James Tanner is an analyst at Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face. Orthus provide end-to-end services for clients to comprehensively address risk in their environments, including Insider Threats (http://www.orthus.com/itm_overview.htm) addressing issues such as data leakage, sabotage and fraud; External Threats including penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats including securing cloud services and data processed by third parties; and Legal and Regulatory challenges including the Payment Card Industry (PCI) Data Security Standard (DSS).
One of the biggest threats to compliance isn’t your employees or hackers, but a trusted tool: the spreadsheet. It is unstructured, untracked, and unsecured. Learn to recognize top spreadsheet risks and what you can do to reduce them.
Compliance experts estimate that 80 percent of enterprises use spreadsheets to support critical business functions. For example, in one Deloitte survey of 800 financial professionals, 88 percent said their firms "use spreadsheets of material importance in financial reporting." At the same time, however, research suggests the typical spreadsheet has a 2 to 5 percent error rate.
As a result, spreadsheets are one of the biggest compliance risks facing regulated companies. Indeed, despite their prevalent use, the life of the average spreadsheet is unstructured, untracked, insecure, and potentially inaccurate. Learn how to pre-emptively control challenges that can run afoul of Sarbanes-Oxley (SOX), Basel II, or the numerous other laws which regulate the integrity of financial processes.
Bet on auditors wanting to see all spreadsheets relating to your company’s financial reporting practices. Will your rows and columns pass compliance muster? To help mitigate the regulatory risks posed by spreadsheets, consider these 10 tips.
1: Acknowledge Spreadsheets’ Programming Power
One issue with spreadsheets is that they are simply so powerful. The spreadsheet problem is largely due to the fact that we have handed a programming language to a non-IT user without any of the oversight or safeguards of a development environment. That user has become the programmer, the tester and the user at once, so all objectivity is lost. Who is going to detect the errors in that spreadsheet?
2: Expect Errors
The average spreadsheet contains a substantial number of errors. Human error research indicates that for tasks about as complex as creating a spreadsheet formula, the error rate floor is about 2 percent to 5 percent. The reason: people tend to take shortcuts when doing math, and these shortcuts often produce errors. Regarding automation, please see tip number eight. On a related note, spreadsheet novices are three times as likely as experts to make mistakes.
Few companies, however, test for spreadsheet errors or outright fraud, preferring instead to eyeball results, often with predictable consequences. For example, a software developer may use two 15,000-cell Excel spreadsheets to project the market for its products, with figures rounded to whole numbers. A user may then inadvertently round the inflation modifier down, say from 1.06 to 1, resulting in an undervaluation of the market. Such an error would obviously qualify as a material weakness.
3: Manage Spreadsheet Changes
One solution: don’t prohibit spreadsheet use, but rather identify which spreadsheets handle critical business functions, and then implement controls to ensure their integrity and accuracy, and especially to prevent fraud. For starters, apply change management controls to spreadsheets, including sign-offs, a record of all changes and the rationale for every change, plus rollback capabilities. Each spreadsheet’s business logic must also be thoroughly vetted, as with any application which handles complex business functions.
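The change-management controls listed above (a record of every change, a rationale and sign-off for each, and the ability to roll back) can be exercised on a spreadsheet exported to CSV. The following is an added example, not code from the article or from Orthus: the workbook contents, approver names and rationale are constructed sample data, and the CSV-export layout is an assumption. It logs each changed cell in A1 notation with its before and after values, refuses a version that arrives without a rationale or a sign-off, fingerprints each approved version so a copy in circulation can be checked against it, and reinstates an earlier approved version as a new, recorded change rather than a silent overwrite.

```python
"""Cell-level change control for a critical spreadsheet exported as CSV.

Added example, not the article's or Orthus's own code. All sample data
(sheet contents, approvers, rationale) is constructed for illustration.
"""
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass, field

# Constructed sample: a revenue projection sheet before and after an edit.
# The second version restores a rounded inflation modifier (1 -> 1.06) and
# also changes a unit price; both must be explained and signed off.
V1 = """item,units,unit_price,inflation
widgets,1000,2.50,1
gadgets,500,10.00,1
"""
V2 = """item,units,unit_price,inflation
widgets,1000,2.50,1.06
gadgets,500,9.00,1.06
"""


def load_cells(csv_text: str) -> dict[str, str]:
    """Map A1-style references to cell contents, so a reported change can be
    located in the original workbook (assumes fewer than 27 columns)."""
    cells: dict[str, str] = {}
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, value in enumerate(row):
            cells[f"{chr(ord('A') + c)}{r}"] = value
    return cells


def fingerprint(csv_text: str) -> str:
    """SHA-256 of the exported content, stored with each approved version."""
    return hashlib.sha256(csv_text.encode()).hexdigest()


def diff_cells(old: str, new: str) -> dict[str, tuple[str, str]]:
    """Return {cell: (before, after)} for every cell that differs."""
    a, b = load_cells(old), load_cells(new)
    return {ref: (a.get(ref, ""), b.get(ref, ""))
            for ref in sorted(set(a) | set(b))
            if a.get(ref, "") != b.get(ref, "")}


@dataclass
class ChangeRecord:
    version: int
    fingerprint: str
    changes: dict[str, tuple[str, str]]
    rationale: str
    approved_by: str


@dataclass
class ControlledSheet:
    """Keeps every approved version so that any change can be rolled back."""
    history: list[tuple[ChangeRecord, str]] = field(default_factory=list)

    @property
    def current(self) -> str:
        return self.history[-1][1]

    def baseline(self, csv_text: str, approved_by: str) -> ChangeRecord:
        rec = ChangeRecord(1, fingerprint(csv_text), {}, "initial baseline", approved_by)
        self.history.append((rec, csv_text))
        return rec

    def submit(self, csv_text: str, rationale: str, approved_by: str) -> ChangeRecord:
        """Accept a new version only with a rationale and a sign-off;
        every changed cell is logged with its before/after values."""
        if not rationale.strip() or not approved_by.strip():
            raise ValueError("change rejected: rationale and sign-off are required")
        changes = diff_cells(self.current, csv_text)
        if not changes:
            raise ValueError("change rejected: nothing differs from the current version")
        rec = ChangeRecord(len(self.history) + 1, fingerprint(csv_text),
                           changes, rationale, approved_by)
        self.history.append((rec, csv_text))
        return rec

    def verify(self, csv_text: str) -> bool:
        """Integrity check: does a copy in circulation match the approved version?"""
        return fingerprint(csv_text) == self.history[-1][0].fingerprint

    def rollback(self, version: int) -> ChangeRecord:
        """Reinstate an earlier approved version, recorded as a new change."""
        rec, text = self.history[version - 1]
        return self.submit(text, f"rollback to version {version}", rec.approved_by)


if __name__ == "__main__":
    sheet = ControlledSheet()
    sheet.baseline(V1, "controller")
    rec = sheet.submit(V2, "restore 6% inflation modifier; gadget price per Q3 list", "finance director")
    for ref, (before, after) in rec.changes.items():
        print(f"v{rec.version} {ref}: {before!r} -> {after!r}  ({rec.rationale}; {rec.approved_by})")
    print("circulating copy matches approved version:", sheet.verify(V2))
```

Running the block prints the three changed cells (the two inflation modifiers and the gadget unit price) alongside the rationale and approver, which is the record an auditor would expect to see for each version. The same fingerprint check is what lets you spot a copy of the workbook that has drifted from the approved version before it feeds a financial report.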
4: Beware the Orphans
When auditing spreadsheets, pay particular attention to the orphans: spreadsheets of unknown provenance which today still drive critical business processes. As Arthur C. Clarke wrote, "any sufficiently advanced technology is indistinguishable from magic," and as anyone who’s ever inherited a spreadsheet knows, some operate if not by magic, then at least through unintuitive logic that might take a lifetime to unravel.
Certainly, the average business user can’t be expected to accurately keep a 50-tab Excel workbook current.
5: Consider Versioning Software
The poster child of the spreadsheet world is Microsoft Excel. Until recently, however, software to manage Excel in regulated environments was scant. Beginning with Excel 2007, though, Microsoft itself began offering businesses a way to enforce change management, audit controls, and versioning for Excel spreadsheets. Together with SharePoint Server 2007, companies can even manage spreadsheets centrally and offer role-based access to HTML versions of spreadsheets.
By: James Tanner | 11/08/2009 | SecurityIn this the third technical article from Orthus that summarises much of the platform focused industry research that has taken place as regards issues associated with the security of virtualisation platforms, we outline the second of three categories of virtualised platform specific vulnerabilities, namely that of virtual machine environment protection bypasses.