PraxIS August 2004

04-08 Contents: P2P leaks, free audit programs, risk newsletter, IT waste, Euro & Oil, EU Constitution, Spreadsheet conference report

ISSN 1649-2374 This issue online at      [Previous] [Index] [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
    Are P2P networks leaking military secrets?
    Audit programs - freely shared
    Newsletter on risk management
2) Another Government IT project story
    $500 million and counting
3) European affairs
    The PetroEuro?
    Eurobarometer - the future European Constitution
4) Spreadsheets
    Eusprig 2004 Conference report
5) On the lighter side
    Inspirational posters
    Preparing for emergencies - the unofficial guide
14 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

Travelling on holidays this month? Tell a news, business, or travel portal about our daily updated online euro-based foreign exchange calculator that they can include on their site for free!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Are P2P networks leaking military secrets? reported by John Borland CNET July 27, 2004

"A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella. The 'See What You Share' site has been online for a week and has published photos ranging from a crashed military jet to a screenshot of a spreadsheet file that appears to include names, addresses and telephone numbers of marines".


Audit programs - freely shared

The following collection of audit work programs were contributed by auditors from around the world. 33 programs were added in July 2004 alone!

A. Management and financial audit programs (591 plus 87 Internal control questionnaires)
B. Information systems technology audit programs (248)
C. Mainframe and technical audit programs (67)


Newsletter on risk management in financial services, operational risk and EUC

Louise Pryor, who spoke at the 2004 Eusprig conference reported below, has a monthly newsletter on risk management archived at

She reported a personal experience of a bank who appears to be doing little to prevent fraud. After a fraud report, they destroyed the Switch card and said that they would issue a new one. When she received her bank statement, it had the expected credit, but also included three more purchase at the same petrol station in the Isle of Dogs. These were all dated well after the original report of the fraud. This appears to mean that stopping the old card made no difference whatsoever. She asks "Surely a bank can spot a transaction that uses an invalid card number? The only other explanation is that the new card details were used, in which case the only possible source was the bank itself. Either way, the bank isn't doing much to prevent fraud. The amounts involved aren't large, but it doesn't really give me much confidence in the bank's ability to get other things right."



2) Another Government IT project story

$ 500 million and counting

The Risks Digest reports another jaw-dropping government project mess at
How costly computer sparked a `nightmare': 'Government estimates fixing flaws could top $10 million'

"In Jan 1997 then-premier Mike Harris contracted with Andersen Consulting to revamp the Ministry of Community and Social Services' outdated computer system. But a two-year independent study of the $500 million computer system has concluded that it has been seriously flawed from the very beginning and virtually incapable of making timely changes. The system, responsible for distributing welfare and disability benefits to 670,000 Ontarians, is unable to calculate a 3 per cent increase, the first rise in 11 years. It's going to cost at least $10 million to fix the problem -- $3 million to correct the computer system and an additional $7 million to test it."

What computer consultants want to know is, "how do I get customers like that?"  Unless, of course, the answer is to meet Andersen's fate.


3) European affairs

The PetroEuro?

With the current rising price of oil, Rory Kearns of the Open University drew my attention to an article 'The dollar dilemma' in the Australian Financial Review, June 2004 at

"The convention whereby the dollar is given a transcendent value as an international currency ... is a means of credit appropriated to one state. " Charles de Gaulle, 1965.

This article argues that since 1988 the rapid role reversal from world's banker to world's biggest debtor has allowed US business to invest substantially (notably in information technology) without requiring Americans to reduce their consumption, and permitted tax cuts rather than private sector investment.  The author, Niall Ferguson, says that the central banks of Asia are willing to buy the new bonds issued by the US treasury at remarkably high prices, which keeps the Asian economies' exports competitive in the US while at the same time giving Americans a seemingly limitless low interest credit facility to run up huge private and public sector debts. He concludes "It is not clear when exactly the dollar usurped the pound. But once it did, the turnaround was rapid. If the euro has already nudged in front, it may not be long before oil producers club together to price their black gold in the European currency (an idea that must surely appeal to anti-American producers like Venezuela and Malaysia)."

That last point is one that is argued in Cóilín Nunan's article 'Oil, Currency and the War on Iraq' which refers to a longer paper by William Clark, 'The Real Reasons for the Upcoming War With Iraq: A Macroeconomic and Geostrategic Analysis of the Unspoken Truth', (January 2003), 


Eurobarometer - the future European Constitution (July 2004)

The percentage of respondents who considered themselves well informed varied from 11% in Finland to 38% in Belgium, Ireland and Slovenia and 43% in Luxembourg. A significant factor is the level of education: the more well-educated prefer press and brochures for information on the EU, the less prefer radio and television.

79% of citizens are in favour of the adoption of a Constitution by the European Union. This proportion has risen slightly since January 2004 (+ 2 points). Respondents of the fifteen pre-enlargement Member States seem more often to be "rather favourable" to this proposal, whereas the responses in the new Member States stagnated.

A majority of European Union citizens (61%) say they rather agree with the "two-speed Europe" proposal according to which the Member States that so wish could increase their cooperation without waiting for the others.

Slightly more than four European citizens out of ten answered "yes" correctly when asked if it is possible for one million European Union citizens to invite the European Commission to submit a proposal.

Another poll:

In the EUBusiness poll on the EU Constitution, of the more than 9,000 who voted, 60 per cent said they would sign up to the Constitution, while 37 per cent were against it. A mere 1 per cent said they don't know enough about it. View the results at


4) Spreadsheets

Eusprig 2004 Conference report

This amazing event showed the European Spreadsheet Risk annual conference maturing in strength and content. We were fortunate to have it in a beautiful lakeside location, and to have the benefit of professional organisation that was much appreciated. The number and quality of papers presented was higher than ever before. As a result, our previous two-half-day format was expanded to almost two days!

