PraxIS May 2007

07-05 Contents: Risk awareness, Fraudsters, SOX, AACS, Statistics, Digital archive, Excel Wish List, service stories

ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0705.htm   [Previous] [Index] [Next]

_______________________________________________________

Welcome to PraxIS

Initial feedback on ScanXLS 3 has been good, with enhancement suggestions for the next version coming in.

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk & Security

Raising awareness of Information Risk

http://csrc.nist.gov/publications/nistpubs/index.html  U.S. National Institute of Technology (NIST) documents include:

800-50 Building an Information Technology Security Awareness and Training Program.

800-100 Information Security Handbook: A Guide for Managers

http://www.enisa.europa.eu/pages/ENISA_Working_Group_on_Awareness_Raising.htm  ENISA (European Network and Information Security Agency). Also provides guidance on risk awareness for the more trusting older generation of silver surfers. 

http://pst.libre.lu/m2ssic-metz/2006-2007/02_ar-art.pdf  Pascal Steichen's course about awareness raising at the Metz University. 

____________________________________________________________

Profile of a Fraudster

http://www.kpmg.co.uk/pubs/ProfileofaFraudsterSurvey(web).pdf 

KPMG UK has produced a 38 page report "Profile of a Fraudster" based on 360 cases of detected and investigated fraud, in Europe, South Africa, and the Middle East.

The findings reinforce the notion that the overriding motivations for white-collar crime are greed, opportunity and the pressure to meet budgets and targets. 50% defrauded more than 1 million euro. 89% are insiders and 60% senior management. The highest proportion is in those employed between 3 and 5 years. 91% performed multiple fraudulent transactions; one-third acted more than 50 times. Weak internal controls resulted in 61% being able to defraud for 2 to 5 years.

Recommendations include:

• A comprehensive fraud and misconduct risk assessment
• A well-implemented code of conduct
• An appropriate employee and third party due diligence
• A carefully planned communications and training program
• Hotlines to report possible fraud and misconduct
• Auditing and monitoring plans based on the organization’s fraud risk assessment process
• Proactive forensic data analysis tools
• A disciplinary system detailing enforcement and accountability protocols is key to effectively deterring fraud and misconduct and signalling that managing fraud and misconduct risk is considered a top priority.

____________________________________________________________

Oxley Unhappy with SOX

http://www.accountingweb.com/cgi-bin/item.cgi?id=103406  Oxley Blames PCAOB

AccountingWEB.com - Apr-17-2007 - Former Congressman Michael Oxley is unhappy with implementation of the corporate reform legislation that bears his name. In an interview with CFO.com, he was asked, “Are you happy with the way Sarbanes-Oxley has been implemented?” His answer: “Not really. The law has gotten a lot of criticism.” He noted that the vast majority of the complaints center on Section 404, which requires an audit of internal controls over financial reporting.

“It was Auditing Standard No. 2, promulgated by the PCAOB (Public Company Accounting Oversight Board), that started all the problems,” he said. “It was two paragraphs long, but by the time the PCAOB was done, it was 330 pages of regulations. It was far too prescriptive and [more] expensive than anyone anticipated. So, [the PCAOB] and the Securities and Exchange Commission proposed a risk-based assessment to better define material weakness, with more emphasis on internal audit. It adds flexibility with smaller companies.”

____________________________________________________________

Hidden in plain sight

Advanced Access Content System Licensing Administrator, LLC (“AACS LA”)  issued a Digital Millennium Copyright Act (DMCA) take down notice against several bloggers about the hacked Digital Rights Management (DRM) on HD-DVD and Blu-ray players.

http://www.chillingeffects.org/notice.cgi?sID=3218  Chilling Effect take down notice

In order to bypass the DRM you need a process key. The AACS claims that anyone publishing the process key may be violating US laws against circumvention of copy protection. However, the key is effectively published in the second URL mentioned!

AACS "has taken action, in cooperation with relevant manufacturers, to expire the encryption keys associated with the specific implementations of AACS-enabled software." So consumers have to update their software such as WinDVD online.

____________________________________________________________
____________________________________________________________   

2) What does the data say?

I've mentioned Chance News before, where real life examples are discussed for statistics education. The current edition is at

http://chance.dartmouth.edu/chancewiki/index.php/Chance_News_26

This month Laurie Snell mentions some other stat bloggers:

http://blogs.wsj.com/numbersguy/ The Numbers Guy: WSJ's Carl Bialik examines the way numbers are used, and abused.

