05-08 Contents: Eusprig 2005 report, Spreadsheet Book Reviewers, Audit Training Course
ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0508.htm
Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success
IN THIS ISSUE

1) Risk & Security
• Companies unclear on credit-card security requirements
• Hold off on ZoneAlarm 6.0 for a while
• European Spreadsheet Risk Interest Group 2005 conference

2) Spreadsheet Check and Control
• Magazine and Journal Reviewers wanted

3) Training course in how to audit spreadsheets

4) Off Topic
• Fun with numbers

7 Web links in this newsletter
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information
_______________________________________________________
This month, I'm asking you to let me know what magazines and journals you find best for technical, computer, and business book reviews. Enjoy your holidays!
Patrick O'Beirne
_______________________________________________________
1) Risk & Security
Companies unclear on credit-card security requirements
More than half of the IT professionals in a recent survey said their companies do not fully understand the requirements mandated by the Payment Card Industry (PCI) Data Security Standard (Security Consultant Magazine Jul-01-05). http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=f1cc23a5-1372-4317-8b7d-73e79abe46a0
Hold off on ZoneAlarm 6.0 for a while
I had to revert to 5.5.094 because 6.0 consistently rebooted my PC when I tried to edit an HTML file. I've set the auto-update to remind me in 30 days, then I'll check the Zone Labs forums first.
European Spreadsheet Risk Interest Group 2005 conference
The conference summary is at http://www.eusprig.org/gre2005.htm. Copies of the proceedings can be bought by emailing membership at eusprig.org, and a compendium of the proceedings of the first five years of Eusprig is also available.
I won't go into the details here, but a few selected highlights are:
July 7 was marked by the tragic bombings in London, but the conference organisers responded to reassure delegates.
"Regulatory Update" - Dean Buckner, Financial Services Authority (UK). He reported some progress since he first addressed Eusprig in 2003, but not all good news. Management need to explicitly address the need for training – which would mean that they recognise the possibility of error and accept the fact that "tactical" (i.e. short-term) spreadsheet solutions are really here to stay. He believes that Eusprig should have a view on what is good practice.
"Sarbanes-Oxley: What About All the Spreadsheets?" – Ray Panko, University of Hawai'i (US). He pointed out that the logical consequence of a normal 5% cell error rate is that nearly all spreadsheets have errors. He gave an overview of SOX, PCAOB, COSO, and CobiT. He stressed the importance of testing as a control on spreadsheets, as it is on any information system, both execution testing and code inspection. He discussed the specific features that distinguish controls on intentional fraud from those on accidental error. That issue was also addressed in "Protecting Spreadsheets against Fraud" by Roland Mittermeir of the University of Klagenfurt (AT). The detection and prevention of errors arising from mistakes can be assisted by technical means. On the other hand, perpetrators of fraud often take countermeasures for concealment. Therefore different strategies are required, more like those in conventional software application systems.
"The importance and criticality of spreadsheets in the City of London" – Grenville Croll, Frontline Systems (UK) Ltd. He reported on a survey of 23 professionals in the £13Bn financial services sector. The interviewees said that spreadsheets were pervasive, and many were key and critical. There is almost no spreadsheet software quality assurance and people who create or modify spreadsheets are almost entirely self-taught. Two interviewees each disclosed a recent instance where material spreadsheet error had led to adverse effects involving many tens of millions of pounds.
"Developing an auditing protocol for spreadsheet models" – Stephen Powell, Dartmouth College (US). He described the protocol they use to methodically analyse a spreadsheet and record findings. They are collecting spreadsheets for analysis and asked for submissions.
A number of vendors presented solutions to lock down spreadsheet use, and monitor and control access to them.
The closing panel discussion centred on the need for EuSpRIG to produce or endorse statements of good practice in spreadsheet design and use, to help users comply with the increasing expectations from regulators and stakeholders for risk-managed, accurate financial statements and business decisions.
In fact, a member of the Eusprig Yahoogroup, Phil Bewig, has contributed a 16-page paper 'Principles, Techniques and Practice of Spreadsheet Style' which is currently being discussed at http://groups.yahoo.com/group/eusprig (membership required for access, free). My own book (see below) also presents 47 'best practices' for spreadsheet check and control.
____________________________________________________________
2) Spreadsheet Check and Control
Magazine and Journal Reviewers wanted
'Spreadsheet Check and Control: 47 key practices to detect and prevent errors' ISBN 1-905404-00-X
I am currently sending out advance review copies to magazines and journals. If you know of an influential reviewer who should see this book, please tell me!
With the current focus on Sarbanes-Oxley section 404 compliance, business readers want to know how to exercise better internal controls on financial reporting, most of which depends on accurate spreadsheets. The approach to responsible computing can best be characterised as 'internalised control'. This book equips users with the skills they need to check and control their own work.
It covers these skills:
____________________________________________________________
3) Training course in how to audit spreadsheets
The intended audience is anyone who builds or reviews spreadsheet models, such as managers, accountants, actuaries, financial modellers, or IT analysts in enterprise SOX IT audits. You need to have an intermediate or advanced knowledge of Excel. You should leave the seminar with the confidence to use the tools and methods shown to risk-assess and test spreadsheets in your organisation.
• Where to start and what are the most efficient techniques to use
• How you can cut down a huge system of spreadsheets to a manageable audit task
• The symptoms that indicate potential or actual problems
• How a company can create an inventory of its critical spreadsheets, assess them for risk, and prioritize scarce resources
• How the top spreadsheet auditing software tools compare, including little-used secrets of Excel's auditing features
• Includes a copy of "Spreadsheet Check and Control", with 47 professional checking techniques
• Reinforce your learning with an optional two hours of hands-on practice using your preferred auditing tool on your laptop
• Demonstration versions of auditing software made available on request
The detailed course syllabus and enquiry form is at http://www.sysmod.com/spreadsheet_auditing.htm
_______________________________________________________
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne, Editor
_______________________________________________________
4) Off Topic
Fun with numbers
PrimeSurprises create personalised prime numbers to suit every occasion. Using personal information such as birthdays (e.g. 10121975, 11061963), wedding dates, years of marriage, years of service, lucky numbers, telephone numbers or other numeric information, Grenville Croll creates a very large prime number (at least 500 digits) to celebrate your special occasion.
Eusprig used this service to present our guest speaker, Ray Panko, with his very own prime number after his after-dinner speech at Eusprig 2005.
_______________________________________________________
Copyright 2005 Systems Modelling Limited, http://www.sysmod.com.
Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received
this newsletter from anybody else, we urge you to sign up for your personal copy
by sending a blank email to EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the
EuroIS list makes it easy for you to discuss issues raised, to share experiences
with the rest of the group, and to contribute files to a common user community
pool independent of the sysmod.com web site. I will be moderating posts to the
EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen
to reflect our focus on practical solutions to IS problems, avoiding hype. If
you like acronyms, think of it as "Patrick's reports and analysis across
Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at
http://www.sysmod.com/praxis.htm
DISCLAIMER
This newsletter is prepared in good faith and the information has been taken
from observation and other sources believed to be reliable. Systems Modelling
Ltd. (SML) does not represent expressly or by implication the accuracy,
truthfulness or reliability of any information provided. It is a condition of
use that users accept that SML has no liability for any errors, inaccuracies or
omissions. The information is not intended to constitute legal or professional
advice. You should consult a professional at Systems Modelling Ltd. directly for
advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to
anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers
a moderated discussion list for readers and a free shared storage area for
user-contributed files. The archives of this group are on YahooGroups website
http://finance.groups.yahoo.com/group/EuroIS/
_______________________________________________________