They are cheap, widely used, highly effective, and dangerous if not used under proper supervision. Spreadsheets, starting in the 1980s with the humble Lotus 123, have evolved into formidable analytical engines, and are heavily used for planning and forecasting in businesses and for drawing up statutory accounts and reports.
They are also what are known as "end-user operated" programs, meaning they are developed and used by line managers and executives who do not come from the field of information technology. Departments can tailor them to their own uses and pass them on to others.
This decentralisation is part of the attraction because managers often cannot wait for pressured IT departments to come up with systems that will give them the answers and information that they need.
However, this is also part of the danger, says Justin Trentini, managing director in Australia of business and risk consultant Protiviti, which has recently drawn up a system of safeguards for handling spreadsheets.
"Spreadsheets are put together by people who are not trained in assessing risk or controlling information. There is often very little discipline around the development."
The dangers range from lack of security over information and potential theft or fraud, to errors in spreadsheets that can threaten havoc in a company. One large Australian bank ran into trouble in its United States lending portfolio when incorrect interest rate assumptions were fed into its financial modelling spreadsheets.
"They are rarely developed or used by experts, nor are they subject to proper controls, and this can lead to problems ranging from embarrassing calculation errors to disastrous business decisions," Trentini says.
The risks of spreadsheets were highlighted by the introduction of the Sarbanes-Oxley Act in the US, which mandated strict controls over financial reporting after the accounting scandals of 2001 involving Enron and WorldCom.
Big companies may have hundreds, even thousands, of spreadsheets in use, some of them feeding into their main annual accounts.
This proliferation continues. One oil refiner that Protiviti worked with was using 600 spreadsheets globally, some of them managing billions of dollars worth of activity, and with tens of thousands of formulas built into them. The potential for cumulative errors to tear through an organisation is clear.
Beware spreadsheet complacency
01 Create a library of critical spreadsheets and rate them according to the financial risk to the organisation. Software tools can scan spreadsheets to help with this.
02 Set up a control system with clear minimum standards and risks these can be measured against.
03 Make sure that the control system deals with access, back-ups, data input validation, integrity and security, etc.
04 Set up independent reviews of the adequacy of the controls either through a specialist team, internal audit, or a third party.
05 Monitor the company's exposure to spreadsheet risk through tracking the number of critical or complex spreadsheets being used by individual departments, or the volume of spreadsheet risk action plans being filed.
06 Train staff in spreadsheet risks. All users should understand minimum control standards, be aware when a particular spreadsheet is becoming critical to the organisation, and know who to talk to when a spreadsheet is becoming critical.
Source: Protiviti
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.