• In a long-running housing discrimination case in Yonkers, N.Y Judge Sand drew up a fines system meant to bring quick action. In August 1988, he ordered the city to pay a paltry $100. The catch: The fine would have to be paid every day, and the amount due would double every day, until the city took steps to end public-housing segregation.
• Saving the Planet, One Square of Toilet Paper at a Time
• How One Author Tried to Boost His Amazon.com Ranking

http://www.stat.columbia.edu/~gelman/blog/ Statistical Modeling, Causal Inference, and Social Science discuss:

• racial discrimination among NBA referees - black refs call more fouls on white players and vice-versa;
• the negative correlation between the rates of institutionalization and homicide - when more people have been in mental hospitals, there have been fewer homicides, and vice-versa;
• baby-faced politicians lose; inferences of competence based solely on facial appearance predicted the outcomes of U.S. congressional elections better than chance;
• the myth of the rational voter;
• “nobody knows anything,” as the screenwriter William Goldman once said about Hollywood. But why?

____________________________________________________________
____________________________________________________________

3) Digital Media Archive in Ireland

Irish Computing History: the Digital Media Archive

The Irish Computer Society is assisting the first project that aims to collect and preserve software and online services that were developed in Ireland. It involves identifying material that has survived from previous decades, selecting samples of historical significance and converting them into a common format where they can be stored and demonstrated for many more years. This project will start the process of creating a national archive of digital content with a special emphasis on applications software from Irish companies.

In the initial phase, it is planned to record the existence and location of software developed before 1990, most likely for minicomputers or early PCs. If you possess old disks or tapes that contain such material, please contact the project co-ordinator, John Sterne, at john <at> newsmail <dot> ie with the following information:

1. Name and version of the product or service.
2. Platform for which it was developed.
3. Media type and format on which it is now held.
4. Contact details for the individual or company that has this material.

____________________________________________________________
____________________________________________________________

4) Spreadsheets

MS Excel Quality Wish List

What improvements in data integrity and security do you think should be included in the next version, Excel 13/14?

David Gainer has asked for examples of slow Pivot Tables to help MS make performance improvements:

http://blogs.msdn.com/excel/archive/2007/04/23/help-us-make-excel-pivottables-faster.aspx

Here is a starting list, with pros and cons:

1. Be able to find consumers of spreadsheet data

Excel can show you the inwards links in a workbook from other workbooks. It would be very useful if you could see outwards, what other spreadsheets link to this one. That's one reason why I wrote ScanXLS, see below. But it's very hard to extend this beyond the obvious use of direct workbook links. All a server can do is provide blocks of data from a file, all the interpretation in terms of cells etc is done by the client application. The server has no way of knowing whether the consumer of the data is another workbook, a SQL Data Query, a file read by some other application such as OpenOffice, or indeed any other application whatever that can interpret the Excel file structure. Do you have any need for this kind of analysis?

2. Track changes to spreadsheets

Of course, the best way to begin is to use worksheet protection to prevent all changes other than allowed ones. Excel has change tracking but stores all changes in the workbook itself which causes file bloat and adds a risk that recipients can see previous data.

There are now many utilities to compare workbooks before and after changes. ScanXLS compares formulas, values, and VBA code. The main problem with these is that the comparison is between the files at two points in time and many other changes might have been made before, between, and since. Another problem is that changes in the structure throw out the row & column alignment, making synchronisation difficult, hence the need for tools like Synkronizer. If we could access the tree structure of the dependency chain which is preserved even if positions are changed, we could reduce irrelevant differences. Other tools log every change as it happens, and use that as a compliance audit trail to be able to allocate blame for changes to the appropriate user. The problem is that usually too many changes happen to be easily auditable, so rules have to be set to decide what are significant events in the huge log files.

Code differences are easy to find with a diff utility, but again the problem is the point-in-time observation. Does any tool track changes to Forms and other objects?

What limitations do you find with present change recording and reporting tools?

3. Technical improvements

However, it would be a problem for the cottage Excel aftermarket if the need for their must-have utilities was eliminated.

A better Name Manager like that by Jan Karel Pieterse available from DecisionModels.com or the facilities in SpreadsheetDetective.com would allow users to rename ranges, or redefine names.

FindLink.xla by Bill Manville is still useful to find hidden and dead links in workbooks.

Rob Bovey has a VBA code cleaner and code documenter, which features are also available in MZTools.

