Published on May 10, 2014
For most businesses, spreadsheets offer a simple way to perform key business functions, such as accounting, data analysis or chart creation. But many of the user-friendly advantages of spreadsheets also make them susceptible to data or security errors that can create nightmares for organizations if overlooked. According to the European Spreadsheet Risk Interest Group (EuSpRIG), a global resource for spreadsheet risk management, spreadsheet errors can have a tangible impact on companies ranging from lost revenue or fraud to poor decision-making or financial failure. In a recent survey by Forrester Research, only 10 percent of 155 IT decision makers surveyed said they provide an alternative to Microsoft Office. Although Excel is an excellent business tool, it still requires careful auditing, particularly as the complexity of a spreadsheet increases, says Jürgen Schmechel, owner of Capitalise-IT, a Sydney based consultancy specializing in spreadsheet auditing and business strategies for growing companies. By following best practices for spreadsheet use, whether Microsoft Excel or an alternative, many common problems can be prevented, he says. 1. Define parameters for use- “Complex spreadsheets in large enterprises normally involve several departments, and designing an effective template for each process is often necessary,” says Schmechel. By identifying requirements for spreadsheet use up front, companies can avoid common errors such as versioning mistakes or allowing the wrong person access. 2. Perform an audit- Identify the most critical spreadsheets used within your organization and ensure ad hoc sheets are not used for critical processes. “Logical handover processes for spreadsheets are crucial, especially when multiple departments are involved,” says Schmechel. 3. Don’t rely on document protections- Security features such as password protection, hiding or protecting sheets and other features are not actually designed to secure information and can be easily bypassed. “Many companies do not consider that software is readily available to crack passwords or are unaware that opening an Excel document on the iPad using a $10 app called Numbers will remove all perceived protection features such as hidden sheets,” says Schmechel. “The fact that third-party solutions also remove such so-called protection is another issue, with common examples including cloud offerings from Google GOOG +1.51% and Zoho,” he adds. Preventing this problem can be difficult without taking steps to better manage or secure files. 4. Determine sharing requirements- Make a distinction between spreadsheets designed for internal and external use, ensuring that confidential information or source data is not present in documents designed for third-party review. “Alternatively, use PDF format only for third parties,” says Schmechel. 5. Secure at the file level- Security must be enforced at a file level for true protection. “File or directory-based, read-only or edit permissions for internal spreadsheets is recommended, given the open nature of spreadsheets,” says Schmechel. 6. Utilize document management- Implement an internal document management system that includes file versioning, testing and approval processes before sharing takes place. 7. Don’t forget to check the work- Manual data entry and custom formulas must be checked to correct errors just like a spell-check is needed on text documents. Studies indicate that almost 90 percent of spreadsheets contain errors ranging from minor to severe. “Larger companies often base multimillion-dollar decisions on spreadsheet information that contains errors. If a $10,000 external audit ensures all data is correct, the expense is worth it,” says Schmechel. 8. Bring your own- With BYOD increasing, companies must also consider spreadsheet security for personal mobile devices and for documents created using software from home or freeware, such as Google Docs. Decide whether employees can send out spreadsheets to third parties or edit them on portable devices using Polaris Office, Kingsoft Office or other solutions. Alternatively, maintain all data on local servers, with remote access granted to approved staff and frequent audits from uninvolved parties.