PraxIS August 2005

05-08 Contents: Eusprig 2005 report, Spreadsheet Book Reviewers, Audit Training Course

ISSN 1649-2374

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Companies unclear on credit-card security requirements
     Hold off on ZoneAlarm 6.0 for a while
     European Spreadsheet Risk Interest Group 2005 conference
2) Spreadsheet Check and Control
     Magazine and Journal Reviewers wanted
3) Training course in how to audit spreadsheets

4) Off Topic
     Fun with numbers
7 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

This month, I'm asking you to let me know what magazines and journals you find best for technical, computer, and business book reviews. Enjoy your holidays!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Companies unclear on credit-card security requirements

More than half of the IT professionals in a recent survey said their companies do not fully understand the requirements mandated by the Payment Card Industry (PCI) Data Security Standard (Security Consultant Magazine Jul-01-05). 

Hold off on ZoneAlarm 6.0 for a while

I had to revert to 5.5.094 because 6.0 consistently rebooted my PC when I tried to edit an HTML file. I've set the auto-update to remind me in 30 days, then I'll check the Zone Labs forums first.

European Spreadsheet Risk Interest Group 2005 conference

The conference summary is at Copies of the proceedings can be bought by emailing membership at, and there is also available a compendium of the proceedings of the first five years of Eusprig.

I won't go into the details here, but a few selected highlights are:

July 7 was marked by the tragic bombings in London, but the conference organisers responded to reassure delegates.

"Regulatory Update" - Dean Buckner, Financial Services Authority (UK). He reported some progress since he first addressed Eusprig in 2003, but not all good news. Management need to explicitly address the need for training, which would mean that they recognise the possibility of error and accept the fact that "tactical" (i.e. short-term) spreadsheet solutions are really here to stay. He believes that Eusprig should have a view on what is good practice.

"Sarbanes-Oxley: What About All the Spreadsheets?" Ray Panko, University of Hawai'i (US). He pointed out that the logical consequence of a normal 5% cell error rate is that nearly all spreadsheets have errors. He gave an overview of SOX, PCAOB, COSO, and CobiT. He stressed the importance of testing as a control on spreadsheets, as it is on any information system, both execution testing and code inspection. He discussed the specific features that distinguish controls on intentional fraud from those on accidental error. That issue was also addressed in "Protecting Spreadsheets against Fraud" by Roland Mittermeir of the University of Klagenfurt (AT). The detection and prevention of errors arising from mistakes can be assisted by technical means. On the other hand, perpetrators of fraud often take countermeasures for concealment. Therefore different strategies are required, more like those in conventional software application systems.

"The importance and criticality of spreadsheets in the City of London" Grenville Croll, Frontline Systems (UK) Ltd. He reported on a survey of 23 professionals in the 13Bn financial services sector. The interviewees said that spreadsheets were pervasive, and many were key and critical. There is almost no spreadsheet software quality assurance and people who create or modify spreadsheets are almost entirely self-taught. Two each disclosed a recent instance where material spreadsheet error had led to adverse effects involving many tens of millions of pounds.

"Developing an auditing protocol for spreadsheet models" Stephen Powell, Dartmouth College (US). He described the protocol they use to methodically analyse a spreadsheet and record findings. They are collecting spreadsheets for analysis and asked for submissions.

A number of vendors presented solutions to lock down spreadsheet use, and monitor and control access to them.

The closing panel discussion centred on the need for EuSpRIG to produce or endorse statements of good practice in spreadsheet design and use, to help users comply with the increasing expectations from regulators and stakeholders for risk-managed, accurate financial statements and business decisions.

In fact, a member of the Eusprig Yahoogroup, Phil Bewig, has contributed a 16-page paper 'Principles, Techniques and Practice of Spreadsheet Style' which is currently being discussed at (membership required for access, free). My own book (see below) also presents 47 'best practices' for spreadsheet check and control.


2) Spreadsheet Check and Control book

'Spreadsheet Check and Control: 47 key practices to detect and prevent errors' ISBN 1-905404-00-X

I am currently sending out advance review copies to magazines and journals. If you know of an influential reviewer who should see this book, please tell me!

With the current focus on Sarbanes-Oxley section 404 compliance, business readers want to know how to exercise better internal controls on financial reporting, most of which depends on accurate spreadsheets. The approach to responsible computing can best be characterised as 'internalised control'. This book equips users with the skills they need to check and control their own work.

It covers these skills:


3) Spreadsheet Auditing Training Course

The intended audience is anyone who builds or reviews spreadsheet models, such as managers, accountants, actuaries, financial modellers, or IT analysts in enterprise SOX IT audits. You need to have an intermediate or advanced knowledge of Excel. You should leave the seminar with the confidence to use the tools and methods shown to risk-assess and test spreadsheets in your organisation.

Where to start and what are the most efficient techniques to use
How you can cut down a huge system of spreadsheets to a manageable audit task
The symptoms that indicate potential or actual problems
How a company can create an inventory of its critical spreadsheets, assess them for risk, and prioritize scarce resources
How the top spreadsheet auditing software tools compare, including little-used secrets of Excel's auditing features
Includes a copy of "Spreadsheet Check and Control", with 47 professional checking techniques
Reinforce your learning with an optional two hours of hands-on practice using your preferred auditing tool on your laptop
Demonstration versions of auditing software made available on request

The detailed course syllabus and enquiry form is at



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

4) Off Topic 

PrimeSurprises create personalised prime numbers to suit every occasion. Using personal information such as birthdays (e.g. 10121975, 11061963), wedding dates, years of marriage, years of service, lucky numbers, telephone numbers or other numeric information, Grenville Croll creates a very large prime number (at least 500 digits) to celebrate your special occasion.

Eusprig used this service to present our guest speaker, Ray Panko, with his very own prime number after his after-dinner speech at Eusprig 2005.


Copyright 2005 Systems Modelling Limited. Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website