In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular, are trustworthy. But trust is not a good policy.
This same speculation is repeated in a TimesOnline article where it is claimed Jerome Kerviel was earning a relatively paltry (by bank standards) €100,000 ($145,000) per annum. In France that's in the top few per cent of earners but a fraction of what successful traders can make. The 'system' works because, as in any casino, winners score big. It has nothing to do with trust but a direct appeal to greed.
The Times article goes on to suggest that there is more to this than meets the eye. If the allegations are right, then Kerviel was executing what forensically is a simple and common fraud accountants term 'teeming and lading.' Borrowing from Peter to pay Paul. The fact Kerviel managed to hoodwink superiors indicates both failed process and a lack of basic audit understanding. Given the background to this spectacular case, you have to wonder where this spreads. In my opinion, it isn't just a matter of security but a fundamental lack of understanding around risk by everyone involved, including both internal and external auditors.
Which brings me onto a recent story about a rogue spreadsheet at Tucson Unified School District which ended up with 300 employees being overpaid $140,000. Spreadsheets are the staple of finance departments to the point where the major application vendors have given up trying to fight them off. It is the ultimate user-adopted program. Yet each year, tales emerge of significant errors arising because spreadsheets have not been authenticated, documented or tested. Why this continues to happen astonishes me and has been the subject of an annual rant I've penned for my UK accounting friends since 1999. Ray Panko of the University of Hawaii has been conducting a variety of studies tracking different types of spreadsheet error. KPMG regularly publishes statistics on the same subject. At last year's Eusprig Conference, it was said that:
Dean Buckner of the UK Financial Services Authority gave the Regulator’s View on the progress in the control of End User Computing (EUC) in the financial markets. His themes were echoed by many subsequent speakers.
1. Change of mindset. He referred to the acceptance that spreadsheets are not going to be replaced by bigger systems, but rather that they are here to stay.
2. User training. This is still shockingly neglected; he still finds dumb solutions that could be replaced by cleaner methods.
3. There is no accepted base of ‘good practice’.
4. Because of (3) there is therefore no accreditation of spreadsheet skills.
5. He sees increasing mention of spreadsheet controls in audit reports.
6. Data standards – including data quality in Access databases, created to get over the 65535 row limit in Excel prior to the 2007 version.
7. Software support – more tools and technologies are becoming available to manage spreadsheets.
Despite all the facts and stories, businesses of all sizes regularly make financial decisions based on spreadsheets. The parallels between SocGen and the spreadsheet problem may appear tangential but taken together they represent an appalling view of risk management at all levels. Just as we've not heard the last of the SocGen debacle, we will continue to hear horror stories about spreadsheet errors.