The presentation slides are available at: 

We began with a well-attended tutorial briefing by Ray Butler and Louise Pryor on Wednesday evening on "Spreadsheets, their Use, their Problems and Risks".

Dean Buckner of the UK FSA delivered the keynote address on "Appropriate Control of User Development Solutions in the Banking Sector". As a regulator, he sees many banks who do not know how dependent they are on end-user developed spreadsheet and database applications, and he described how some have suffered severe disruption when the IT administrators migrated systems without taking these thousands of "islands of automation" into account. His talk echoed David Colver's in that risk and impact assessment is needed for a wise choice of appropriate controls.

David Colver of Operis UK stimulated much interest with his talk on "Spreadsheet Good Practice: Is There Any Such Thing?" In this, he took the Operis two-day course in spreadsheet methodology, condensed it to a half hour, and then presented a counter-argument for each point. It made it clear that circumstances alter cases, and that "best practice" depends on the specific context in which a spreadsheet model is used.

Thomas A. Grossman and Özgür Özlük from universities in San Francisco presented "A Paradigm for Spreadsheet Engineering Methodologies". Tom's lively presentation style got the audience involved in a thought-provoking session. So let me now pose Tom's question to you, the reader: "What do see as the value proposition of spreadsheet risk management?" If that sounds like American management jargon, try "What's the benefit of imposing more controls on spreadsheet development and use?" To start you thinking, how about "Stay out of jail by being able to demonstrate for SOX purposes that material risks are managed."

Ralph Baxter of Cluster Seven presented "Auditability and other Benefits Derived from a Temporal Dimension". The idea of change monitoring, as described in the XiGence system, was new to some delegates. Recognising the difficulty of imposing controls, many were interested in at least keeping a close track on what changes are made to spreadsheets on a server.

Louise Pryor's talk on "When, why and how to test spreadsheets" explained the difference between structural review which audit tools do and dynamic testing, which her product Xlsior assists. She described the key concepts of unit test, system test, and regression test.

Hilary Emmett of Decisioneering spoke on "Identification of logical errors through Monte Carlo simulation". This is also a form of dynamic testing, where the range of values used in simulations can stress spreadsheets and show their weak points.

Markus Clermont of the University of Limerick presented "A Toolkit for Scalable Spreadsheet Visualisation". This is a Gnumeric plug-in that looks for structural similarities in spreadsheet formulas, to get a clearer idea of its overall organisation, devise auditing strategies, and assist in fault tracing.

Sabine Hipfl of the University of Klagenfurt presented "Using Layout Information for Spreadsheet Visualization". This took a different approach to Markus Clermont in that it looked for data patterns that might show more clearly blocks of related information. A comment from one of the delegates indicated that she might also use blank rows and columns to help delineate areas.

Andrej Bregar of the University of Maribor presented "Spreadsheet Models Complexity Metrics". This applied and adapted conventional software engineering complexity measures to the spreadsheet application. He used concepts of distance, dependencies, and logic branches to show how one might measure how complex and difficult a given spreadsheet is.

Simon Thorne of the University of Wales in Cardiff won the student paper prize with "A novel approach to formulae production and overconfidence measurement to reduce risk in spreadsheet modelling". This study produced data to show that when given an English description of a calculation, people made fewer errors when producing data to illustrate a correct result, than to create the formula itself.

Garry Cleere of the ECDL Foundation presented a draft version of a new syllabus for "Spreadsheets Good Practice" and invited comments and contributions from the delegates. This should stimulate some debate!

Karin Hodnigg of the University of Klagenfurt presented "Computational Models of Spreadsheet-Development: Basis for Educational Approaches". This probed into the different meanings that spreadsheet operations have, and how they can confuse new users. For example, a cut-and-paste operation has different effects from a copy-and-paste.

John Nash of the University of Ottawa described the recent developments in his research project "TellTable Spreadsheet Audit: from technical possibility to operating prototype". Like the ClusterSeven product, this tracks spreadsheet changes; by contrast, it works in Linux and is strictly server-based.

Gary K. Arakaki could not attend to present "XlStruct: A Tool for Building Structured Error-Resistant Spreadsheets" but Simon Thorne stood in for him.

In the panel session at the end, we agreed that we needed to do more to promote Eusprig. Several speakers from prominent consulting and technology companies offered to mention the next conference in emails to their user base of many thousands of modelling users.

European Spreadsheet Risks Interest Group: 

Spreadsheet Model Review / Audit / Test

Recent news of fraud and expensive mistakes requiring compensation have prompted leading banks, financial institutions, manufacturing, and service industries to take a harder look at the risks they are exposed to from spreadsheet applications.

I have been involved with spreadsheets and modelling over many years. In the five years since the foundation of Eusprig, I have developed a particular expertise in detailed testing of spreadsheet models and their structural integrity.  In common with other practitioners, I have found that every customer is always surprised at the defects that are uncovered.

When you are reviewing  your internal controls, whether for Sarbanes-Oxley (SOX) or other compliance concerns, call on me for a thorough review of your spreadsheet applications. Phone +353 55 22294 or email me .



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

If you like the newsletter, a great way to show your support is to make your next book or CD purchase from our Amazon shop page!

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) On the lighter side

Inspirational Posters  has an innovative line in (de-)motivational posters. High quality photographs are given captions that comment on the reality of corporate life. When you can't take any more of the "inspirational" schlock that gets dished out to distract people from facing the facts, take a look here. This site is not accessible to those with an irony deficit.

Preparing for emergencies - the unofficial guide

Spot the difference: 

I am told that "the people responsible for the first one have written a huffy email to the people responsible for the second one."


Copyright 2004 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website 

    [Previous] [Index] [Next]