Conference programme. Some papers are available for download by kind permission of the authors.
Wed July 6 – Patrick O'Beirne, '47 key practices to detect and prevent errors'. Presented the ECDL syllabus for 'Spreadsheet Check+Control' to an interactive audience, with a challenging debate on what are priority areas vs. what are minor issues.
The day was marked by the tragic bombings in London, but the conference organisers responded to reassure delegates.
Keynote 1: Regulatory Update – Dean Buckner, Financial Services Authority (UK). He reported some progress since he first addressed Eusprig in 2003, but it was not all good news. Management need to explicitly address the need for training – which would mean that they recognise the possibility of error and accept the fact that "tactical" (i.e. short-term) spreadsheet solutions are really here to stay. He believes that Eusprig should have a view on what is good practice. The biggest problem is the use of spreadsheets for data processing – i.e. reformatting, transfer, conversion, filtering, and restructuring.
Welcome address: Tessa Blackstone, Vice-Chancellor of the University of Greenwich. She welcomed us back to Greenwich after five years and noted that Greenwich is currently the only university in the UK with a PhD graduate in spreadsheet integrity.
Keynote 2: Spreadsheet management and remediation program – Barry Pettifor, PriceWaterhouseCoopers LLP (UK). He listed twelve client issues in three areas – efficiency, controls, and modelling. He regards it as acceptable to use spreadsheets to analyse data, but not to link them, re-enter data, or use them as data massagers. He recommends that business understand the big picture of data flow and look for improvement opportunities in people, process, technologies, governance, and standards.
Paper 3: "Sarbanes-Oxley: What About All the Spreadsheets?" – Ray Panko, University of Hawai'i (US). He pointed out that the logical consequence of a normal 5% cell error rate is that nearly all spreadsheets have errors. He gave an overview of SOX, PCAOB, COSO, and CobiT. He stressed the importance of testing as a control on spreadsheets, as it is on any information system, both execution testing and code inspection. He discussed the specific features that distinguish controls on intentional fraud from those on accidental error.
Paper 4: "Spreadsheet risks and accountability" – Pat Cleary and Lynne Norris-Jones, University of Wales Institute Cardiff (UK) summarised regulatory legislation: Basel II, IFRS, Higgs, and the UK Companies Act. Lynne invited discussion on to what extent an organisation and its directors may be criminally liable for loss from a decision based on a faulty spreadsheet.
Paper 5: "Protecting Spreadsheets against Fraud" – Roland Mittermeir, University of Klagenfurt (AT). He described reviews, inspections, testing, assertions, and authentication as they apply to spreadsheets. The detection and prevention of errors arising from mistakes can be assisted by technical means. On the other hand, perpetrators of fraud often take countermeasures for concealment. Therefore different strategies are required, more like those in conventional software application systems.
Paper 6: "The importance and criticality of spreadsheets in the City of London" – Grenville Croll, Frontline Systems (UK) Ltd. He reported on a survey of 23 professionals in the £13Bn financial services sector. The interviewees said that spreadsheets were pervasive, and many were key and critical. There is almost no spreadsheet software quality assurance, and people who create or modify spreadsheets are almost entirely self-taught. Two of them each disclosed a recent instance where material spreadsheet error had led to adverse effects involving many tens of millions of pounds.
Paper 7: "Regulation and the integrity of spreadsheets in the information supply chain" – Ralph Baxter, ClusterSeven (UK). He illustrated how spreadsheets plug the gap between changing user requirements and conventional IT system delivery. He reviewed the regulatory landscape and characterised the responses of business as spreadsheet lockdown, auditing tools, and change management with audit trails of all changes.
Paper 8: "Qtier-Rapor: Spreadsheets in compliance with the Sarbanes-Oxley act" – Keith Bishop, Qtier Software Ltd. (UK). He discussed the options in change control, version control, access control, authentication, and archiving.
Paper 9: "Breaking out of the Cell: on the benefits of a new spreadsheet user-interaction paradigm" – Ziv Hellman, Inrise Financials Inc (IL). He described a move from the cell-matrix paradigm to a text-based modelling language using business algebra that generates spreadsheets.
Paper 10: "Controlling the information flow in spreadsheets" – Sangeeta Patni, Extensio Software Inc (US). She described a services-oriented architecture for database access, comparing it to copy/paste, text file importing, ODBC, web services, and add-ins.
Paper 11: "Developing an auditing protocol for spreadsheet models" – Stephen Powell, Dartmouth College (US). He reported on their experience with two representative tools (XLAnalyst and Spreadsheet Professional), in their Software Engineering Research Project (SERP). He described the protocol they use to methodically analyse a spreadsheet and record findings. They are collecting spreadsheets for analysis and asked for submissions.
Paper 12: "The use of spreadsheets to enable Sarbanes-Oxley 404 compliance" – Adrian Carter, Smarttech CS (UK). He outlined the procedural and technical controls that a company might apply, following the standard cycle of inventory – assess – analyse – validate – remediate. He described the controls in the Wimmer Systems DACS system that included lockdown, digital signatures and audit trail recording. (Smarttech were the main sponsors of Eusprig 2005.)
At the evening dinner, Ray Panko gave a keynote address that ended with an appeal for Eusprig to hold a conference in Hawai'i, referred to humorously as the Sandwich Islands.
Fri 8 July.
Paper 13: "Why, how, and when spreadsheet tests should be used" – John Nash and Jody Goldberg, University of Ottawa (CA). Jody Goldberg described a large corpus of spreadsheet function tests used by the Gnumeric project to validate its accuracy against both Excel and mathematical conventions.
Paper 14: "Exploring human factors in spreadsheet development" – Simon Thorne, University of Wales Institute Cardiff (UK). He described the unstructured approach of spreadsheet developers and their overconfidence. He explained the theory of human learning, memory, errors, hypothesis fixation, and the tendency of people to latch on to hypotheses that confirm their prejudice.
Paper 15: "Excelsior: bringing the benefits of modularisation to Excel" – Jocelyn Paine (UK). He described a text-based language for specifying modules and their transformation to build spreadsheet models, using Prolog. He cited some examples of its application to corrections and style checking.
Paper 16: "A revised classification of spreadsheet errors" – Kamalasen Rajalingham, University of Westminster (UK). He revisited early work reported at the first Eusprig conference in 2000. He described a binary tree structure rather than the conventional multi-branched taxonomy of error types. This permits the creation of questions that assign errors to mutually exclusive categories.
Paper 17: "Comparison of spreadsheets with other development tools (limitations, solutions, workarounds, and alternatives)" – Simon Murphy, Codematic Ltd. (UK). He gave illustrations of how common suggestions to make spreadsheets safer can be subverted. He suggested that spreadsheets are best fitted to be prototyping tools.
Paper 18: "Remediation services for Excel, a comprehensive approach" – Jan Pruis, Scientific Software (NL). He described the use of their Enterprise Content Management System (ECMS) for spreadsheet lockdown, security, and audit trails.
Paper 19: "Archiving: the overlooked spreadsheet risk" – Victoria Lemieux, Credit Suisse First Boston (UK). She discussed the risks of insecure archives in the context of legislation that requires record retention, including computer-based files and software assets.
The closing panel discussion centred on the need for EuSpRIG to produce or endorse statements of good practice in spreadsheet design and use to help users comply with the increasing expectations from regulators and stakeholders for risk-managed, accurate financial statements and business decisions.
The conference ended with the Eusprig Biennial General Meeting. Leon Strous (Netherlands Central Bank) stood down and was thanked for his long contribution to the work of the committee. Louise Pryor was elected to the organising committee for our 2006 conference in Cambridge, UK.
A meeting was held to discuss research collaboration with the SERP project of Dartmouth College, at which many useful ideas and information resources were exchanged.
In conclusion, Eusprig are happy to declare their 2005 conference to be not only their biggest, but the best and most forward-looking meeting yet!
Patrick O'Beirne
Chair, 2005