Study unit 6: Spreadsheet security, risks and controls – page 210
02 Spreadsheet risks – page 211
– What are the risks that must be considered when using spreadsheets?
- Complexity: the more complex, the higher the risk
- Frequency of use and updating: higher frequency = higher risk
- Number of users using a spreadsheet: more users = higher risk
- Time in use: the longer in use, the higher the risk
03 Spreadsheet controls – page 212
– List the typical spreadsheet errors
- Accidental copy-paste
- Omission of a negative sign
- Erroneous range selection
- Incorrect data input
- Unintentional deletion of a character, cell, range, column or row
- Sorting of only a portion of the data range
– List the potential consequences of spreadsheet errors
- Financial loss / bankruptcy
- Incorrect costing / budgeting
- Public embarrassment / adverse news coverage / loss of reputation
- Loss of investor confidence
- Loss of share value
- Loss of financial control
- Career damage
04 Microsoft Office Excel security controls – page 213
- Make regular back-ups of spreadsheets
- Audit working versions of spreadsheets to check any changes made to ensure that the spreadsheet still works as it was intended.
- The use of tested and audited templates for frequently recreated spreadsheets can also decrease risks.
– List the appropriate controls that should be in place for the use of spreadsheets
- Change control
- Access control
- General security controls
- Input control
- Logical inspection
– Briefly describe appropriate change control in the use of spreadsheets
- To maintain data integrity, changes to formulas / functions need to be approved in writing after careful revision and acceptance thereof
– Briefly describe appropriate access control in the use of spreadsheets
To protect spreadsheets from unauthorised outside access.
- Low risk: password on user’s computer
- High risk: store the file on the server in a secure file directory, with access only for authorised users.
– Briefly describe appropriate general security control in the use of spreadsheets
- Relating to file access controls
– Briefly describe appropriate input control in the use of spreadsheets
– Briefly describe appropriate logical inspection in the use of spreadsheets
An independent person other than the spreadsheet user should test the formulas and functions for correctness. Only one logical inspection per spreadsheet is required if the other controls are working effectively.
Another facet of logical inspection is the inclusion of fixed values in formulas.
A formula should never contain a fixed (“hard-coded”) value. Even “permanently” fixed components (e.g. tax rate) can change in the context of business operations.
Password protection is regarded as good practice:
- Do not share the password with anyone
- Do not write the password down and place it where people can find it
- Do not use an obvious password (e.g. birthdays or names) that someone could easily guess
- Use a combination of letters and numbers
- Include uppercase and lowercase letters, numbers, and symbols in the password.
- Use numbers to represent letters, for instance, 3 for e and 1 for i
- Passwords should be eight or more characters in length.
- Change passwords regularly if needed