioners, appraisal team members, process group members, and basically anyone who want to grasp CMMI fundamentals.

This is what you’ll be able to do after going through 3 days of lectures and exercises:

Gain a deeper understanding of the various components of CMMI-DEV models and their relationships.
Discuss the process areas in CMMI-DEV models.
Extract and interpret aspects in the model relevant to your own organisation’s processes.

We also offer highly specialised training and workshops such as those for:

Achieving High Maturity Levels
Top Executives
Team Building in Preparation for Appraisals

CMMI Appraisal

An organisation new to CMMI will want to know first how far their current processes are relative to the implementation of model-based improvements in order to determine the resources and time that have to be spent to get there.

Similarly, an organisation already well acquainted with CMMI and has begun taking steps in improving processes, will eventually want to know how close it has come to the Maturity Level it has aimed for.

In both cases, these organisations will have to be assessed by a qualified CMMI appraiser to obtain an accurate picture of their current status. We can perform appraisals on either your entire organisation or on specific projects/practices within a process area. Our appraisers can conduct the following SCAMPI (Standard CMMI Appraisal Method for Process Improvement) appraisals:

SCAMPI Class A – This is what you’ll need if you’re aiming for a level rating.
SCAMPI Class B – You may want to use this for process reviews or for preparing for a SCAMPI Class A.
SCAMPI Class C or Gap Analysis – We typically conduct this for organisations who have yet to implement CMMI-based initiatives so that they can design the most cost-effective road map for the implementation proper.

Can you do away with the Project Initiation Meeting?

Project initiation meetings are often skipped to fast-track projects. Once a sponsor is found, organisations go straight to project planning and execution. But based on our own experience, holding a project initiation meeting can actually eliminate many issues that may crop up in the future and hence may speed things up instead in the long run.

It is in the project initiation meeting where your project objectives and scope are clarified and all stakeholders are brought to the same page. Project sponsors and stakeholders will have to know in a nutshell what is needed from them, what the possible risks are, what different resources are required, and so on. So that, when it’s time to proceed to the next phase, everyone is already in-sync.

So what are taken up in such a meeting? Perhaps an actual example can help. Sometime in the past, we set out to work on an eCommerce website project. After conducting the project initiation meeting, these were some of the things we were able to accomplish:

Identified deliverables e.g. site design, interface to payment system, etc.
Come up with the project phases
Agreed what should be in and out of scope
Defined the acceptance test criteria
Identified possible risks
Identified the possible training and documentation work needed
Established whether any analysis was required, e.g. as with regards to payment interfaces
Formulated disaster recovery plans
Defined roles and responsibilities
Drafted timelines and due dates

Aren’t these covered in project planning? If the project is a big one, the answer is no. In a large project, project planning is a much more exhaustive activity. In a project initiation meeting, only the basic framework is defined.

Some questions may still remain unanswered after a project initiation meeting, but at least you already know what answers you need to look for. In the example we gave earlier, we left the meeting knowing that we needed:

a list of all necessary hardware to estimate the costs
to identify possible dependencies we might have with third parties
to identify what software had to be bought and what skills we needed to hire

When it was time to proceed to project planning, everyone involved already knew what direction we were taking. In effect, by not skipping the project initiation meeting, we were able to avoid many potential obstacles.

Data Replication

These days, not many companies can continue to operate once their entire computer system goes down. All the information needed in daily operations are stored in databases while the interfaces that make use of them all come in the form of software applications.

Software applications can be rapidly reinstalled and configured for as long as the necessary programs are available. Data, however, cannot be reconstructed as quickly even with hard copies available. It is therefore necessary to store your data in a replicated setup so that when one section goes down, operations can proceed without interruption.

For instance, if a category 5 hurricane renders your main office useless, you can simply rent workstations elsewhere, connect to the Internet and continue with your usual transactions for as long as data is readily accessible.

So how do we ensure the accessibility and reliability of your data? Here’s what we’ll do:

Activate data replication on your database management system. If your DBMS does not support replication, we’ll migrate all your data to one that does.
If absolutely necessary, we can allow modernised systems to run parallel to your legacy systems and prepare both for full modernisation when you’re ready.
Implement fail-over technologies where applicable to provide for automatic switching to a backup data server or network from one that has just failed.

We can also assist you with the following: