Spreadsheets Still Subject to Fraud Target
I wrote about this type of fraud last year. Whether creating or updating reports for senior management, or keeping track of equipment inventories - or the hundreds of other uses for spreadsheets - financial institutions depend on these workhorses to retain and create repositories of valuable data.
Without even considering the external threats that flaws in Microsoft Excel spreadsheets pose, the concern that many institutions may overlook is the potential for fraud perpetrated by employees.
With the sheer number of user-developed applications, the need for properly auditing these spreadsheets is now.
The Institute of Internal Auditors recently filled a hole in their practice recommendations related to technology risks created by users via databases and spreadsheets. This is a move whose time has come, and Ralph Baxter, an executive at ClusterSeven, showed it to me. With the sheer number of user-developed applications, especially financial applications using Excel, the need for properly auditing these spreadsheets is now.
Having the auditors' body finally acknowledge not only the value of spreadsheets in the workplace, but the potential damage they can do without proper monitoring, is like turning on the refrigerator light by slightly opening the fridge door. Hasn't that light always been on anyway, or just when you open the door? Wasn't the IIA recommending this anyway, or only when a problem was found by accident? To understand more about this topic, check out the latest release of the Global Technology Audit Guide (GTAG).
Since I wrote about three types of spreadsheet fraud last year, there have been some evolutions, and here's how Ralph Baxter explains them:
- Presentation Fraud: Here the spreadsheet is set to display and print different numbers to those calculated. Common examples are hidden rows or columns, or setting the font color to be the same as background. Less well known is conditional formatting. This can change or hide data depending on its value.
- Data Fraud: Here input data for an otherwise correct spreadsheet are replaced by false values. For example, spreadsheet links may be redirected to alternative data sources, changing the spreadsheet results.
- Incremental Fraud: This is seen in communities where bonuses are calculated on the value of a changing portfolio of many items (e.g., trading). Over multiple days, the fraudster sequentially adds a small amount to a cell buried in the detail of the spreadsheet. The incremental approach avoids sudden output changes that might generate suspicion. Over time, the adjustments contribute a material difference, triggering the payment of the performance bonus. Thereafter, the increments are then removed on a similarly gradual basis. By the end of the process, all evidence of the manipulation has been removed but the trader has retained their bonus.
- Burial Fraud: Here a fraudulent change is made to a key transaction in a list, and the user then sorts the list using standard spreadsheet functionality. With thousands (or more) transactions, such a change is virtually impossible to locate manually.
- Function Fraud: This makes use of the extensible nature of advanced spreadsheets such as Excel to create new functionality beyond standard cell-based formulas. It includes the fraudulent manipulation of macros or UDF (user defined functions) that are difficult for an average user to understand.