In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular are trustworthy. But trust is not a good policy.This same speculation is repeated in a TimesOnline article where it is claimed Jerome Kerviel was earning a relatively paltry (by bank standards) €100,000 ($145,000) per annum. In France that's in the top few per cent of earners but a fraction of what successful traders can make. The 'system' works because as in any casino, winners score big. It has nothing to do with trust but a direct appeal to greed. The Times article goes on to suggest that there is more to this than meets the eye. If the allegations are right, then Kerviel was executing what forensically is a simple and common fraud accountants term 'teeming and laldling.' Borrowing from Peter to pay Paul. The fact Kerviel managed to hoodwink superiors indicates both failed process and a lack of basic audit understanding. Given the background to this spectacular case, you have to wonder where this spreads. In my opinion, it isn't just a matter of security but a fundamental lack of understanding around risk by everyone involved including both internal and external auditors.
Despite all the facts and stories, businesses of all sizes regularly make financial decisions based on spreadsheets. The parallels between SocGen and the spreadsheet problem may appear tangential but taken together they represent an appalling view of risk management at all levels. Just as we've not heard the last of the SocGen debacle, we will continue to hear horror stories about spreadsheet errors.Dean Buckner of the UK Financial Services Authority gave the Regulator’s View on the progress in the control of End User Computing (EUC) in the financial markets. His themes were echoed by many subsequent speakers
1. Change of mindset. He referred to the acceptance that spreadsheets are not going to be replaced by bigger systems, but rather that they are here to stay.
2. User training. This is still shockingly neglected; he still finds dumb solutions that could be replaced by cleaner methods.
3. There is no accepted base of ‘good practice’.
4. Because of (3) there is therefore no accreditation of spreadsheet skills.
5. He sees increasing mention of spreadsheet controls in audit reports.
6. Data standards – including data quality in Access databases, created to get over the 65535 row limit in Excel prior to the 2007 version.
7. Software support – more tools and technologies are becoming available to manage spreadsheets.