Spreadsheet Woes – Limited Features For Easy Adoption of a Control Framework

Like it or not, regulations are here to stay and for a company to comply with them, its IT and financial systems will have to be equipped with a suitable control framework. One common stumbling block to such an implementation is a company?s over-reliance on spreadsheets.

Why is it so difficult to adopt controls for a system that’s reliant on spreadsheets? To understand this, let’s pinpoint some of the strongest, most powerful attributes of these User Developed Applications (UDA).

By nature, spreadsheets are the epitome of simplicity: easy to develop, easily accessible and easily altered. All computers in your workplace will most likely have them and everyone in your organization may be sharing them, making their own versions, and storing them in personal folders.

Sad to say though, these strengths are also control weaknesses and constitute the very reasons why spreadsheets require effective risk management.

Easy to develop. Being easy to develop, most spreadsheet systems are created by non-IT users who have limited knowledge on best control practices. Being constantly under time pressure, these ?developers? may also relegate documentation, security, and data verification to the back burner in favour of coming up with a timely report.

Easy to access. Information in a spreadsheet can be opened by practically anyone within the organization?s network. Who accessed what? And when? If anything goes wrong, it would be difficult to identify the culprit, and the failure to pinpoint responsibility for erroneous data could lead to bigger, more costly mistakes.

Easy to alter. Lastly, if the information is easy to access, then it can also be easily altered, consequently making reports more prone to both accidental errors and fraudulent modifications.

The rise of multimillion dollar scandals due to accidental and intentional spreadsheet errors have prompted regulatory bodies to publish guidelines for mitigating spreadsheet-associated risks. These controls include:

Change control
Version control
Access control
Input
Security and data integrity
Documentation
Development life cycle
Backup and archiving
Logic inspection/Testing
Segregation of duties/roles, and procedures
Analytics

In theory, these controls should be able to bring down risks considerably. However, because of the inherent nature of spreadsheets, such controls are rarely implemented effectively in the real world.

Take for example Security and Data Integrity. One of the most common causes of spreadsheet error is due to ?hardwiring?. This happens when values are inadvertently entered into a formula cell, naturally changing the logic of the spreadsheet.

As a way of control, cell locking can be applied on the formula cells to prevent users without the proper authority from making any changes. However, when reporting deadlines approach drawing spreadsheets to the forefront of data processing, more people are given access rights to the locked cells. Ironically, it is during these crunch times, when errors are most likely to happen.

Because the built-in features of a spreadsheet support none of the controls mentioned above, some companies are tempted to purchase control-enabling programs for spreadsheets just to continue using them for financial reporting. But although these programs can integrate the required controls, you?d still be interacting with the same complex and outdated interface: the spreadsheets.

Thus, these band-aid solutions may not suffice because the root cause of these problems are the spreadsheets themselves.

Learn more about our server application solutions and discover a better way to implement controls.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

How to Improve Corporate Efficiency through IT

When revenues are low, what do you do to improve your profit? Obviously, those same revenues should at least remain the same. So, the objective would be to deliver the same products and services for less cost. More for less. Such is the essence of corporate efficiency.

There are many things that can make a company inefficient. There are outdated procedures, poor coordination between departments, managers? lack of business visibility, and prolonged down times, to mention a few. As a company grows, these issues get more severe.

You can overcome all these by deploying the right IT solutions. But don’t IT solutions increase spending instead? Au contraire. The last couple of decades have seen the rise of IT solutions that help companies’realise obvious cost savings in no time.

Streamline processes and keep departments in-sync

Company inefficiencies are largely due to outdated systems and procedures. These systems and procedures were not built for the dynamic and complex business environments of today that are being shaped by increasingly onerous regulations, fierce and growing competition, significant economic upswings and downturns, new battlefronts (like the Web) and logistical strategies (like outsourcing), and IT-savvy crooks.

So when your employees force outdated systems to meet today?s business demands, they’re just not able to deliver. At least not efficiently.

