Businesses where staff use Excel spreadsheets to develop applications quickly and cheaply aren't paying enough attention to the operational risks they run -- especially when the spreadsheets link to back-end systems.
"Microsoft never intended Excel to be an enterprise application. Users are today placing undue trust in Excel, and errors go undetected for a long time," said Ewen Ferguson, senior manager at risk consultancy Protiviti, in a presentation at the European Computer Audit Control and Security Conference in Stockholm.
Today companies are even using Excel as an interface to their ERP (enterprise resource planning) systems, something that worries Ferguson.
"I think it's a misconception that anyone can build well-designed spreadsheets, and that's a part of the problem," he said.
Poor use of spreadsheets can lead to financial losses, directly or indirectly.
Ferguson illustrates how easy it is for things to go wrong with an example from real life.
An employee at a company developed a spreadsheet that tagged some cells in pink to indicate they should be included in a particular calculation. He then turned the spreadsheet over to someone else, who after a while came back and said it didn't work.
"He didn't like pink so he changed to a different color, which broke the spreadsheet," said Ferguson.
For companies that want to tackle their spreadsheet problems, there are solutions.
Protiviti, for example, has developed a framework to simplify the task. It has four stages, starting with the identification of critical spreadsheets, and ending with the implementation of controls.
"It's not rocket science, but it can help," said Ferguson.
There are also a number of vendors that sell Excel-specific products, including ClusterSeven and Compassoft.
With Compassoft Enterprise companies can manage and control spreadsheets based on a risk policy, automating the discovery and prioritization of spreadsheets.
ClusterSeven Enterprise Spreadsheet Manager monitors important spreadsheets so that you can trust their integrity.
In Europe there is also the European Spreadsheet Risks Interest Group, which runs an annual conference on the subject.