We can use a formula to conditionally format cells to highlight values or attributes of interest, but not select them. So I'd like a Select Cells by Value in the Go To Special dialog. This is available in John Walkenbach's Power Utility Pack (PUP))

If MS drop old functionality like the XLM sheets I would like the features to be preserved and made visible as functions. For example, the GET.CELL macro is still needed for some tricks.

What would you like?

____________________________________________________________

On Error GoTo @##^! - sample chapter for VBA developers

http://www.charteris.com/publications/white_papers/downloads/OnErrorGoto1.pdf by Peter J. Morris

The Mandelbrot Set provide this 58 page sample chapter on error handling from their book "Advanced Visual Basic 6", MS Press, 2000. It is also applicable to error handling in VBA.

____________________________________________________________

Spreadsheet Audit Training Course, Dublin 22 May

My next public one-day training course will be run on Tue May 22 in the training PC room of the Irish Computer Society. Mount St. Crescent, Dublin 2, Ireland. It covers risk analysis, auditing, and good practices to detect and prevent errors

http://www.sysmod.com/spreadsheet_auditing.htm

Spreadsheet Check and Control: the book on spreadsheet testing for every user

http://www.sysmod.com/az.php?a=190540400X&b=Spreadsheet+Check+Control Available worldwide from Amazon.

http://sysmod.buy.ie/catalog/product_info.php?products_id=188  Our offer - free shipping to EU .

List your large directories of spreadsheets and summarise their quality

http://www.sysmod.com/scanxls.htm ScanXLS 3.0 overview of spreadsheet properties

ScanXLS3 works in Excel 2000 to 2007 and can process the much larger files in Excel 2007 (version 12), 16384 columns by 1048576 rows. It lists all XL* files in directories and reports many types of error and unusual properties. It allows you to specify as many properties and search terms as you wish. It optionally reports a detailed list of cell addresses with errors.

________________________________________________________
_______________________________________________________

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

Two Customer Service stories

An unhappy customer tells ten people, it is said. But recovering from a customer problem can help reinforce a better impression. Here are two contrasting examples.

(1) At a hotel we stayed in recently, there was a disagreement about a charge on the bill that we believed we were not liable for. We were in a hurry to go to catch a train, so we were under pressure to get this sorted out quickly. The desk clerk called the supervisor, who explained to the clerk that a particular code meant that indeed we did not have to pay. That was fine, but my wife was not happy that the supervisor did not apologise for the misunderstanding. The problem was solved, but the customer left feeling upset.

(2) I recently bought a Dell laptop. In selecting the MS Office 2007 bundle, I didn't need the complete suites on offer including Access, Publisher, Frontpage, etc. So I looked at the combinations available, 'Basic', 'Standard', 'Home', 'Small Business', or 'Professional'. I checked the link given to the MS product comparison web page, and settled on a package labelled Home & Student (H&S). It had only Word & Excel & Powerpoint and something called OneNote.  From the other descriptions given, I read that as simply a convenient name to encapsulate the picture of a typical user, with no other implications. Therefore when I installed it I was surprised to see 'non-commercial use' appearing in the title bar. This restriction was not stated in the Dell web page, nor on the MS page. So I phoned Dell support. I was expecting to have to pay an extra 100 euro to upgrade to Small Business Edition (SBE), not that I wanted the extras, but just to avoid the restrictive MS licensing terms. The first support person said that I could use H&S for business; I didn't believe that and asked for it in writing. He agreed to do so, confirmation did not arrive, so when I got an email for a satisfaction survey, I gave them a low rating. Note that Dell DID at least ask; some other vendors just take the money and go quiet. The next support person offered to send me a complimentary SBE, which I gladly accepted. But when it arrived it was SBE 2003, another unstated limitation. That annoyed me so I complained again. The rep said "We have to make a complete return and you need to order a new computer" so I replied  "Yes, I'll get a full refund and buy from a supplier who does not make customers jump through hoops to get what they want". He then sent me SBE 2007. I was satisfied with that so when I got a call the same day offering me 3 years onsite service for 96 euro (ex VAT) I took it; it's very unlikely it'll need a service, but I saw it as effectively the same price as the upgrade I had been willing to pay. So Dell got the money for the upgrade without having to ask for it! The problem was solved, and I got what I wanted. It did take more exchanges than I would have wished, but at least Dell did keep the conversation going.

_______________________________________________________
_______________________________________________________

Copyright (c) Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I moderate posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS//
_______________________________________________________