Another major cause of inefficiency is the discordance among departments, business units, and even individual staff members themselves. There are those who still use highly personalised spreadsheets and other disparate applications, which make data consolidation take forever and the financial close a perennial headache.

Costly devices like mobile phones, netbooks, and tablet PCs, which are supposedly designed to provide better communication, are not fully maximised. If these are subsidised by the company, then they also contribute to company inefficiency.

One way to deal with these issues is to deploy server based solutions. By centralising your IT system, you can easily implement various improvements that can pave the way for better communication and collaboration, stronger security, faster processes and transactions, and shorter down times for troubleshooting and maintenance. All these clearly translate to cost savings.

Gain better visibility

Corporate efficiency can be improved if your decision makers can make wise and well-informed decisions, faster. But they can only do this if reports they receive from people down the line are timely, accurate, and reliable. Basically, data should be presented in a way for managers to gain quick insights from.

If your people take too much time scrutinising, interpreting, and reconciling data, you can’t hope to gain a significant competitive advantage. Equally important to managing an ongoing project is the speed at which you make a go/no go decision to start or stop a project. A wise, quick decision will help you avoid wastage.

The same holds true when making purchases and investment decisions. It’s all about quickly eliminating waste and investing only on those that will give you fast, positive returns.

Clear business visibility will allow managers to allocate resources where they are most effective, to pinpoint what products and services being offered are more profitable, and to identify which customers are giving better business from an overall perspective.

These are all possible with business intelligence. We know, we know. You’ll say BI solutions will force you to break the bank. Not anymore. At least, not all. There are already two main types of BI solutions: on-premise and SaaS. The latter will generally cost you less.

Of course, each type has its own advantages, and you’ll really have to look into the size of your organisation, the number of source systems your decision-making platform is connected to, integration requirements, budget, etc. to make sure you get the most out of your investment.

But IT solutions cost an arm and a leg

Again, not anymore. These days, you can find IT products that are faster, more functional, and more powerful than their predecessors at a fraction of the cost. When it comes to getting more affordable IT products and services, you now have many options.

For example, you can turn to open source solutions to save on license costs. These solutions are typically backed by vibrant and helpful communities where you can find an extensive source of technical support – many of which are for free. With popular open source products, you can easily tap from a large pool of developers with affordable rates any time you want to make system enhancements or customisation.

On another front, virtualization solutions allow you to save on CAPEX and OPEX by eliminating certain expenses normally used for setting up infrastructure or buying hardware and maintaining them. Server virtualisation, for instance, will allow you to consolidate servers and put them together into just one machine, while desktop virtualisation will enable you to eliminate unproductive hours associated with desktop down times by allowing you to redeploy a malfunctioning desktop very quickly.

Closely related to those are cloud-based solutions like SaaS (Software as a Service), IaaS (Infrastructure as a Service), and DCoD (Data Center on Demand). SaaS and IaaS will help you realize savings in acquisition and maintenance costs for software and hardware, while DCoD?s scalable services allow you to request for additional capacity, power and storage only as you need them, thus making you spend only according to your current infrastructure requirements.

Like we said, there are many, many options out there just waiting to be tapped.

Malware

In the past, viruses were created with the sole purpose of wreaking havoc on the infected systems. A large fraction of today’s malware, on the other hand, are designed to generate revenues for the creator. Spyware, botnets, and keyloggers steal information from your system or control it so that someone else can profit. In other words, the motivation for making them is now more attractive than before.

Keyloggers can reveal your usernames, passwords, PIN numbers, and other authentication information to their creators by recording your key strokes. This information can then be used for breaking into various accounts: credit cards, payment programs (like PayPal), online banks, and others. You’re right, keyloggers are among the favourite tools of individuals involved in identity theft.

Much like the viruses of old, most present day malware drain the resources, such as memory and hard disk space, of contaminated systems; sometimes forcing them to crash. They can also degrade network performance and in extreme cases, may even cause a total collapse.

If that’s not daunting enough, imagine an outbreak in your entire organisation. The damage could easily cost your organisation thousands of euros to repair. That’s not even counting yet the value of missed opportunities.

Entry points for malware range from optical disks, flash drives, and of course, the Internet. That means, your doors could be wide open to these attacks at this very moment.

Now, we’re not here to promise total invulnerability, as only an unplugged computer locked up in a vault will ever be totally safe from malware. Instead, this is what we’ll do:

Perform an assessment of your computer usage practices and security policies. Software and hardware alone won’t do the trick.
Identify weak points as well as poor practices and propose changes wherever necessary. Weak points and poor practices range from the use of perennial passwords and keeping old, unused accounts to poorly configured firewalls.
Install malware scanners and firewalls and configure them for maximal protection with minimal effect on network and system performance.
Implement regular security patches.
Conduct a regular inspection on security policy compliance as well as a review of the policies to see if they are up to date with the latest threats.
Keep an audit trail for future use in forensic activities.
Establish a risk management system.
Apply data encryption where necessary.
Implement a backup system to make sure that, in a worst case scenario, archived data is safe.
Propose data replication so as to mitigate the after effects of data loss and to ensure your company can proceed with ‘business as usual’.

Once we’ve worked with you to make all these happen, you’ll be able to sleep better.

Other defences we’re capable of putting up include:

Solutions to Password Overload

If only technologists had their way, passwords and PINs would have long been replaced with more innovative (and admittedly, better) security solutions. But such is not the case. Those alternative solutions, which include biometrics, smart cards, and password fobs, effective as they may be, are just way too expensive to implement.

So although passwords and PINs may not be here to stay, they certainly won’t be going away soon either.

Why keeping passwords in memory is no longer possible

A couple of decades ago, it would have been nearly impossible to crack an eight-character password using brute force. Today, however, advancements in computing power are rendering the typical passwords of the past easily decipherable, forcing us to come up with passwords that are not only much longer, but also much more complex and hence difficult to recall.

For instance, memorable words like your favourite character (e.g. ‘skywalker’) may have been acceptable then, but not anymore. Today?s security systems will encourage you to insert numbers or even other keyboard characters as a means to once again counter brute force. Hence, ‘sk5%ywa936lker@#’ may be more acceptable.

Remembering that one alone can be pretty daunting.

To further complicate matters, the number of applications that require passwords for access is much greater than before even for a single end user. Ordinary end users have to keep track of passwords for their email account, network login, workstation login, online services, and so on.

The burden is even greater for your IT admins, who have to remember a larger collection of passwords that protect business critical systems and applications. Clearly, the team in charge of your IT security will need a way to manage all these passwords.

Password management solutions

Existing password management solutions typically come in the form of software applications that store passwords. Basically, all you need to remember are your login details for the app a.k.a. the ?master password?. Once you’ve gained access inside, you can then retrieve any password you stored there.

Some of these apps are installed in portable devices like Pocket PCs, PDAs, or smartphones, which you would normally take along with you. For as long as the device stays with you, your passwords will be in safe hands. What’s more, you can retrieve them anywhere you go.

But obviously, there’s a problem. What if the device gets misplaced or stolen? Although the person who ends up with your device may not be able to gain access into the app and your passwords, neither will you. A better solution would therefore be an app that can be accessed anywhere but is not susceptible to getting lost.

Web-based password manager

A web-based password manager fits the bill. You don’t have to take it with you, but still you can access it almost anywhere. A typical web-based password manager will have all your passwords stored in a centralised, highly secure location.

If you want, you can even use your mobile password manager along with the web-based one. Ideally, your web-based password manager would have a copy of all the end-user passwords as well as the master passwords of your organisation.

With an easy to access but highly-secure web-based password manager, you no longer have to come up with passwords that (ironically) are supposed to be easy to remember but hard to crack at the the same time.

Furthermore, password managers are ideal for keeping passwords that have to be changed every-now-and-then; a requirement that’s becoming all too common in organisations bent on enforcing more stringent controls.