Spreadsheet Management

No matter the popularity of spreadsheets, they, when used improperly or incorrectly, or without sufficient control, pose a greater threat to your business than almost anything you can imagine

Philip Howard

Contents

Chapter 1 – Executive Summary
Chapter 2 – Spreadsheet problems
Chapter 3 – Thinking about Spreadsheet Management
Chapter 4 – Spreadsheet Management Approaches
Chapter 5 – Product Evaluations
    Actuate e.Spreadsheet
    CIMCON Spreadsheet Compliance Solutions
    ClusterSeven Enterprise Spreadsheet Management
    Compassoft
    Lyquidity ComplyXL
    Mobius ABS for Spreadsheet Compliance
    Operis Analysis Kit (OAK)
    Prodiance Spreadsheet Compliance
    Qtier-Rapor
    Risk Integrated Enterprise Spreadsheet Platform
    ROISoft ExSafe
    Sheetware XLSpell
    SmartDB eXpresso
    Spreadsheet Advantage
    Spreadsheet Detective
    Spreadsheet Professional
Chapter 6 – Vendor and product comparisons
    Auditor’s Tools
    Control & Compliance Tools
    Automation Tools
    Conclusion
Bloor Research overview
About the author
Copyright & disclaimer

Chapter 1 – Executive Summary

Introduction

Spreadsheets represent one of the most popular applications on the planet. This is because they are the reporting and analysis tool of choice for many professionals and because they support collaboration and information sharing. Moreover, this is not going to change, not just in terms of existing business people but, as our children are being taught how to use spreadsheets in school, this popularity is likely to continue for many years to come: spreadsheets are ubiquitous and will remain so.

However, no matter the popularity of spreadsheets, they also, used improperly or incorrectly, or without sufficient control, pose a greater threat to your business than almost anything you can imagine. They can give rise to compliance issues because changes to data are not audited. They can also be used to aid and abet fraud, because security is not applied (typically) to conventional spreadsheets and, again, because there is no control over the ability to change data values (and bearing in mind that most fraud is carried out by authorised personnel). Further, it is easy to make mistakes in spreadsheets (for example, by entering an incorrect formula) that can mislead decision makers, the results of which can be very expensive.
HM Customs & Excise in its “Methodology for the Audit of Spreadsheet Models” says that “the complexity and functionality of spreadsheets has reached levels of sophistication that few could have imagined… the consequent threat posed to businesses by such powerful ‘end user’ applications, mainly in the hands of untrained users, is immense”.

A major cause of these problems is that spreadsheets are not treated as an enterprise resource. For example, although there are (limited) security and auditing facilities in Microsoft Excel, these are not usually enforced. Indeed, because many users are self-taught they will not be aware that such facilities even exist. In the main, this is because spreadsheets are not perceived to be an IT resource but are seen to lie within the business domain. As a result, corporate security standards are not implemented for spreadsheets. On the other hand, the business is not aware of the potential dangers that the uncontrolled use of spreadsheets can cause.

A major focus of this report is therefore to make business users aware of these dangers so that they can push the task of managing spreadsheets into the hands of the IT department. In particular, it discusses the need for spreadsheet management, precisely in order to prevent, or at least minimise, the issues just mentioned.

Having established the need for spreadsheet management solutions, this report goes on to discuss the various types of solution that are available, which range from complete control (that is, you absolutely prevent people from doing what you don’t want them to) to complete monitoring with no control (that is, you monitor all changes but do not actively prevent any of them—rather like closed circuit TV). In addition, there are tools that are specifically designed to help you find errors within spreadsheets.
We will discuss the relative merits of these different approaches and when each of these might be most suitable (which will depend upon how spreadsheets are used and for what purpose). Further, we will compare and evaluate the various products that exist within each of these sectors.

When we first published our white paper ‘Managing Spreadsheets’ in 2005 the solutions available on the market were few and far between and most of them were immature. While new products continue to emerge there is now a core set of well-established vendors with significant user bases. This is why we now feel that the time has come to look in detail at the products serving the enterprise spreadsheet management market. Moreover, Ventana Research has conducted research within this area and estimates that while the total market for enterprise spreadsheet management tools was $15m in 2006 it expects this to grow to some $500m within five years. The time has therefore arrived to look at the vendors in this market in some detail.

In addition, it is worth bearing in mind that spreadsheets take an inordinately long time to produce. This is typically caused by the varying skill sets of the spreadsheet users but even the expert spreadsheet craftsman tends to spend too much time in tedious and repetitive tasks such as formula copying, formatting, workbook assembly, and distribution. From a business perspective, therefore, it would be useful if spreadsheet management solutions were to be able to provide automated facilities that could alleviate this repetition—with all the productivity gains that that implies. As it happens, there are a couple of vendors that offer automation for the development of spreadsheet applications (such as consolidation, sales reporting or budgeting and planning) as well as tool vendors within the conventional management category that provide facilities to speed up the development of spreadsheets. We will also consider the capabilities provided by all of these suppliers.
Finally, one point that we must make is that there is an inevitable congruity between the concept of spreadsheets on the one hand and Microsoft Excel on the other. Excel is, after all, the epitome of a spreadsheet application, and it is by far the most widely used. In general, where Excel is referred to in this paper it can be taken as a synonym for spreadsheet unless specifically stated otherwise. We will, however, discuss (briefly) the uses of spreadsheets from other vendors.

Chapter 2 – Spreadsheet problems

There are five major problems with spreadsheets: the potential for errors, lack of security, the absence of an audit trail, the misperception that spreadsheets are not an enterprise resource, and productivity issues. We will consider each of these in turn before considering some other management issues related to spreadsheets.

Error potential

The following paragraph is excerpted from a PriceWaterhouseCoopers (PwC) report published on the use of spreadsheets and the Sarbanes-Oxley Act, in July 2004:

“An article in the May 24, 2004 issue of Computer World indicated that, “Anecdotal evidence suggests that 20% to 40% of spreadsheets have errors, but recent audits of 54 spreadsheets found that 49 (or 91%) had errors, according to research by Raymond R. Panko, a professor at the University of Hawaii.” The Journal of Property Management on July 1, 2002 stated, “30 to 90 percent of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100 percent.” Perform an online search for spreadsheet errors or spreadsheet audit, and you will find a number of major failures attributed to spreadsheet inaccuracies that hit the press in the past year alone.”

This is not the first time that PwC has reported on the errors inherent in spreadsheets.
In earlier work, the company reported that, in a survey of large client spreadsheets, it found that 90 per cent contained significant errors. More recently, KPMG Consulting reported that 95% of the financial models that it reviews contain material errors. Note in particular the statement that: “in spreadsheets with more than 200 line items the probability of error approaches 100 per cent”.

Of course spreadsheet errors may be more or less important, depending on the spreadsheet in which they appear and the purpose for which the spreadsheet has been created. However, research has been carried out to establish the impact of errors in spreadsheets on decision making. According to a 1996 report, the cost of these mistakes is within the range of $10,000 to $100,000 per decision per month.

The European Spreadsheet Risks Interest Group (EuSpRiG) runs a web site (www.eusprig.org/stories.htm) on which it lists the results of various spreadsheet errors. The following are just four of these (though in the last case this was not an error but fraud):

A. January 29, 2005: Mistakes happen during budget planning: “Gov. John Lynch’s budget team … has to find another $70 million to make its budget balance. Figures that the Health and Human Services Department provided to budget writers in the fall contained an error that double-counted more than $17 million of Medicaid money in each of the next two years. A detailed spreadsheet that HHS gave Ways and Means Tuesday morning showed that $35 million in a specific category of hospital reimbursements would come in over the next two years. A second sheet HHS produced Tuesday afternoon showed no money in the category, reflecting the fact the funds can only be used one way—at the state hospital.”

B. June 17, 2005: Natural gas consumers sue Dominion Transmission over clerical error—A Federal Energy Regulatory Commission investigation found that the subsidiary of Richmond, Va.-based Dominion Resources Inc.
submitted the wrong week’s gas storage figures in November, leading to an artificial inflation of natural gas prices. The lawsuit estimates that consumer prices were hiked by between $200 million and $1 billion. “The investigation concluded that it was not deliberate, but when I hear the words clerical error, I think of negligence,” plaintiff’s attorney W. Coleman Allen Jr., of Richmond, Va., said Friday. “Consumers were harmed the same as if it was intentional.” One explanation for the error was that the company had used the same computer file name for each week’s storage balance spreadsheet report, making it easy for the wrong one to be sent.

C. September 12, 2003: ORLANDO Sentinel—Assistant County Manager Cindy Hall, in a memo to commissioners on Thursday, wrote that the April 22 study by Henderson Young & Co. duplicated the cost of building a new elementary school. The extra $12 million cost was corrected on a spreadsheet in the study, but it wasn’t later adjusted on the total cost of school projects for the next five years. Jim Drake, director of finance for Lake County Public Schools, said: “It was basically a simple spreadsheet error. But obviously it’s going to have an impact on building new facilities.” County Commissioner Jennifer Hill said the consultant was given the final numbers for its study from the School Board only a few months before the study’s completion, “It was rush, rush, rush,” she said. Hill called the mistake “a simple mathematical error”.

D. 2001: The role of spreadsheets in the AIB/Allfirst currency trading fraud—Allfirst “Would not pay the US$ 10,000 for a direct data feed from Reuters to the risk control section”. Instead, they got Rusnak to download his Reuters feed into a spreadsheet. He then substituted links to his private manipulated spreadsheet. The total losses hidden by the fraud were almost US$700M. Rusnak exaggerated bonuses by over half a million dollars.
There are four types of potential errors in spreadsheets:

1. Errors in the data—these can occur through:

   a. Incorrect data entry—keyboard entry of data is to be avoided if at all possible. There are well-established error rates for keying errors, which are inevitable if data is to be entered manually.

   b. Incorrect specification—for example, you want data in a particular cell to reflect a database field called “cust1” but have inadvertently entered “cust2”. Similarly, if working with a front-end environment that supports Excel, you might have selected the wrong option from a dropdown list of relevant data sources. Of course, this is similar to incorrect data entry but it cannot be entirely eliminated.

   c. Incorrect definition—similar to incorrect specification. This occurs when you specify the wrong format for a field. For example, you define it as text when it should be a currency field.

   d. Incorrect placement—this differs from incorrect specification in that the data you have defined is correct, but you have put it in the wrong place, as opposed to the wrong data in the right place. Note that incorrect placement is not limited to single instances. You may reuse a particular value in multiple places within a spreadsheet or across spreadsheets, and the data may be in the right place in some instances and wrong in others.

   e. Incorrect access—in spreadsheet reporting applications (as opposed to things like budgeting applications) it is often the case that data is loaded into the spreadsheet in some sort of automated way, either via an import from a CSV (comma separated value) file, or more directly from a query environment. In these cases there is the potential to address the wrong data source, or to perform an invalid transformation as the data is loaded into the spreadsheet.
   This problem can be exacerbated if timeliness is a major consideration, with lack of real-time access to data in spreadsheets driving users to deploy ad hoc query tools that exist outside of the spreadsheet environment.

2. Formulaic errors—that is, where a formula is incorrectly expressed. For example, you might have “x” instead of “+”, with appropriately disproportionate results, or you might have added (or multiplied) the wrong columns. In the case of formulae there are basically three types of error: formulae that have been incorrectly worked out in the first place, formulae that are inaccurate because of keying errors, and problems with cloned formulae. In the last case, for example, it is all too easy to clone a formula designed to sum 10 cells and put it at the bottom of a column with 15 cells. Some, but by no means all, errors may be detected by the spreadsheet software. Microsoft Excel, for example, will display (if appropriately set up) a small green triangle with a pop-up comment if it suspects a formulaic error. However, not only does this miss some errors, it may also think that some correct formulae are incorrect. Finally, note that formulae may suffer from the same problems as data: for example, right formula, wrong place.

3. Macro errors—many spreadsheet users do not use macros, but for those that do this represents another major potential source of errors. Macros are, in effect, mini-programs and we all know how bug-ridden and error prone programs can be. While there is less scope for errors in macros, it remains a possibility that must be catered for.

4. Template errors—a template error relates to the misapplication of a template. It is common to use a template for recurring uses of the same spreadsheet, for example: uses that occur on a regular monthly basis. In such instances it is common to reuse the same base template and simply make relevant amendments for the month in question.
However, this reuse is purely manual and is therefore an inherent risk. This is exactly what happened to Dominion Resources (example C), when the company applied the wrong month’s template, which resulted in it under-representing gas reserves, leading in turn to artificially inflated consumer prices.

There are of course a variety of other mistakes that you can make when using a spreadsheet. You can position columns incorrectly, it is possible to use inappropriate graphical methods for particular data sets, and so on, but these are mistakes rather than errors. What is important about errors is that they give you misleading information that can lead to poor decision making, which in turn costs money: often lots of it.

Security

There is not a lot to discuss about spreadsheet security because there isn’t any. Actually, that isn’t quite true: Microsoft Excel does, in fact, have a password facility though it is honoured more in the breach than the observance. This is also true of the ability to lock cells: although it is in the product it is seldom used or used rigorously. In practice, in most cases, anyone can open up a spreadsheet, change the data to their heart’s content and amend formulae. Anyone of malicious intent can deliberately induce errors in spreadsheets either because they have a grudge against the company or in order to support any fraudulent activity that they may be indulging in, or simply to gild the lily with respect to their own performance.

To take a simple example, you cannot go into your company’s General Ledger and gaily change the figures therein: the software and its security will not let you do that. However, you can extract the data from the General Ledger into Excel and then you can change that data as much as you like. We cannot believe that such a laissez faire attitude to corporate data makes sense.
The other big problem with spreadsheet security is that there is little or no user-level access control (though this is improved in Excel 2007). At present, even if you are one of the rare few that use passwords, once data is in a spreadsheet you can see all the data that is in it: you cannot then limit who sees what information within a given spreadsheet. This would not be acceptable almost anywhere else within your business. For example, you may let a manager see details of his department’s total salary expenditure but you wouldn’t let him or her see the salary information for each individual employee, but that is exactly what you can do using spreadsheets. You can, of course, hide data but then it is hidden from everybody (an invitation to fraud if ever there was one) but that doesn’t get you any further forward since what you need to be able to do is to allow visibility into what individuals are allowed to, or need to see, but not what they are not permitted to see. In other words, what is needed is full role-based security so that people can only see what they have the right to see.

Moreover, and to briefly return to the issue of fraud, in many ways Excel actually helps the potential fraudster. For example, you can hide data by using a white font on a white background and you can hide data by putting it behind a graphic. You can also hide whole spreadsheets programmatically (these are known as ‘very hidden’ worksheets) as well as conventionally through the product.

Crashes

A further security issue occurs when Excel crashes. The software will automatically attempt to recover any documents that you are working on and it will create temp files for this purpose. Unfortunately, all the security procedures that apply to normal Excel files do not apply to temp files, which can be read by anybody. An additional security requirement, therefore, is to provide a mechanism to make this impossible.
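
A review check for two of the hiding techniques described under Security above (hidden or ‘very hidden’ worksheets, and white-font cells), added here as an example and not taken from the report or from any product it evaluates. It reads the XML parts of an .xlsx file directly; the sample workbook, its sheet names and the function names are constructed for illustration, and data hidden behind a graphic is not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files use a hardened parser such as defusedxml

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
R_ID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"


def white_font_styles(z):
    """Return the cell-style indexes (cellXfs) whose font colour is explicit white."""
    if "xl/styles.xml" not in z.namelist():
        return set()
    root = ET.fromstring(z.read("xl/styles.xml"))
    fonts, xfs = root.find(M + "fonts"), root.find(M + "cellXfs")
    white_fonts = set()
    for i, font in enumerate(fonts if fonts is not None else []):
        color = font.find(M + "color")
        # Matches ARGB "FFFFFFFF"; theme-based colours are not resolved (limitation).
        if color is not None and color.get("rgb", "").upper().endswith("FFFFFF"):
            white_fonts.add(i)
    return {i for i, xf in enumerate(xfs if xfs is not None else [])
            if int(xf.get("fontId", "0")) in white_fonts}


def audit_workbook(data):
    """Return (sheet, cell, reason) findings for hidden sheets and white-font cells."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = {r.get("Id"): r.get("Target")
                for r in ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(REL)}
        white = white_font_styles(z)
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(M + "sheet"):
            name, state = sheet.get("name"), sheet.get("state", "visible")
            if state != "visible":  # "hidden" (via the UI) or "veryHidden" (programmatic)
                findings.append((name, None, state + " sheet"))
            target = rels[sheet.get(R_ID)]
            path = target.lstrip("/") if target.startswith("/") else "xl/" + target
            for c in ET.fromstring(z.read(path)).iter(M + "c"):
                has_content = c.find(M + "v") is not None or c.find(M + "f") is not None
                if has_content and int(c.get("s", "0")) in white:
                    findings.append((name, c.get("r"), "white font on cell with content"))
    return findings


def build_sample():
    """Constructed sample: only the parts this check reads, not a complete .xlsx."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    rns = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    parts = {
        "xl/workbook.xml":
            f'<workbook {ns} {rns}><sheets>'
            '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
            '<sheet name="Adjustments" sheetId="2" state="veryHidden" r:id="rId2"/>'
            '</sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/>'
            '</Relationships>',
        "xl/styles.xml":
            f'<styleSheet {ns}><fonts><font><color rgb="FF000000"/></font>'
            '<font><color rgb="FFFFFFFF"/></font></fonts>'
            '<cellXfs><xf fontId="0"/><xf fontId="1"/></cellXfs></styleSheet>',
        "xl/worksheets/sheet1.xml":
            f'<worksheet {ns}><sheetData><row r="1"><c r="A1"><v>100</v></c>'
            '<c r="B1" s="1"><v>-40</v></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml":
            f'<worksheet {ns}><sheetData><row r="1"><c r="A1"><v>-40</v></c></row>'
            '</sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_workbook(build_sample()):
        print(finding)
```

A white font is only suspicious against a white fill, so findings from this check are leads for a reviewer rather than proof of concealment.
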
Auditing

The third major issue with spreadsheets is with respect to auditing. However, like security, there is not much to discuss because again, while there is some capability, it is rarely used. In practice, you can log changes to a spreadsheet into a separate worksheet but this only applies on an individual spreadsheet basis rather than across the whole spreadsheet environment. More generally, in Excel 2007, version control is applied through Microsoft SharePoint but this only provides version control and auditing at the document level: it does not record changes to the spreadsheet at the cell level.

In other words, in most instances, not only can you not prevent someone from changing the data in a spreadsheet, for whatever purpose, but you also have no way of knowing who changed the data, when he or she changed it, or what the change consisted of. Further, you cannot tell if anyone has attempted to make unauthorised changes. In a way, this is much more serious than a lack of security (though the two go hand-in-hand in encouraging fraud) because it undermines any compliance or governance regulations that may be in place. As a general statement it would be fair to say that:

Any company that is subject to Sarbanes-Oxley, IAS/IFRS or similar regulation, which uses spreadsheets for any purpose beyond very limited reporting, and does not use spreadsheet management, will be unable to comply with the strictures of those laws.

This is a pretty strong statement. But Sarbanes-Oxley requires companies to be able to justify what has happened to the data it presents in its corporate accounts and how it got there. If a spreadsheet is involved at any point in that process then, unless appropriate controls are in place (spreadsheet management), you will have a breakdown in the data chain where you cannot certify what has happened to the data.
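
What a cell-level audit trail records, as opposed to the document-level versioning described above, shown as an added example that is not from the report or any vendor's product. It goes one step beyond the text by hash-chaining the entries so that later edits to the trail itself are detectable; the cell snapshots, user name and timestamp are constructed, and snapshots are assumed to be maps from "Sheet!Cell" to the cell's value or formula text.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry in a trail


def diff_cells(old, new):
    """Yield (cell, before, after) for every added, removed or altered cell."""
    for cell in sorted(old.keys() | new.keys()):
        if old.get(cell) != new.get(cell):
            yield cell, old.get(cell), new.get(cell)


def _digest(entry):
    """SHA-256 over every field of the entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_changes(log, old, new, user, timestamp):
    """Append one who/when/what entry per changed cell, chained to the previous entry."""
    for cell, before, after in diff_cells(old, new):
        entry = {
            "user": user,
            "time": timestamp,  # assumed to be the time of the change, supplied by the caller
            "cell": cell,
            "before": before,
            "after": after,
            "prev": log[-1]["hash"] if log else GENESIS,
        }
        entry["hash"] = _digest(entry)
        log.append(entry)
    return log


def verify(log):
    """Return the index of the first altered or re-ordered entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None  # truncation is only detectable if the latest hash is also stored elsewhere


# Constructed snapshots of one worksheet before and after an edit.
V1 = {"Ledger!B2": 1200, "Ledger!B3": 800, "Ledger!B4": "=SUM(B2:B3)"}
V2 = {"Ledger!B2": 1200, "Ledger!B3": 950, "Ledger!B4": "=SUM(B2:B3)+500"}

if __name__ == "__main__":
    trail = append_changes([], V1, V2, user="alice", timestamp="2007-03-01T09:15:00Z")
    for e in trail:
        print(e["time"], e["user"], e["cell"], e["before"], "->", e["after"])
    print("first bad entry:", verify(trail))
```
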
Note that it is by no means impossible to use spreadsheets within a compliant environment—but it requires management. Microsoft, for example, makes extensive use of Excel spreadsheets in its own internal compliance procedures. However, the key point is that Microsoft does use the management facilities in Excel and they are surrounded by appropriate additional procedures.

In fact, the issue is even worse than this. Spreadsheets are often passed from one user to another and the latter may well use the information in the original spreadsheet as a data source for spreadsheets of his or her own. Again, there is no way to track that this has happened. You can, in fact, prevent it from happening (you can lock the spreadsheet so that it cannot be forwarded, edited or even printed) by using Information Rights Management software, but this doesn’t help you to monitor what happens subsequently if you actually want to enable this sort of functionality.

Finally, Excel allows data to be consolidated from a number of sources into a worksheet. By default, it shows results but no formulae, with the consolidation taking place in memory. From an auditing and compliance perspective, this default setting should never be used as the data cannot be tracked and there is a high risk of error.

Audit functionality

Auditors (whether internal or external) want to do a lot more than simply look at an audit trail or even check for errors; they also want to ask questions such as “where does that number come from?” and “what are the relationships that exist between these spreadsheets?” As we shall see later, auditors also want to see best practices used in the development of spreadsheets. Two of the most important of these are:

• Spreadsheets should not include circular references—that is, spreadsheet A should not include a reference to spreadsheet B if spreadsheet B already includes a reference to spreadsheet A.
Ideally, spreadsheets should be organised into hierarchies: circular references make this impossible. Tools to discover circular references that may exist in current spreadsheets will be useful here.

• Segregation of roles—in a managed spreadsheet environment all spreadsheets will be developed, tested and audited prior to deployment but these functions involve various different people whose capabilities should be strictly delineated as is the case with users (who can see or change what). A workflow capability will be particularly useful here, either provided directly within the product or by means of a conventional document management system or via SharePoint 2007.

Note that if you can demonstrate that such practices have been applied, then (external) auditors will need to spend less time auditing corporate spreadsheets, which will save you money on your auditing fees.

Spreadsheets as an enterprise resource

It should be clear that spreadsheets, or at least some of them, are vital to organisational well-being. In particular, those spreadsheets that are used to inform important decision-making processes, are used for financial and other corporate reporting, or are to be used in customer or other third-party presentations, need to be treated just like any other corporate asset. The same applies to any particular spreadsheets that may be subject to regulatory requirements, even if they do not fit within one of these other categories.

In particular, just as you would not implement a new application without testing that it did what it was supposed to do, all corporate (if not personal) spreadsheets should be tested prior to deployment. That is, sets of figures should be run through the spreadsheet to ensure that there are no formulaic, macro, placement, access or specification errors anywhere within the spreadsheet.
In other words, if it is accepted that spreadsheets represent a corporate resource, then all spreadsheets that do anything more than very simple reporting should be subject to a quality control process to ensure accuracy. If, on top of that quality control, you can implement spreadsheet management procedures (especially simplified data access) then you will be going a long way towards eliminating costly mistakes (and fraud) from your spreadsheets.

The people who use spreadsheets are typically line managers on the one hand and business analysts on the other. These are expensive personnel and it is wasteful for them to have to do these routine tasks when such processes could be automated.

The main reasons why spreadsheets are not recognised as being a corporate resource are varied. In the first instance, they are often simply dismissed as not really being a critical asset or as not being suitable for investment (for user training or process assurance). In our view this is clearly a mistake.

The second problem is that spreadsheets are used in different ways and by different people. For example, there are what we might term ‘data collection’ activities such as budgeting, which is driven by the finance department in this particular case, or by other relevant departments for different applications of this sort. Secondly, we have ‘spreadsheet reporting’, which is owned by operational groups. In effect, spreadsheets are treated as siloed applications, each of which is owned by its own clique, none of which relate to the IT department.

This leads in turn to a third problem, which we might characterise by saying that while there is a technology gap in the sense that there is an inadequate environment provided for managing spreadsheets, there is also a cultural gap which means that users do not even employ the security and auditing capabilities that are provided.
The bottom line is that there is a lack of ownership of spreadsheets as a whole, with no-one in the organisation being seen to be responsible for their use within the corporate structure. This needs to change if spreadsheets are going to be properly managed.

Productivity issues

Another major issue is the time taken to manage existing spreadsheets. Even today, when these are not recognised as important enterprise resources, individual users have a considerable management effort involved in managing their own spreadsheets: they may need to discover the location of relevant source data, they may need to extract information from previous versions of a spreadsheet and perform reconciliation procedures, they may need to distribute their spreadsheets to colleagues (which raises the possibility of errors in distribution lists), and they will (we hope) be taking back-ups on a regular basis. All of these functions can and should be automated in so far as they can be.

However, we are aware of organisations where people have simply stopped using spreadsheets and moved to statistical packages (for example) because of the difficulty of managing complex spreadsheets. While there may be other benefits associated with such an approach this would be a costly decision for many companies, and a means whereby spreadsheets can be properly and easily managed would be a preferable approach in many instances.

Collaboration

A further point to bear in mind is that spreadsheets are frequently used for collaborative purposes not merely in environments such as budgeting but also for decision making. In most organisations, when a spreadsheet needs to be distributed to various parties involved in any decision-making process, the relevant documents are distributed via email. This is inherently unsafe (and is therefore a security issue) but there is also no way in which collaborative working on the same spreadsheet is managed or controlled or, indeed, facilitated.
Enterprise management issues

While the issues discussed previously represent the main reasons for implementing a spreadsheet management application, there are potentially a number of other management issues surrounding the use of spreadsheets, which it would be useful to be able to handle. For example, it is often the case that spreadsheets exist within hierarchies and it would be useful if it was possible to easily view and maintain those hierarchies.

Another issue that commonly arises is that spreadsheets are used to extract data automatically from a single source database, but what you actually want is to combine data from various data sources. Management issues around this sort of scenario would be greatly simplified if you could access multiple data sources from a single spreadsheet design, and assemble individualised workbooks that tailor their content to user roles and permissions, as you can with some vendors.

A further complication is that most large organisations have probably thousands, if not tens of thousands, of spreadsheets distributed across the enterprise. Not only are these uncontrolled, they are unknown and not automated. A tool that can discover existing spreadsheets and bring some or all (according to user preference) of these into a single management structure will be especially useful for ongoing administration. Indeed, it is arguable that a product that only supports the management of new spreadsheets and has no facilities for bringing old spreadsheets into the new environment is only doing half the job, if that. In particular, a managed spreadsheet environment should be able to assimilate existing contents, formulae and macros into a new design and automation paradigm in order to evolve the environment smoothly.

Moreover, it is inevitable that much of the functionality embedded in these spreadsheets is duplicated which, in itself, is wasteful.
It would be useful to have comparison capabilities through which you could automatically compare different spreadsheets to ascertain where you have duplications or near duplications. In the latter case, a visual comparison or difference facility would be useful (similar to those provided in application development and change management environments) along with a merge facility.

Finally, you would like to be able to consolidate all of your different spreadsheets into a centralised, IT-run environment. As a part of this process it will make sense to rationalise the spreadsheet environment. This would typically be on hierarchical lines, using the principle of inheritance (that is, lower level spreadsheets inherit the characteristics of higher level ones—ideally, based on versioning). However, as spreadsheets are dynamic objects it will not make sense to instantiate the spreadsheets except as and when requested to do so by an authorised user. Thus, what is required is a system in which the relevant metadata such as spreadsheet formatting, formulae, macros, data locations (including cached data) and so forth are stored as a part of this process. By maintaining this master data on the server, IT could maintain an auditable master object and oversee distribution of spreadsheets generated from this object.

Off-line working

It is commonplace for managers and other business users to want to be able to work on spreadsheets off-line. This presents a number of issues with respect to security, audit and compliance, and manageability.

First, it should be clear that there should be control over who can copy spreadsheets (which doesn’t just apply to off-line working).

Next, for compliance purposes, at least with regards to Sarbanes-Oxley, all changes to a spreadsheet have to be time-stamped, not simply with the time that the spreadsheet was saved but at the actual time that the change was made. How do you do this with respect to offline working? Since it would be impractical to install a new application on every user’s laptop the only solution must be that the relevant software is embedded alongside the spreadsheet at the point at which you copy the spreadsheet.

Finally, you will need some sort of synchronisation capabilities when the off-line spreadsheet comes back online.

Other spreadsheets

Excel 2007

It is important to consider whether the recent introduction of Excel 2007 has resolved any or all of the issues discussed in the previous sections. The answer is that it has resolved some issues though these have typically been addressed through the use of SharePoint 2007 and Excel Services rather than Excel per se. The most notable additional features that these provide are:

• Version control (but at the document rather than cell level).
• You can use Excel Calculation Services to provide centralised control of information so that there is a single version of the truth for Excel 2007 workbooks and you can control who has access to particular workbook data via user permissions.
• You can ensure that Excel workbooks are only rendered within a web browser with View Only permission and, in conjunction with SharePoint, you can ensure that only authenticated users can have access to those workbooks.
• You can control access to selected objects within a workbook (for example, PivotTable components and charts) when the workbook is published to an application server running Excel Calculation Services. Again, View Only permissions may be applied.

Of course, the problem with this is that it assumes that everybody has migrated to Excel 2007 and has also licensed the additional capabilities described.
Given the significant number of users still using Excel 97 it seems unlikely that such a mass migration to Excel 2007 will happen any time soon.

Finally, it is also worth considering whether other spreadsheet products resolve any of the issues identified. There are a number of such options: StarOffice, OpenOffice (broadly the same as StarOffice), Google Spreadsheets, EditGrid and Lotus 1-2-3. The last of these we will not discuss because it has an established user community of its own and represents a significant potential investment, whereas the other products mentioned here do not require such a cost.

Notable features of these other products include support for encryption and, in the case of EditGrid, encrypted traffic as well as encrypted authentication. EditGrid also has substantial shared read and write access control, as does Google, but it also has password protected read and write access, which Google does not. Excel has the latter but not the former. Notably, EditGrid also has range and cell locking, it maintains a cell last update record, provides spreadsheet usage reports, supports templates and has a number of other features not included in other products, whether Excel or otherwise. While it is not the purpose of this report to persuade companies to stop using Excel, if they wanted to do so by replacing it with another (inexpensive) spreadsheet solution then we would recommend taking a close look at EditGrid.

Chapter 3 - Thinking about Spreadsheet Management

Third party vendors relate to Microsoft Excel in a variety of different ways. At the lowest level, suppliers simply provide the facility to export data into a spreadsheet or, a slightly more advanced offering, the ability to print a formatted, static spreadsheet, where data values and formats are saved as an Excel file.
In either case, this is usually done for one of two reasons: either to rectify some deficiency in the vendor’s offering (such as a lack of graphical capability) or simply because customers like to be able to play around with the data in Excel. In either case, while there is some sort of guarantee that the data was accurate when it was initially loaded into the spreadsheet, all bets are off once the data has been exported (including, potentially, the introduction of new errors) and the users begin construction and design. A more sophisticated approach is adopted by some vendors which offer an Excel plug-in. The intention here is to provide direct access to the data sourced from the business intelligence environment and to (possibly) lock-down data values, such that these are dynamically related back to the source and cannot be changed. However, this does not prevent specification or placement errors, nor eliminate errors in either formulae or macros. Moreover, because it does not provide either security or auditing within the spreadsheet environment there is a higher likelihood of misplaced trust in the reuse of these files and therefore increased opportunity for template errors. Moreover, it is always possible to copy the data from the spreadsheet into another one (on a laptop, say), amend the data and then create a new spreadsheet on the main system. Similarly, you can also e-mail a spreadsheet to a colleague and, again, there is no control over what he or she can do with the data. In other words, this sort of solution has only limited value and does not prevent abuse. An alternative adopted by some suppliers is to encapsulate and embrace spreadsheet capabilities into their own environment. This may be based on the fact that they have duplicated the Excel environment within their own system, or they may have licensed Excel and embedded it. 
In either case, the effect is that the spreadsheet is plugged into the vendor’s application as opposed to plugging the application into Excel, as discussed above. The advantage is that the whole environment is as well controlled as any other facility provided by that supplier. In addition, these sorts of products often provide a facility to automatically schedule, manufacture and distribute pure Excel spreadsheets to consumers, which should improve productivity and reduce construction and distribution errors. It also introduces the opportunity to deliver personalised views of the data within the spreadsheet. Further, in rare cases, these spreadsheets can be generated from templates or master spreadsheet designs (sometimes referred to as a spreadsheet blueprint) that manage data queries, workbook layout and assembly, the abstraction of recurring formulae and the inclusion of business macros. The net effect of this sort of approach is that every spreadsheet generated from a blueprint contains only as many errors as the original design, which of course increases the burden for testing and the application of proper design techniques. As we know, however, errors eliminated during design are significantly less costly than those identified later. However, Excel is likely to be much more widely used in any organisation than any business intelligence product. After all, 150 million licensed copies of Microsoft Office exist in the world, and the estimation of unlicensed use could be two or three times that. In other words, the approaches just discussed only address that tiny corner of the spreadsheet problem that is included in the business intelligence provider’s solution and it does not cover anything else. What is needed is a solution that spans all corporate spreadsheet resources and which is not limited to business intelligence environments. There are a number of these, which approach the problem of enterprise spreadsheet management from a variety of directions. 
However, before we discuss these in detail (in the next section) it will be worth considering the major elements of such a solution.

Requirements for a solution

The following table shows the major features that we would like to see vendors provide in spreadsheet management solutions. We have divided these into “must-have” and “advanced” facilities, where the former are essential and the latter would be nice to have.

Must have features

• Role-based security from query to file to spreadsheet elements, all the way down to the cell level
• Encryption
• Locking: at the spreadsheet level, for data down to the cell level, and for objects including formulae and macros
• Full audit trail for all changes, including macros
• Auto-discovery capability for existing spreadsheets
• Management and control of distribution and scheduling
• Spreadsheet hierarchy management
• Support for IT-based testing of formulae and procedures
• Support for segregation of roles
• Where-used capabilities so that you can track the use of data and formulae across spreadsheets
• Template management

Advanced features

• Federated availability for heterogeneous data source access
• Version control: comparison, difference and merge capabilities
• Smart, server-side spreadsheet objects that contain layout definitions and query results that are ready to be personally and dynamically delivered at view time
• Audit trail to include attempted, unauthorised changes
• The ability to enforce notes to be appended explaining spreadsheet changes
• Workflow to support the segregation of roles
• The ability to generate alerts to be sent to relevant parties when a particular change is made
• The ability to recognise that inserting a row, say, is one change, not a change to every cell in the spreadsheet
• Integration with SharePoint 2007 or document management systems providing version control
• Thin client capability so that nothing has to be installed on the user’s desktop
• Off-line and stand-alone working

While most of these requirements should be self-explanatory, or have already been discussed in some detail, it is worth briefly discussing template management. What we mean here is the ability to not merely manage but also to automate the use of templates so that if, for example, you use templates for monthly spreadsheets then the details for each month will be automatically generated for you so that the potential for using the wrong template is eliminated. The underlying templates that are being reused in this way are sometimes referred to as blueprints.

Dealing with errors

There are two approaches to errors: one is to prevent them occurring in production spreadsheets and the other is to detect and correct them when they do occur. In the latter case, there are a variety of applications available for detecting and correcting errors in single spreadsheets. Indeed, Microsoft also provides a (limited) number of facilities within Excel for helping to identify errors, such as the ability to calculate nested formulae one step at a time, to trace relationships between formulae and cells, and to watch a formula and its result in a cell. In other words, there are some features to support the testing of spreadsheets as they are being built, though one would not say that these were equivalent to the sort of testing that would be standard for applications designed and developed by the IT department, for example.

However, as with all software applications it is much more efficient (and less expensive) to prevent errors rather than to attempt to detect them after the event. Indeed, HM Customs and Excise states in its “Methodology for the Audit of Spreadsheet Models” that “detailed testing can be extremely laborious” even when using the software that it supplies for this purpose (SpACE, see www.lexisnexis.co.uk/space)—and remember that you pay for this auditor’s time.

Best Practices Guide for Building Spreadsheets and Preventing Errors

It is worth going into some detail with respect to this HM Customs and Excise report. It suggests that the auditor start by assessing the risk that is associated with each spreadsheet and to concentrate upon the spreadsheets that have the greatest implications for the business. This only makes sense. It then goes on to recommend that the auditor assess the degree of risk associated with each spreadsheet. It is worth reporting what the methodology has to say with respect to this:

• “If the developer does not fully understand the business, there is a high risk of errors in the logic and design of the spreadsheet.”
• “Are the areas for input of raw data segregated from the computational areas?”
• “Is there a separate sheet containing a table of contents and a description of the purpose of the model?”
• “What evidence of testing and other documentation exists?”
• “If testing was thorough, the risk of undetected error is lower. If testing of the initial model and/or subsequent amendments was sketchy or non-existent, the risk of error is much higher.”
• “You must consider the adequacy as well as the mere fact of testing as evidence that the model or application presents a low risk of error.”
• “Has the developer documented the spreadsheet, to make clear: what it’s for; what it does; how it does it; what assumptions were made in its design; what constants are used and where they are held; who developed it; when; when and how it has been changed since being brought into use; the presence and purpose of any macros?”
• “The better the documentation, the less scope there is for error or misunderstanding between the developer and the user.”
• “A good practice in design is to include the documentation as part of the workbook on a separate sheet.”
• “Again, consider the quality as well as the existence of documentation.”

We make no apologies for quoting from this at length as it effectively provides a high-level best practice guide for building spreadsheets and for preventing errors. Moreover, in our view the sort of structured approach that is recommended for developers should be followed even if the developer and user is one and the same person.

The guide goes on to suggest that if the spreadsheet passes these criteria then it should need no more than a routine audit rather than the detailed (and extremely laborious) testing mentioned above. In other words, this planned approach substantially reduces the likelihood of error.

Consider, however, the impact of employing these recommendations within an environment in which spreadsheet design is abstracted, as discussed previously, and not simply held within each spreadsheet. In essence we view the creation of a spreadsheet model or blueprint as the ideal method of applying these principles, due to the fact that every spreadsheet generated from a design blueprint is guaranteed to be as error-free as the original design.
In addition, design abstraction offers other unique capabilities that are not possible when working within Excel, such as multi-sheet workbook definition, multi-dimensional summary table aggregation, formula and macro reuse, and dynamic control over multi-source query results. Obviously, the notion of building and maintaining a single design that serves thousands of spreadsheet consumers is very appealing.

What you should do

There are various types of software solution for the resolution of the various issues we have highlighted. However, before we discuss these (in the next section) it is worth considering what organisations should do, regardless of any potential software supplier. The steps that organisations need to follow include:

• Identify all the spreadsheets in your organisation: who owns them, what they are called and what they are for, how widely they are distributed and used and by whom, what associated documentation is available, and how often they change and by how much, and so on. If you can do this in an automated fashion so much the better.
• Prioritise these according to their importance to the enterprise both in terms of their impact on corporate strategy and their scope for aiding and abetting fraud. Note that, in part, the risks associated with any particular spreadsheet will depend on the size and complexity of that spreadsheet: something that tools can help you to calculate. Complexity can be rated as low, medium or high depending on input sources, the complexity of calculations, dependencies between spreadsheets and workbooks, the use of macros, financial modelling and so forth.
According to PriceWaterhouseCoopers in its “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act” the uses of spreadsheets can be put into three categories, which reflect increasing levels of significance and priority: operational, analytical (or management information) and financial.
• High priority spreadsheets should be individually audited for design correctness, tested, published and generally managed by the IT department. Version control will be an advantage and automated generation from design templates will eliminate many classes of errors (data, formulaic, macro, and template) and provide a strong framework for addressing the other management issues highlighted herein.
• Medium (as well as higher) priority spreadsheets should at least be server-based so that there is some form of central control.
• Where feasible, store Excel data in XML format, so that you can validate fields and enforce integrity through use of an appropriate XML schema. This may not be necessary if you are using a very tightly managed and controlled approach or if your solution not only stores designs but also intelligent spreadsheet master objects on the server.
• The password and auditing facilities supplied within Excel should be used for all sorts of spreadsheets. Control over the use of macros (digital signatures and the use of trusted publishers) should be encouraged. Default settings that make calculations invisible should be turned off. Hiding of data should be discouraged.
• You may wish to treat older versions of spreadsheets differently from current ones. Clearly, there are fewer user obstacles to be overcome when applying security to the former. Versioning of spreadsheets is also something that you may want to explore as well as methods of evolving older spreadsheets into newer, server-controlled ones.
• Publish best practice guides for users (based on the HM Customs & Excise model above)— there are many features of spreadsheet applications that users are simply not aware of. No doubt there are many users that would implement passwords if they knew about them.
• Publish spreadsheet designs including formula definitions, query definitions, worksheet formats and all assumptions that make up the design.
• Consider the implementation of information rights management software so that you can limit the use of published spreadsheets.

This is by no means an exhaustive list (other considerations, which are not specific to spreadsheets, include the application of access control and security, documentation, backups and archiving, analytics on the use of spreadsheets, the development lifecycle and change management) and the implementation of these techniques will not take the place of the management solutions discussed in the next chapter or the need for error detection and correction. However, implementing a policy for spreadsheet management is the first step that you need to take, and the points above represent some of the basic things that you need to consider.

Chapter 4 - Spreadsheet Management Approaches

In the section of this report dealing with spreadsheet problems we highlighted five major areas where there are issues with spreadsheets: errors, security, auditing, productivity and spreadsheets as an enterprise resource. Arguably, there is also a sixth issue, in that it would not hurt to have facilities that speeded up the process of developing spreadsheets. In this section we are going to consider the various types of approaches that vendors have taken to resolving the issues and problems we have highlighted.
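
The "identify" and "prioritise" steps in the "What you should do" list of Chapter 3 can be automated for Excel 2007 files, which are ZIP packages of XML parts: the sketch below inventories a directory tree and rates each workbook from its macros, external links, hidden sheets and formula count. It is an added example, not code from this report or from any product reviewed in it; the scoring weights and thresholds, the function names and the sample workbooks are assumptions constructed for illustration.

```python
import hashlib
import io
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap per XML part (guards against zip bombs)


def _xml_part(pkg, name):
    """Parse one XML part, refusing parts whose declared size is implausible."""
    if pkg.getinfo(name).file_size > MAX_PART_BYTES:
        raise ValueError(f"{name} is larger than the configured limit")
    return ET.fromstring(pkg.read(name))  # for untrusted files use a hardened XML parser


def profile_workbook(data):
    """Collect the complexity indicators named in the text from one OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        sheets = [n for n in names if re.fullmatch(r"xl/worksheets/[^/]+\.xml", n)]
        formulas = sum(len(list(_xml_part(pkg, n).iter(NS + "f"))) for n in sheets)
        hidden = []
        if "xl/workbook.xml" in names:
            workbook = _xml_part(pkg, "xl/workbook.xml")
            hidden = [s.get("name") for s in workbook.iter(NS + "sheet")
                      if s.get("state") in ("hidden", "veryHidden")]
        links = [n for n in names if re.fullmatch(r"xl/externalLinks/[^/]+\.xml", n)]
        return {"sheets": len(sheets), "formulas": formulas,
                "external_links": len(links), "hidden_sheets": hidden,
                "has_macros": "xl/vbaProject.bin" in names}


def rate_complexity(profile):
    """Low / medium / high rating; the weights and thresholds are assumptions."""
    score = 0
    score += 2 if profile["has_macros"] else 0        # use of macros
    score += 2 if profile["external_links"] else 0    # dependencies on other workbooks
    score += 1 if profile["hidden_sheets"] else 0     # hidden data
    score += 1 if profile["formulas"] > 100 else 0    # volume of calculation
    score += 1 if profile["sheets"] > 5 else 0        # size of the workbook
    return "high" if score >= 3 else "medium" if score >= 1 else "low"


def inventory(root):
    """Walk a directory tree and return one record per .xlsx/.xlsm file found."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".xlsx", ".xlsm")):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            record = {"path": path, "bytes": len(data),
                      "modified": os.path.getmtime(path),
                      "sha256": hashlib.sha256(data).hexdigest()}  # equal hashes = exact copies
            try:
                record.update(profile_workbook(data))
                record["rating"] = rate_complexity(record)
            except (zipfile.BadZipFile, ET.ParseError, ValueError):
                record["rating"] = "unreadable"  # not a valid package: review by hand
            records.append(record)
    return sorted(records, key=lambda r: r["path"])


def build_sample(formulas, hidden=False, macros=False, links=0):
    """Constructed, minimal OOXML package for the demo (not a complete workbook)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    rows = "".join(f'<row r="{i}"><c r="A{i}"><f>{f}</f></c></row>'
                   for i, f in enumerate(formulas, 1))
    state = ' state="hidden"' if hidden else ""
    sheet_tag = f'<sheet name="Data" sheetId="1"{state}/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml",
                     f"<workbook {ns}><sheets>{sheet_tag}</sheets></workbook>")
        pkg.writestr("xl/worksheets/sheet1.xml",
                     f"<worksheet {ns}><sheetData>{rows}</sheetData></worksheet>")
        if macros:
            pkg.writestr("xl/vbaProject.bin", b"\x00")
        for i in range(1, links + 1):
            pkg.writestr(f"xl/externalLinks/externalLink{i}.xml", f"<externalLink {ns}/>")
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        samples = {"budget.xlsx": build_sample(["SUM(B1:B9)"]),
                   "forecast.xlsm": build_sample(["B1*2"], macros=True, links=1)}
        for fname, blob in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(blob)
        for rec in inventory(root):
            print(os.path.basename(rec["path"]), rec["rating"], rec["sha256"][:12])
```

Files that cannot be opened as a package are reported as "unreadable" rather than skipped, so they still appear in the inventory for manual review.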

Auditor’s tools

Auditor’s tools are primarily focused on discovering errors and in assisting both internal and external auditors, though some tools also provide some (limited) capabilities for helping with the development of spreadsheets. In so far as their error detection/auditor support functions are concerned, common features of these tools include:

• Spreadsheet comparisons—either between two versions of the same spreadsheet or, in some cases, different spreadsheets. It is preferable to be able to see both spreadsheets side-by-side: a tool that automatically lines up the two spreadsheets (that is, inserting blank rows where one spreadsheet has more rows than the other) will be an additional benefit.
• Formula mapping—the ability to see how formulae have been copied (or not) across cells: this can be used to visually identify where incorrect or missing copies have been made. In our view this is easier to understand if the mapping is displayed on the spreadsheet rather than as a separate function.
• Precedent and dependent mapping—to see relationships and references across spreadsheets. Not all products support both precedents and dependents. Good visualisation will be useful here.
• Detection of formula and other errors such as text in a data field, a sum that is adding up non-numeric fields or range checking.
• Facilities to understand formulae more easily, either by expansion and/or through the use of AutoNames (that is, putting a name in place of a cell reference).
• The ability to answer the question “where did this number come from?”
• Circular reference detection, where spreadsheet A refers to spreadsheet B which in turn references spreadsheet A.

For obvious reasons the more mature products in this area tend to have more of these functions, as well as a variety of reporting and other capabilities (for example, sensitivity analysis is useful), than offerings that have been more recently introduced.
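
The comparison feature listed above, in which the two versions are lined up before cells are compared, is also what allows an audit trail to record an inserted row as one change rather than a change to every cell beneath it (the requirement listed in Chapter 3). The following is an added example, not code from any product reviewed here: it assumes formulae are held in R1C1 notation so that a copied formula reads the same in every row, and the two sample sheets are constructed.

```python
from difflib import SequenceMatcher

# Constructed sample: two versions of one sheet, each row a tuple of cell texts.
# Formulae are in R1C1 notation (assumption), so a copied formula is identical per row.
OLD = [
    ("Account", "Units", "Price", "Amount"),
    ("A-100", "10", "2.50", "=RC[-2]*RC[-1]"),
    ("A-200", "4", "9.00", "=RC[-2]*RC[-1]"),
    ("A-300", "7", "1.20", "=RC[-2]*RC[-1]"),
    ("A-400", "1", "30.00", "=RC[-2]*RC[-1]"),
]
NEW = [
    ("Account", "Units", "Price", "Amount"),
    ("A-100", "10", "2.50", "=RC[-2]*RC[-1]"),
    ("A-150", "3", "5.00", "=RC[-2]*RC[-1]"),   # row inserted
    ("A-200", "4", "9.00", "=RC[-2]*RC[-1]"),
    ("A-300", "7", "1.20", "8.40"),             # formula overwritten by a constant
    ("A-400", "1", "30.00", "=RC[-2]*RC[-1]"),
]


def _cell_changes(i, j, a, b):
    """Compare two rows cell by cell; a change touching a formula is flagged as such."""
    out = []
    for col in range(max(len(a), len(b))):
        x = a[col] if col < len(a) else None
        y = b[col] if col < len(b) else None
        if x != y:
            formula = any(isinstance(v, str) and v.startswith("=") for v in (x, y))
            out.append(("formula_changed" if formula else "value_changed", i, j, col, x, y))
    return out


def naive_diff(old, new):
    """Compare by position only: what an unaligned, cell-by-cell comparison reports."""
    changes = []
    for r in range(max(len(old), len(new))):
        a = old[r] if r < len(old) else ()
        b = new[r] if r < len(new) else ()
        changes.extend(_cell_changes(r, r, a, b))
    return changes


def _pair_rows(old_rows, new_rows):
    """Inside a changed block, pair rows in order when at least half their cells agree."""
    pairs, start = [], 0
    for i, a in enumerate(old_rows):
        for j in range(start, len(new_rows)):
            same = sum(x == y for x, y in zip(a, new_rows[j]))
            if same * 2 >= max(len(a), len(new_rows[j])):
                pairs.append((i, j))
                start = j + 1
                break
    return pairs


def aligned_diff(old, new):
    """Line the versions up row by row, then compare cells only within matched rows.

    Events are (kind, old_row, new_row, column, old_value, new_value); for a whole
    inserted or deleted row the value is the row tuple and column is None.
    """
    events = []
    matcher = SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        pairs = _pair_rows(old[i1:i2], new[j1:j2])
        for di, dj in pairs:
            events.extend(_cell_changes(i1 + di, j1 + dj, old[i1 + di], new[j1 + dj]))
        kept_old = {di for di, _ in pairs}
        kept_new = {dj for _, dj in pairs}
        events += [("row_deleted", i1 + k, None, None, old[i1 + k], None)
                   for k in range(i2 - i1) if k not in kept_old]
        events += [("row_inserted", None, j1 + k, None, None, new[j1 + k])
                   for k in range(j2 - j1) if k not in kept_new]
    return events


if __name__ == "__main__":
    print(len(naive_diff(OLD, NEW)), "cell changes when compared by position")
    for event in aligned_diff(OLD, NEW):
        print(event)
```

On the sample sheets the positional comparison buries the overwritten formula among changes caused purely by the shifted rows, while the aligned comparison isolates it as a single formula change.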
There is also a wide variety in the degree of visualisation offered, with some companies only offering reports and other data in spreadsheet format while other suppliers make use of more advanced graphical techniques.

It is also noteworthy that while most products consist of pure play suites of tools, two of the offerings considered in this report, from Operis and Risk Integrated (in the Automation Tools category), are products that were originally developed for in-house use and which have subsequently been made available to clients on a stand-alone basis. Both of these companies are consulting houses with Operis specialising in complex financial modelling and Risk Integrated, as its name implies, focusing on risk management.

Products in this category are typically available on a free 30 day trial basis with a typical per user licence of between $200 and $600 (with the bulk at the lower end): bulk discounts for enterprise licences are usually available. Support is via e-mail.

Note that some of the control and compliance vendors (see next sub-section) also incorporate Auditor’s Tools within their offerings.

Control and Compliance tools

Control and compliance tools come in a variety of shapes and sizes. In principle, products within this category would address security, auditing and compliance first and foremost and, as a consequence of the way that they do these things, also provide enterprise resource management and productivity gains. However, there is by no means a common approach across all of the vendors in this grouping.

Before we discuss these differences, though, we should consider what we mean by ‘control’ and ‘compliance’.

The idea behind a controlled approach is that you will fully control everything that is done within the spreadsheet environment.
Using a role-based security system, you will apply security at all levels, from the queries against the original data sources, to the files and directories accessed by users all the way to locking down changes at the cell-level, so that only authorised personnel can change data, with similar strictures being applied to formulae and other facilities within the spreadsheet environment. The way that this is typically accomplished is by means of a centralised repository, as illustrated in Figure 1, which represents CIMCON’s architecture.

Figure 1: Architecture using a centralised repository (from CIMCON)

The point here is that the user continues to work in Excel as he has always done but that the environment is controlled from the repository where version control, security and so forth are running. Typically, the repository is based around a document management system but that is not always the case: SmartDB, for example, uses an Oracle (or, in theory, any other relational) database. In some cases, notably the Automation Tools vendors (see next section), user spreadsheets are populated directly from the repository/server at runtime in a dynamic fashion. An important point here is that there is a natural aversion to the centralisation of spreadsheets: it therefore needs to be as simple and painless as possible.

Needless to say, in order to be fully effective, control tools need to have discovery capabilities (not all products do) so that these capabilities can be retrospectively fitted to existing spreadsheets as well as applied to new developments. Moreover, the way that discovery is implemented is also important, because you want to be able to discover and import spreadsheets into your management environment as efficiently as possible but you also don’t want to interrupt or impose any performance penalty on conventional operations.
The ability to assess the risk associated with each spreadsheet is also important.

The compliance approach is about monitoring current activities, sometimes referred to as the “closed circuit TV” (CCTV) option. In this approach, everything that you do is logged, every change to a macro or a formula, every change to the data, who did it and when.

Now, there are products that combine both control and compliance but there is also one product (from ClusterSeven) that provides compliance only. In the latter case, no attempt is made to prevent anybody from making a change or, as a result, introducing the variety of error types mentioned earlier. In other words, this is auditing without control. This has the advantage that you do not need to centralise the whole environment but it will only be appropriate for companies that already have tight control over their spreadsheets: that is, those organisations that have already recognised that spreadsheets represent a corporate resource.

However, the distinction between compliance and control and compliance tools is not the only differentiator between companies within this grouping. In particular, while all companies in this group provide security there is one vendor (ROISoft) that specialises in security and has then built control and compliance on top of that, rather than the other way around—it might make a good partner for ClusterSeven. A further differentiator is that some control and compliance products include auditor’s tools while others do not. Finally, eXpresso (which is the only vendor we know of to have a Software as a Service—SaaS—offering in this area), offers significant collaborative capabilities that are absent from most competitive products.

Control and compliance solutions represent a much larger investment than auditor’s tools, with a typical enterprise-wide implementation running to at least 6 figures and sometimes 7, though the SaaS offering from eXpresso (which is also available via a stand-alone licence) and Lyquidity are exceptions to this rule, with the latter offering enterprise licenses in just 4 figures. On the other hand, this is less highly featured than some of its rivals.

A number of the products in this area also have the ability to discover other resources aside from spreadsheets such as PowerPoint files, Word documents, Access databases and so forth.

Automation tools

The third class of tools in the enterprise spreadsheet management space are automation tools. That is, products that have been specifically designed to aid in the development of spreadsheet applications (that is, where there are repeated processes rather than one-off spreadsheets, such as for sales reporting, financial consolidation and so forth). These environments are typically template-based and provide classical development methodologies to ensure that applications are properly tested prior to deployment.

These tools may also offer control and compliance capabilities but only for the spreadsheets that have been developed within this environment. Neither of the products (we have discovered only two) in this area has discovery capabilities or the ability to bring pre-existing spreadsheets under its wing, so to speak.

We should comment that the development capabilities provided by these products are much, much stronger than those of products in any other category and that the use of these tools to prevent errors is a lot more powerful and useful than merely being able to detect them after the event.

Products in this category have typical implementation licences in 5 figures, with the exception of Risk Integrated, which only provides a partial solution (see next chapter).

Chapter 5 – Product Evaluations

This chapter includes our evaluations of the various products reviewed in preparing this report. They are presented in alphabetical order. Note that the evaluations of Auditor’s tools are significantly shorter than those of the Control and Compliance and Automation Tools (with the exception of Risk Integrated) included herein. The products considered are listed below.

Auditor’s Tools

• Operis OAK
• Sheetware XDrill
• Spreadsheet Advantage
• Spreadsheet Detective
• Spreadsheet Innovations
• Spreadsheet Professional

Others (no evaluation)

• Codematic XLAnalyst
• UTS MathLook for Excel & Galaxy Enterprise Knowledge Management System

Control & Compliance Tools

• CIMCON Spreadsheet Compliance Solutions
• ClusterSeven Enterprise Spreadsheet Management
• Compassoft
• Lyquidity ComplyXL
• Mobius ABS for Spreadsheet Compliance
• Prodiance Spreadsheet Compliance
• ROISoft ExSafe
• SmartDB eXpresso

Automation Tools

• Actuate e.Spreadsheet
• Qtier-Rapor
• Risk Integrated Enterprise Spreadsheet Platform

Actuate e.Spreadsheet

Fast facts

Actuate provides Enterprise Reporting solutions. By this it means that it can provide all of the reporting, query and analytic capability (with the exception of data mining) that an enterprise might require, both at a technical level and in terms of the types of users it supports, from those who simply want to see a particular report on their desktop once in a while, to power users and business analysts. As a part of this landscape the company provides Actuate e.Spreadsheet as a solution that is designed to provide centralised control and management over the design and use of spreadsheets.
Actuate e.Spreadsheet is an integral part of the Actuate 9 Enterprise Reporting platform (technically it is referred to as Actuate 9 e.Spreadsheet) but this report focuses on e.Spreadsheet rather than the other elements of the Actuate product set, except where the latter are relevant to the operation of e.Spreadsheet.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• Actuate e.Spreadsheet allows your users to continue to use Microsoft Excel in exactly the way that they are used to but, behind the scenes, you use the Actuate platform to develop, manage, secure, audit and control the distribution of these spreadsheets.
• In particular, e.Spreadsheet is used to manage the development of repetitive spreadsheet applications such as sales forecasts, account statements, budgeting and planning, financial consolidations and so on.
• Complete, cell level version control is maintained as a part of the development environment provided by e.Spreadsheet so that you can manage who is authorised to make changes and so that any such changes to editable cells can be logged and audited.
• Actuate e.Spreadsheet does not include formal support for the segregation of roles—author, editor and (internal) auditor—required by auditors; nor for the sort of workflow that would support this checking and approval process. Instead, the product takes a more conventional approach to development and security, securing both the data that populates a spreadsheet, and also the structure of the workbook presenting it (which might, of course, be acceptable to auditors in its own right). You could, of course, use an appropriate third party change management tool to support the segregation of consumer roles.
• Once defined, spreadsheet blueprints are stored on the Actuate server and user spreadsheets are dynamically generated at run-time depending on the user’s role and permissions.
• Note that the Actuate platform offers federated query capability so that this dynamic generation of spreadsheets may be based on data derived from multiple (heterogeneous) data sources.
• A major advantage of the dynamic server-based approach adopted by Actuate is that it does not matter if data sizes change, since this is automatically taken care of when the user’s spreadsheet is generated at runtime.
• Actuate e.Spreadsheet offers significant advantages when compared to traditional BI approaches such as plug-ins and ‘save to Excel’.

The bottom line

Actuate e.Spreadsheet automates the development and deployment of spreadsheets. This doesn’t just speed up the development process and make deployment more efficient: in governance and compliance terms it also reduces the risk of error, provides built-in security and makes change tracking into a byproduct of the environment. In other words, because use of e.Spreadsheet means that spreadsheets are deployed as an enterprise resource there is a reduced need for auditor’s tools (and auditor’s fees) and change tracking. Further, our view is that native, stand-alone use of (unmanaged) Excel spreadsheets is a potential hazard when it comes to corporate governance and regulatory issues. As a result, a solution such as Actuate’s, which allows proper control of the spreadsheet environment, is much to be preferred and should be considered seriously, especially by any company that deploys spreadsheet applications.

Actuate e.Spreadsheet Vendor information

Background information

Actuate was founded in 1993 and initially focused on reporting solutions that were deployable across the enterprise to all classes of users. That is, it focused on users that didn’t want to learn anything about the reporting environment but simply wanted to access information that would help them to do their jobs. In other words, Actuate had a focus on reporting per se, and reporting applications in particular.

Although there were a series of extensions (for example, web-based reporting) to the product set throughout the ‘90s, this position remained essentially unchanged until 2003, when the company introduced spreadsheet reporting for business users and then analytic reporting aimed at power users. Also in 2003, Actuate acquired Nimble Technologies, a vendor of data federation and enterprise information integration (EII) solutions, whose technology is integrated within the remainder of the Actuate product set, including e.Spreadsheet.

More recently (in early 2006) the company has bought Performancesoft, a scorecard application vendor specialising in the performance management arena, and Actuate is also the driving force behind BIRT (business intelligence & reporting tools), which is a top-level Eclipse project for developing open source reporting tools. Actuate BIRT is available, including chargeable support provided by Actuate.

Actuate markets its products via both a direct and indirect channel, with around a third of corporate revenues coming from partnerships, especially where the product has been embedded into third party products such as those of Chordiant and Siebel (Oracle).

Actuate web address: www.actuate.com

Product availability

The current version of the Actuate product set is 9.0 and the same is true for e.Spreadsheet. At the platform level, Actuate’s general approach is to run under Windows, AIX, Sun Solaris, Linux and HP-UX with Windows-based development tools, with the Actuate iServer (which provides the infrastructure upon which all Actuate products are based) providing full cluster support. Mac OS, Solaris and OS/2 are supported at the browser client level, using either Internet Explorer or Mozilla Firefox.

As far as e.Spreadsheet components are concerned, e.Spreadsheet Designer runs on Windows. How the product fits into the overall architecture of the Actuate suite is illustrated in Figure 1.

Figure 1: Architecture of the Actuate suite

Actuate presentation services are provided through either iPortal (J2EE) or Active Portal (.NET environments) and, in the case of the former, supported platforms include Tomcat, IBM WebSphere, BEA WebLogic and the Sun Java System Application Server. For data access, native drivers are provided to access Oracle, DB2, SQL Server, Informix, Sybase and Progress databases and both ODBC and JDBC are supported for other environments. XML and flat file access is also supported and there are special pre-built facilities for extracting information from SAP and PeopleSoft environments. Business logic, in the form of Java or COM objects, can also be accessed as data sources within the afore-mentioned J2EE and .NET environments. A software developer kit (SDK) is available for building comparable facilities for, say, Oracle Financials. While this information may not seem immediately relevant, one of the features of e.Spreadsheet is that it leverages Information Objects, the EII technology acquired from Nimble, meaning that you can build spreadsheets based on information derived from multiple, heterogeneous sources.

Note that Actuate describes the iServer as a ‘scalable platform’ in Figure 1. There are various points to note about this. First, there are the technical features such as multi-project support, server-specific service tuning, multi-threading, page delivery on demand, multi-tiered cluster and failover support; secondly, there is the fact that Actuate has existing customers with over 100,000 users (for example, the Bank of America); and thirdly, there are the independent benchmarks that you can examine on Actuate’s web site, favourably comparing the performance of Actuate with Crystal Reports (now part of Business Objects) and Cognos ReportNet.
Licensing fees for e.Spreadsheet are relatively inexpensive compared to some products in this market, with pricing starting at $495 for a copy of e.Spreadsheet Designer and $500 per user for the e.Spreadsheet Option within the iServer.

Financial results

Actuate floated on NASDAQ in 1998 and in the last financial year (2006) it reported revenues of $128.6m (a record) compared to $106.4m in 2005. On a GAAP basis, net income for 2006 was $13.8m compared to a profit of $11.6m in 2005. In the most recent quarter (Q4, 2006) revenues were $35.1m, as opposed to $29.2m in the same period last year. Net income similarly rose from $4.1 to $10.2m. The company is cash rich and has no long-term debt.

Actuate has over 500 employees at offices in Canada, the United States, Australia, Hong Kong, Japan, Singapore, France, the UK, Switzerland and Germany. It also has development facilities in China, though not sales offices. Distributors are based in Brazil, Mexico, South Africa, India, South Korea, New Zealand, the Netherlands, Portugal, Russia, Spain and Sweden. In addition to its direct customers the company also has more than 300 OEM partnerships.

Actuate e.Spreadsheet Product description

Introduction

Actuate e.Spreadsheet competes in two markets: the ‘how to be more productive with Excel’ market and the ‘how do I manage, secure and comply with Excel’ market. In the first of these Actuate competes with Excel on its own, or with other business intelligence vendors that offer either Excel plug-ins or which have ‘save to Excel’ options. As we shall see, Actuate offers a number of advantages when compared to all three of these alternatives. However, in the control and compliance part of the market we cannot make such sweeping statements, precisely because of the complexity of the market.
There are a variety of compliance and governance issues that arise from the widespread adoption of Microsoft Excel, of which the three most well-known are its limited auditing and compliance capabilities, its weak security and the prevalence of errors. Failure to exert proper control over the first of these can land you in jail, the second can lead to fraud and the third can simply cost you money. There are also additional issues, which we will touch on during the course of this report, but these are ‘the big three’. As a result of there being multiple compliance issues with Excel, there are three main types of tools that address these:

1. Auditor’s tools, which are used to examine formulae, discover errors and determine data lineage after the fact.
2. Control and compliance tools that track and audit changes to spreadsheets (and associated macros, documentation, VBA and so forth) reporting on anomalistic events after they occur.
3. Automation tools that take a more preventative approach whereby you try to eliminate errors (and, therefore, the same degree of need for auditor’s tools) and prevent fraud by taking a pro-active role in managing the spreadsheet development and deployment environments. Since development is an intrinsic part of this environment, tools in this category typically provide version management down to the cell level (SharePoint only provides it at the document level) so that change tracking and auditing is built-in.

Whether a pro-active or a reactive approach will suit your company will depend on your situation: in our view, a pro-active methodology, which is the approach that Actuate has adopted, will be most suitable where the organisation has recognised that spreadsheets need to be treated as an enterprise resource (we are talking about corporate spreadsheets rather than individual ones), which will mean that spreadsheets are developed and tested prior to production, just like any other software application. Whether or not this control and management of spreadsheet applications is within the domain of IT or within the originating department is a separate question. Actuate e.Spreadsheet, which is template based, will be most suitable for environments where spreadsheet applications are used to automate repetitive tasks such as financial consolidations, sales forecasts, account statements, budgets and planning, and so forth.

Architecture

What e.Spreadsheet allows you to do is to use Microsoft Excel within the Actuate environment and supported by the Actuate iServer. In technical terms, the product works by sourcing data natively and then generating an xls file for viewing. You can also import existing Excel-based information so that it can be managed through the iServer (and you can also use an existing spreadsheet as a template for future development). What this means is that security (iServer supports LDAP directories, Windows Active Directory and the Sun Java System Identity Server), an audit trail, and other management facilities are provided for the spreadsheet environment.

Figure 2: e.Spreadsheet architecture in Actuate 9

In practice, e.Spreadsheet is not a single product, as is illustrated in Figure 2. As can be seen there are a number of components within e.Spreadsheet: the Designer, the generation option, the Smartsheet Security option, the object catalogue and the use of Information Objects. While the last of these will be discussed separately later it is probably more useful to discuss the first four components in logical terms (that is, how you would use the product) rather than purely in terms of what each module does.

Building a spreadsheet application

Perhaps the main feature of e.Spreadsheet is the way that spreadsheets are built and delivered, which is achieved through the e.Spreadsheet Designer. The definition of an e.Spreadsheet design template or blueprint is, effectively, a five step process:

1. The data sources from which a spreadsheet is to be built are defined using the Data Explorer (see Figure 3) along with relevant parameters and fields. If this involves multiple sources of data then this will leverage an option to the Actuate platform called the Data Integration (EII) option. Since this requires some discussion it is covered in its own section, which follows later in this report. Inset in this screenshot is the Data Range Editor, which provides a drag-and-drop environment for creating multi-dimensional workbooks, functions and locks. In addition, there is also a Pivot Range Editor for creating pivot tables with filtering and drill-down. It is worth noting that Actuate offers considerably more data source flexibility than Excel 2007, not least through its Data Integration (EII) option but also thanks to its understanding of metadata. There are also mechanisms provided to overcome the 64k row limit on spreadsheets, either by dynamically rolling data over into new worksheets in the workbook, or by staging data sets in the server catalogue.
2. The logic (formulae, macros and so forth) to be used in any particular spreadsheet is abstracted within the design blueprint, which helps to remove design and formula replication errors. Here you can make use of the Designer’s reporting functions, which define how the design blueprint should manipulate, summarise or use data within calculations. e.Spreadsheet Designer provides built-in formula-like capability that controls data expansion within workbooks.
3. Formatting—formatting the spreadsheet is integral to the design process, which not only helps to make designs more visually appealing (with bolded column headers and sub totals, conditional highlights outlining and so forth) but also includes the ability to define security privileges all the way down to cell-level access.
Apart from the e.Spreadsheet Designer itself and its template-based approach, features leveraged here that are not in Excel 2007 include user-based cell, section, range and worksheet locking, which Actuate calls ‘SmartSheet Security’; and programmatic interfaces in Java, VB, XSLT and C++.

Figure 3: The Data Explorer screen

4. Data-driven spreadsheet population—data can be extracted in real-time to populate spreadsheets so that they are always up-to-date (including adding new hierarchy members and worksheets) without ever breaking or exceeding the limits of the template, which is a common issue with templates built within Excel directly or when using Excel plug-ins. In addition, worksheets in a workbook may be parameterised based on data values. Facilities that are not available in Excel 2007 (let alone other BI tools) include support for side-by-side (sibling) hierarchies that can be grouped across a third hierarchy, some of the features of the Editor (notably the ability to expand, replicate and reproduce formulae and references as data expands and contracts; and the ability to define dynamic worksheet bursting within a workbook) and the built-in parameter control that is provided.
5. Server-based distribution—when a user wants to use a spreadsheet, it is generated and delivered based on the template for that spreadsheet, from the iServer, with dynamic population of the data and personalisation of formatting. Other dynamic facilities provided include support for live pivot tables; the use of live data filters in, for example, exception reports; and live 3-D charts that you might use, say, in conjunction with ‘what-if?’ analysis. The fact that spreadsheets are generated dynamically at run-time means that full security is maintained at all times as well as an audit trail of who has requested which spreadsheet.
The software can also present the data, showing which cells are locked (but viewable by this user) and which are unlocked but available for update. The design template can define and enable Excel’s built-in change tracking facilities where user activity is logged within a worksheet in the document. When a spreadsheet is written back to the server with updated information (for example, in a budgeting application) then that entry, and the workbook’s activity list, is logged for auditing purposes.

In terms of its advantages over native Excel 2007, at this level the most important is surely the iServer’s scalability, as previously discussed, as well as its ability to work across Windows, Linux and UNIX environments. Perhaps the most notable of its other advantages is the power that it puts into the hands of users through runtime parameterisation, for example to use in selecting data to display or for selecting layout preferences. It is also worth noting the extensive use of wizard-based facilities in the product, which can be used for formatting cells and worksheets, adjusting formulae and data groupings, summarising data, inserting graphs and using pivot tables, amongst others.

Finally, it is worth illustrating the fact that e.Spreadsheet does not simply deliver spreadsheets but that these spreadsheets can be embedded within a more comprehensive portal, along with other Actuate generated reports, as shown in Figure 4.

Figure 4: Embedding the spreadsheets into Actuate-generated reports

The Data Integration (EII) option

Information Objects is Actuate’s technology for providing EII (enterprise information integration). That is, it allows you to access multiple, heterogeneous data sources, in real-time, to populate Actuate reports or, in this case, e.Spreadsheets.
The way that it works is that you first create a mapping (in XML) from the data source to the Actuate environment. This is a developer task as it requires some knowledge of the source system. However, once these initial mappings are defined the resulting Information Objects can then be combined into consolidated views by end users (using the Data Explorer). In other words, once the base mappings are created, users can use these to create whatever reporting structures they like.

When a query based on one of these structures is activated, the query is decomposed and the relevant parts of the query sent to the relevant data sources. The EII Option has a built-in optimiser (like a database optimiser) and it can leverage source system facilities such as the DB2 optimiser in order to optimise performance at each data source and from a distributed perspective. Actuate also implements a cache so that you can reuse data, when appropriate, without overtaxing the source systems. Figure 5 illustrates and describes how the EII Option works in conjunction with e.Spreadsheet.

Figure 5: e.Spreadsheet and the EII Option

Summary

Companies addressing the Excel marketplace come from two general directions: either they are fundamentally business intelligence companies or they are control and compliance companies. In the former category there are BI ‘save as Excel’ vendors and there are BI Excel plug-in suppliers while in the latter category there are auditor’s tools and change tracking tools. The latter do nothing for the company that wants to manage its spreadsheet development and the former: well, the former don’t do much at all.

Actuate, on the other hand, by focusing on the development and automation of spreadsheets, adds considerably to both the BI and control and compliance environments. Moreover, there are hardly any other companies providing comparable automation environments and no others that do so from the standpoint of a broader business intelligence capability.
Actuate e.Spreadsheet is therefore strongly recommended.

CIMCON Spreadsheet Compliance Solutions

Fast facts

CIMCON offers a suite of software products that, while they nominally have a particular emphasis on ensuring compliance with Sarbanes-Oxley, actually have broader application for spreadsheet management. The suite includes discovery capabilities (via XLRisk); auditor’s tools (XLAudit) for spreadsheet comparison, error detection and so forth; and change tracking and control (SOX-XL). There is also a companion product called SOX-XS that provides comparable features to SOX-XL but for Access databases rather than Excel.

While the ‘SOX’ prefix to two of these products is understandable, there is a danger that it limits the potential usage of these offerings in users’ eyes. In practice, the SOX products from CIMCON support best practice that may well be applicable to companies that are not subject to the Sarbanes-Oxley regulations.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• XLRisk will automatically discover all of your corporate spreadsheets, Access databases and, indeed, other assets. This is accomplished during an overnight batch run and a data dictionary with all relevant metadata is created within the CIMCON environment. The other products in the suite run against this dictionary so that a non-intrusive approach is maintained throughout.
• When SOX-XL is used (the products may be licensed independently) the software automatically pulls spreadsheets into its server to create new versions, on a scheduled basis, although there is also a manual option for creating versions. For ongoing monitoring, CIMCON uses an agent-based architecture that automatically detects and notifies the software of any changes, though you can still use a scheduled approach if you prefer.
• Once spreadsheets are discovered they can be assessed for risk, both from the perspective of the risks associated with a spreadsheet per se (basically, how complex it is) and the business risks associated with the usage of this spreadsheet. This process is largely automated and has been significantly enhanced in the latest release—it now represents a significant strength of the product.
• Once a risk assessment is complete, XLAudit is used to look in detail (with formula rectification, error detection, comparison capabilities and so on) at selected spreadsheets, typically those with the highest risk profiles. A dashboard is provided showing details of your compliance programme.
• SOX-XL can be used to maintain a strict segregation of roles: authors, editors and auditors.
• SOX-XL provides control as well as change tracking. In the former case, there is role-based control of Excel menus and the available functions, you can enforce sign-offs, employ digital signatures and so on.
• Change tracking is down to the cell level and includes time-stamping for the time that changes were made, not just when they were saved. Note that all such changes are recorded, not just the ones made at the time of the file save.

The bottom line

CIMCON has a significant history in the compliance market, having originally focused its efforts on the pharmaceutical sector, where there are Federal Drug Administration regulations that need to be complied with. Since moving into spreadsheet management and compliance the company has established itself as one of the leaders in this market, with some 150 customers to date. Moreover, its solutions tend to be less expensive than those of its major rivals (5 figures rather than 6) so the company appears to be well placed given that there is a growing concern across user companies to ensure not just that their spreadsheets are compliant but that they are error-free and less subject to fraud.
CIMCON Spreadsheet Compliance Solutions Vendor information

Background information

CIMCON Software (which is not to be confused with Cincom Systems) has been in business, in one form or another, for some 19 years. Originally the company’s name was an acronym for computer information management and control and it focused on automation systems. However, some 10 years ago the company re-invented itself as a provider of compliance solutions, initially in the pharmaceutical sector (where CIMCON supports FDA CFR21 Part 11) and, more recently, for financial services. Its solutions in support of Sarbanes-Oxley were first introduced 4 years ago. Note that as a significant part of these compliance solutions the company offers a number of spreadsheet and associated software applications that would, of course, be applicable widely across industries and not just in the sectors in which the company specialises.

Product availability and support

The products provided by CIMCON are currently in version number 5.4.3 and they may be incrementally licensed and installed. Needless to say, they all run on Windows platforms, with support for all versions up to Windows Server 2003. The versions of Excel supported include Excel 97, 2000, XP, 2003 and 2007. While the company is primarily US-based in so far as sales is concerned, the global nature of the company’s customer base means that it needs to offer 24x7 support and it maintains U.S. and overseas offices in order to do this. Typical installations are measured in high five figures (dollars).

In practice, CIMCON takes a lifecycle management approach to spreadsheets, as illustrated in Figure 1, which shows the three spreadsheet management products that the company provides: XLRisk, XLAudit and SOX-XL, along with the major features of each of these elements of the suite.
In addition to the products shown the company also has a solution called SOX-XS, which is designed to provide Sarbanes-Oxley compliance for users of Access databases. As these are commonly employed in conjunction with spreadsheets, especially in financial environments, we will briefly discuss the facilities offered by this product even though the focus of this report is on spreadsheet management.

Financial information

CIMCON is privately owned and financed (that is, no VC funding) and has approximately 150 staff. As noted, it has overseas offices for research and development and to support its global customer base. It has some distributor agreements for indirect sales and is in the process of expanding the number of these distributors in response to market demand. It has technical partnerships with both Microsoft and Hyperion and also has a partnership (in the UK) with Protiviti. Business Objects’ Crystal Reports is embedded within the product for reporting purposes.

Web addresses: www.cimcon.com, www.sarbox-solutions.com

Figure 1: CIMCON’s lifecycle approach to managing spreadsheets

CIMCON Spreadsheet Compliance Solutions Product information

XLRisk

XLRisk is a discovery and risk assessment tool. In the first instance, XLRisk will automatically discover all the spreadsheets on your local area network or intranet, along with all of your Access databases. It will also, incidentally, detect instances of other products such as Oracle databases, SAS applications and so on. As this detection process can be fairly lengthy it is typically run as a batch job overnight. As a result of the detection process XLRisk builds an inventory of the assets (spreadsheets in this case) it has detected, stored in a data dictionary file that records the name of the spreadsheet, its location, details of embedded queries therein, databases, database tables and database fields that are referenced, plus details of any required fields.
In other words, it collects as much relevant detail as it possibly can, initially via a scheduled batch run but subsequently on an incremental basis (though scheduling remains an option).

Once this metadata is collected, the next phase in the use of XLRisk is to conduct a risk assessment. There are two elements within this process, one of which is automatic and the other is manual. The automated part is an analysis of the potential risk within any spreadsheet based on the number of external links involved and the number of formulae and other characteristics associated with the spreadsheet. In effect, the software determines how complex the spreadsheet is, on the basis that the more complicated it is the more likely it is to have errors within it, as well as detecting any reported errors or warnings. A Risk Scorecard is automatically assigned to each spreadsheet based on risk criteria that can be configured based on client-specific spreadsheet processes and risk indicators. Provision is also there to include the materiality (that is, how significant the spreadsheet is within the overall financial reporting process) of the spreadsheet for financial reporting when assigning a risk scorecard.

In addition, you need to be able to recognise the importance of the spreadsheet to the business: whether it represents a low, medium or high-risk depending on its impact on the company. To a large extent this is automated in that XLRisk (in the latest release) reuses facilities from XLAudit (see next section) that collects statistics regarding all of the spreadsheets you are scanning and assigns risk criteria based on given risk factors. For example, the software would recognise that a Statement of Earnings would represent a higher risk than a sales report based on various factors such as the maximum value in the spreadsheet and the presence of keywords such as ‘balance’ and ‘millions’ rather than ‘thousands’.
Also relevant would be the presence or absence of particular formulae, the amount of activity and various technical measures such as the number of links, errors, warnings and so forth. Thus, from a Sarbanes-Oxley perspective, if you produce your Balance Sheet or Statement of Earnings via spreadsheets, then these would be high-risk whereas Cash Flow statements might be classed as medium-risk and sales reports might be low-risk. However, it is important to appreciate that this should not be looked at purely from a compliance perspective; if you use spreadsheet applications for mission-critical applications then these too should be regarded as high-risk. So, ultimately you will have a defined risk profile for each spreadsheet, based on its importance to the business and the degree of complexity inherent in the spreadsheet.

Finally, note that the dictionary XLRisk builds forms the basis for doing impact analysis. That is, to see what would be affected by any change, whether that is a database change affecting a spreadsheet or a change in one spreadsheet affecting another spreadsheet. Moreover, such changes can often have ripple effects that have impacts in multiple places and CIMCON provides ad hoc query, search and reporting capabilities within XLRisk (and graphical tools are provided in the XLAudit product) for this purpose.

XLAudit

XLAudit is the tool provided by CIMCON to identify problems within spreadsheets and to aid in remediation. What XLAudit allows you to do is to go into finer detail, for auditing and verification purposes, for critical spreadsheets.
The features that XLAudit provides are:

• Formula analysis, which will highlight all the cells or ranges of cells that are affected by a formula;
• A formula rectification wizard that helps you to identify errors (including blank and text cells within formulae) and correct them;
• A referencing facility that allows you to identify any cells that contain references to other spreadsheets, as well as the ability to lock these cells if the spreadsheet being analysed is subsequently used off-line;
• Graphical analysis, as illustrated in Figure 2, for visually inspecting any nested dependencies (and precedents) that may exist for a cell. This same graphical technique is also used for showing relationships.
• Spreadsheet intelligence, which provides additional querying capability against a spreadsheet, including drill-down, filtering and so forth. In other words, it provides business intelligence capability with respect to your spreadsheets. This facility is multithreaded in order to optimise performance.
• Lookout capabilities that offer the ability to identify cell ranges and names, any validation rules that may be in place, hidden rows and columns, cell comments and charts that span multiple worksheets, and so on.
• Utilities that provide a variety of functions including cell formatting templates, a text case change function, configurable colour palettes (which can be different for each type of analysis done: the example in Figure 3 shows the results of a formula analysis) so that it can be easier to spot errors, reporting capabilities that will detail all of the analyses that have been applied to a spreadsheet, and so on.

Figure 2: Graphical analysis showing dependencies and precedents
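The kind of formula, referencing and dependency analysis listed above can be illustrated with a short added example (not CIMCON's code). It assumes a simplified A1-style reference grammar on a single sheet; the sample sheet, function names and finding labels are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample sheet: address -> content (formulas start with "=").
SHEET = {
    "B2": 1200,
    "B3": 950,
    "B4": "n/a",                      # text cell inside a summed range
    "B5": "=SUM(B2:B4)",
    "C5": "=B5*[Rates.xls]FX!$A$1",   # link to another workbook
    "D5": "=C5+B6",                   # B6 is blank
    "E1": "=D5/2",
}

# Simplified reference grammar (assumption: one sheet, no named ranges).
EXT_REF = re.compile(
    r"'?\[([^\]]+)\][^!]*!\$?[A-Z]{1,3}\$?\d+(?::\$?[A-Z]{1,3}\$?\d+)?")
RANGE = re.compile(r"\$?([A-Z]{1,3})\$?(\d+):\$?([A-Z]{1,3})\$?(\d+)")
CELL = re.compile(r"(?<![A-Za-z_.])\$?([A-Z]{1,3})\$?(\d+)(?![\d(])")


def col_to_num(col):
    """Convert a column label such as 'AB' to its 1-based index."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - 64
    return n


def num_to_col(n):
    """Convert a 1-based column index back to its label."""
    label = ""
    while n:
        n, rem = divmod(n - 1, 26)
        label = chr(65 + rem) + label
    return label


def precedents(formula):
    """Return (local cells, external workbook names) a formula refers to."""
    externals = set(EXT_REF.findall(formula))
    local = EXT_REF.sub("", formula)          # drop external refs first
    cells = set()
    for c1, r1, c2, r2 in RANGE.findall(local):
        for c in range(col_to_num(c1), col_to_num(c2) + 1):
            for r in range(int(r1), int(r2) + 1):
                cells.add(f"{num_to_col(c)}{r}")
    for c, r in CELL.findall(RANGE.sub("", local)):
        cells.add(f"{c}{r}")
    return cells, externals


def analyse(sheet):
    """Build the precedent graph and list cells an auditor should inspect."""
    graph, findings = {}, []
    for addr, content in sheet.items():
        if not (isinstance(content, str) and content.startswith("=")):
            continue
        cells, externals = precedents(content)
        graph[addr] = cells
        for workbook in sorted(externals):
            findings.append((addr, "external-link", workbook))
        for p in sorted(cells):
            if p not in sheet or sheet[p] in ("", None):
                findings.append((addr, "blank-precedent", p))
            elif isinstance(sheet[p], str) and not sheet[p].startswith("="):
                findings.append((addr, "text-precedent", p))
    return graph, findings


def impacted_by(graph, changed):
    """Impact analysis: every cell that depends, directly or not, on `changed`."""
    dependents = defaultdict(set)
    for cell, precs in graph.items():
        for p in precs:
            dependents[p].add(cell)
    seen, queue = set(), deque([changed])
    while queue:
        for d in dependents[queue.popleft()]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(seen)


if __name__ == "__main__":
    graph, findings = analyse(SHEET)
    for finding in findings:
        print(finding)
    print("Changing B3 affects:", impacted_by(graph, "B3"))
```

The same graph serves both directions: `graph[cell]` gives a cell's precedents, while `impacted_by` walks its dependents to show the ripple effect of a change.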
Figure 3: Configurable colour palettes per type of analysis

SOX-XL

SOX-XL, as its name implies, is all about compliance with Sarbanes-Oxley and, in particular, the ability to monitor and track changes that are made to your spreadsheets. However, unlike some products in the marketplace, it is not limited to monitoring changes but can also be used to implement an element of control over who can do what and when. In particular, in control terms, SOX-XL can enforce a segregation of duties (which is regarded as best practice) between authors, editors and auditors of spreadsheets. Specifically, it can control Excel menus (which options, such as cut and paste, are available), it can implement a sign-off process (using a workflow-based approach) or it can enforce a requirement to input a comment (reason) whenever a change is made. Moreover, these controls can be implemented at spreadsheet, column, row or cell level, as required.

A notable point is that, in order to do all of these things, not to mention the tracking capabilities of the product that we have not yet discussed, you can simply leave all spreadsheets in situ and rely upon the capabilities provided by SOX-XL for discovery and compliance purposes.

SOX-XL uses an architecture, as shown in Figure 4, wherein a centralised, secure, web-based repository of all spreadsheets is used. The way that this works is that the server automatically pulls existing sheets into the server to create new versions on a scheduled basis, although there is a manual option to save a version to the server when necessary. Users continue to work with their existing spreadsheets on shared file servers and may hardly notice the change to their existing environment. In effect, in the background, the SOX-XL repository acts as a content management system, together with role-based security, version control and so on.
This replaces the functions that, in Excel 2007, would otherwise be provided by Microsoft SharePoint Services. That said, however, SharePoint is limited to document-level change management whereas SOX-XL goes down to cell level, as required by Sarbanes-Oxley.

Fundamentally, there are three types of control that you can implement with respect to any particular spreadsheet, in so far as SOX-XL is concerned: you can implement security, you can insist on a complete audit trail and you can require electronic approvals (with electronic signatures) prior to a spreadsheet going into production. Regardless of whether you want any one of these, or all three, the process of setting it up is very simple, as all an authorised user has to do is to log in and request that the appropriate internal control(s) be implemented; otherwise the process is automatic.

Figure 4: Architecture of SOX-XL

In terms of these three control areas, the major features of the product include:

• Auditing—SOX-XL provides change tracking down to cell level, including macros, for all amendments. Further, in compliance with Sarbanes-Oxley, all changes are timestamped with the time that the changes were made (not when the spreadsheet was saved). As a corollary, all changes are tracked that are made before the file is saved. This is important because in cases of fraud you might change a spreadsheet to meet your own nefarious purposes and then change it back again prior to saving.
• Accountability—as already noted, SOX-XL implements segregation of duties, with role-based (by user or group) access control to relevant Excel features (by spreadsheet) and this is backed up by the ability to mandate electronic signatures. Moreover, the audit trail provided by CIMCON is colour coded (see Figure 5) so that auditors and others can easily see the use of electronic signatures against activity.
Figure 5: Colour-coded audit trail

• Security—while some security features overlap with Accountability (who can do what), SOX-XL provides additional functionality so that you can lock workbooks, formulae or cell ranges; there are session timeouts to protect against unauthorised use at unattended workstations; and you can block access after failed password attempts. There is support for both LDAP and Active Directory authentication.

Other features of the product include the ability to archive the audit trail; support for workflow, as already discussed; the ability to create read-only copies of a spreadsheet; support for multiple time zones, which is important for time stamping amongst other things; the ability to enforce the entry of the reason for a change and, if you do this, then you can either allow free-form entry or selection from a drop-down list of valid reasons; and there is support for workbook templates, whose functions can be managed in the same way as spreadsheets.

Finally, there are also reporting and query capabilities. In terms of reports, Business Objects’ Crystal Reports is embedded within the product and there are a number of prebuilt reports that come with the product; you can also customise these or design your own. In addition, there is a Query Builder that you can use to slice and dice the stored audit trail to investigate what has happened on the basis of date, time, person and so forth.

SOX-XS

As we have noted, CIMCON also has SOX-XS for Access databases that is complementary to its SOX-XL product. Its importance rests on the fact that large numbers of users employ Access databases in conjunction with Excel. Briefly (as spreadsheet management is the focus of this report rather than compliance in broader terms), SOX-XS provides comparable facilities for Access as SOX-XL does for Excel.
It offers version control, a record/field level audit trail that can be maintained at a fine level of detail, and VBA code control and comparison capabilities.

Summary

Over the last two years the market has become increasingly aware of the dangers of simply allowing the uncontrolled and unmanaged growth of spreadsheets. While this has been brought to the fore by the need to comply with regulations such as Sarbanes-Oxley, there are also sound business reasons why spreadsheets should be managed as a corporate resource. Needless to say, this growing requirement has led to a significant number of companies entering this market, particularly since 2005. CIMCON is one of the few that is not just well-established but which has focused on the compliance arena for considerably longer than this. That is a major strength. However, that is not to say that it does not face threats from the increasing levels of competition. While we expect the company to continue to fare well in its native market of the United States, we would like to see it take a more aggressive stance in other markets (perhaps with a name change for its ‘SOX’ products), where there is the potential for significant future growth.

ClusterSeven Enterprise Spreadsheet Management

Fast facts

Microsoft Excel is one of the most widely deployed applications on the planet. However, it is used in a variety of different ways. For example, it may be used simply for reporting or presentation purposes while, on the other hand, it may be employed for important business applications such as budgeting, planning and financial consolidation. In some environments, like investment banking, utility trading and hedge funds, the use of spreadsheets represents not just mission critical applications but key differentiators that represent the company’s trading advantage over its competitors.
Thus the use of spreadsheets can be divided between personal deployment and what we might call operational deployment, where spreadsheets represent the encapsulation of a business process. In effect, each spreadsheet hierarchy represents a business application in its own right.

For all sorts of spreadsheet users, Microsoft Excel (and other spreadsheet products for that matter) suffers from a number of drawbacks. In particular, spreadsheets are prone to error, susceptible to fraud, lack adequate security and cannot be easily audited. While these issues may be of little consequence when it comes to the personal use of spreadsheets they are of much greater significance when it comes to their operational use: apart from the costs that may derive from spreadsheet errors, there are issues of compliance (Sarbanes-Oxley, Basel II and so forth) and data governance, and there may also be direct costs involved in that external auditors may charge additional fees for auditing spreadsheet applications if appropriate internal processes have not been put in place.

For all of these reasons, operational spreadsheets are increasingly being perceived to be a corporate resource where appropriate testing and control of these assets needs to be provided via an independent risk management department (this may be another part of the business or IT) rather than at the user level. However, at the same time, such control needs to be implemented in such a way that it does not impede the user’s deployment and utilisation of spreadsheet applications. It is this function—non-invasive spreadsheet management—which ClusterSeven provides through its Enterprise Spreadsheet Management application.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• Microsoft Excel 2007 offers expanded auditing capabilities through integration with Microsoft SharePoint 2007.
However, this is at the document level—that is, treating a spreadsheet as a whole. ClusterSeven, on the other hand, provides auditing and tracking of spreadsheet changes down to the cell level. It leverages SharePoint (and other content management systems) for document level versioning, management and access control and security.
• ClusterSeven does not offer the ability to stop erroneous or fraudulent changes to a spreadsheet. What it does is to allow you to monitor all changes to designated spreadsheets so that you can check these for yourself. Note that you can export a spreadsheet to your personal computer and change it, but ClusterSeven will discover the changes when you log back in and update the original.
• ClusterSeven offers significant time-based capabilities. To begin with, it can record and present the full history of any spreadsheet, right down to the cell level. This, in turn, can be used for trend analysis for developing things such as yield curves as well as detecting anomalies that might suggest fraud.
• A major feature is that ClusterSeven not only monitors events in a spreadsheet, down to cell level, but it can also monitor any macros that are built into the spreadsheet, providing visual (highlighted) comparisons between the old and new version.
• ClusterSeven understands not just individual spreadsheets but also the relationships that exist between different spreadsheets. Thus it understands hierarchies, workbooks and so on, and can use this understanding to provide facilities such as root cause analysis.
• Although ClusterSeven is primarily aimed at compliance officers, data stewards and so on, it also has a number of features targeted directly at business users.
• A significant number of standard reports are provided by ClusterSeven, enabling changes to be filtered against user-defined integrity rules, which can be extended through the use of Microsoft Reporting Services.
You can also feed data into Microsoft Analysis Services and similar tools.

The bottom line

It is only since the advent of Sarbanes-Oxley, Basel II and similar regulations, and today’s increased focus on data governance, that the market has begun to appreciate the shortcomings of Excel. As a result, the market for products that fill the gaps in Microsoft Excel is relatively new. With ClusterSeven being one of the earlier entrants into the market the company has a pedigree and its product a maturity that not all vendors can match.

Of course, the market for Excel remediation is a broad one and ClusterSeven has opted to focus on the high end. Typical implementations are priced in six figures or more, so ClusterSeven is very definitely a large enterprise solution, with features and scalability to match. If you are in that category (say, the Fortune 500) then ClusterSeven is well worth consideration.

Vendor information

Background information

ClusterSeven was formed in 2003 to provide security, auditing and compliance requirements for users of applications that lack those capabilities and, specifically, for Microsoft Office environments. The company is especially focused on providing Enterprise Spreadsheet Management to complement Microsoft Office Excel.

The company is privately owned, with venture capital backing, and is based in London though there is also a New York office. The company employs some 33 people at present and uses a direct sales model. It focuses on the Fortune 500, managing spreadsheet applications of all sizes. Its largest managed spreadsheets exceed 250 individual internal sheets and 150MB in size, properties which are especially common within capital markets (investment banks, hedge funds and so forth). Needless to say, Microsoft is a major partner.

ClusterSeven web address: www.clusterseven.com

Product availability

The current release of ClusterSeven Enterprise Spreadsheet Management, which supports all versions of Microsoft Excel from Excel 97 onwards, is version 3. Version 4 will be released in April 2007. The product requires Microsoft SQL Server (2000 or 2005) to store data, runs under Windows XP or Windows 2000 (Vista is scheduled), and it leverages Microsoft Reporting Services for reporting purposes, which means that it can provide XBRL (eXtensible business reporting language) based reports for compliance purposes.

ClusterSeven includes a generic ECM (enterprise content management) manager that co-ordinates between ClusterSeven and the ECM product, where the latter is providing document level auditing and version control. There are also specific plug-ins provided by ClusterSeven for the Microsoft (SharePoint 2007) and Hummingbird (now OpenText) ECM products.

Background

Introduction

ClusterSeven Enterprise Spreadsheet Management provides advantages for both end users (the people actually deploying the spreadsheets) and for people (compliance officers and so forth) that actually need to manage that environment. While the former are useful and will help ClusterSeven to market its product, it is the compliance features of the product that are most important.

Before we discuss the actual capabilities of the product it is therefore appropriate to outline the problem that ClusterSeven is solving. Put simply, Excel spreadsheets have poor security, an inadequate audit trail and are not reliable. If we take this last point first, the following paragraph is excerpted from a PriceWaterhouseCoopers report published on the use of spreadsheets and the Sarbanes-Oxley Act, in July 2004:

“An article in the May 24, 2004 issue of Computer World indicated that, “Anecdotal evidence suggests that 20% to 40% of spreadsheets have errors, but recent audits of 54 spreadsheets found that 49 (or 91%) had errors, according to research by Raymond R.
Panko, a professor at the University of Hawaii.” The Journal of Property Management on July 1, 2002 stated, “30 to 90 percent of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100 percent.” Perform an online search for spreadsheet errors or spreadsheet audit, and you will find a number of major failures attributed to spreadsheet inaccuracies that hit the press in the past year alone.”

Of course, spreadsheets are used for lots of different purposes. You may simply want to analyse sales data. If your analysis is faulty because of an incorrectly entered equation then that may not have any very significant effect upon the organisation. However, if you are using a similar spreadsheet to help you make investment decisions, then any mistakes could end up being very costly indeed. Moreover, the problem is not simply that errors may creep into the spreadsheets but that, because of the lack of appropriate controls, errors can be deliberately perpetrated for the purposes of fraud.

That is not the whole problem. The Sarbanes-Oxley Act, and other compliance regulations in other jurisdictions, mean that you have to be able to understand how data has moved around within your organisation. It is here that the use of spreadsheets in the raw can become extremely dangerous. To take a simple example, you cannot easily go into your company’s General Ledger and change the data, but you can extract that data into a spreadsheet and do whatever you like with it.

Moreover, many companies use spreadsheets for much more important purposes. Many, despite purpose-built software being available, still use spreadsheets for corporate consolidations and to prepare statutory reporting documents, or for planning and budgeting applications.
Sarbanes-Oxley means that this process will no longer be acceptable unless you can prove to the auditors exactly how your data was manipulated during this process.

Actually, the problem goes beyond even financial reporting. Spreadsheets are widely used for mission-critical purposes within financial markets and utility trading, for example, where very sophisticated suites of spreadsheets add substantial business value to the enterprise. Indeed, they often encapsulate the company’s key differentiators over its competitors. However, there is no facility to track whether anyone has changed a calculation within a spreadsheet or, if they have, what it is and who did it. In terms of risk management this is a clear no-no.

It should be clear then, that it makes sense to properly manage spreadsheets. Moreover, this is because it makes business sense and not just because it is necessary from an auditing and compliance perspective.

Excel 2007

At the time of writing Microsoft Office Excel 2007 is just about to be released and while many users will no doubt continue to use Excel 2003, not to mention earlier versions, it is pertinent to outline the enhancements that Microsoft has made to Excel in this release with respect to errors, security and auditing.

Figure 1: ClusterSeven working with Excel and SharePoint

• Errors—there are no significant improvements in this release. The Help system has some facilities in this area but they are limited.
• Security—in this release Microsoft has taken a different approach to the challenge of managing spreadsheet access. Rather than provide further functionality to protect files or parts of files when they are distributed, Microsoft is using SharePoint as a centralised repository from which parts of spreadsheets may be selectively published to the web. Hence other users (even if they are given access to parts of the file) have no access to the main file or hidden parts.
It is therefore far more difficult for them to attempt to break the security over the parts they cannot see.
• Auditing—again, if you use SharePoint then versioning and auditing is now available at the document level but this does not provide any auditing of the information within a spreadsheet. There are existing facilities with Excel that allow you to capture changes to a spreadsheet by writing a new spreadsheet; however, this is more of a logging mechanism than an auditing one: you cannot, for example, trigger alerts or notifications from this facility, nor could you track changes to macros.

How ClusterSeven works in conjunction with the latest facilities provided in Excel and SharePoint 2007 is illustrated in Figure 1, which also shows the high-level capabilities of the ClusterSeven product.

Product description

Architecture

The components of ClusterSeven Enterprise Spreadsheet Management are illustrated in Figure 2, along with its integration possibilities.

Figure 2: Architecture of the ClusterSeven solution

There are a number of elements within this diagram, as well as some that are not explicitly mentioned, that merit further explanation. In particular, core elements of the product include:

1. Discovery against designated servers—ClusterSeven includes a non-intrusive scanning capability that allows you to discover spreadsheets on designated servers.
2. Non-intrusive watching—this is a key point for ClusterSeven, particularly for trading systems where it is important not to have any impact on performance. The component provides a passive server, directory or file watching capability that allows you to monitor files that have been referenced, so that you can automatically detect any changes made to those files (down to cell level) or any new creations. As with scanning, you can have multiple watchers and they can be run on either a real-time or scheduled basis, as required.
Note the importance of the fact that ClusterSeven’s approach is non-invasive—the other obvious way to continually monitor spreadsheet changes would be to use the Excel event model—but this can be turned off by third party Excel add-in products, which would mean that you could not guarantee to capture all changes. In version 4.0 (see the ‘Product futures’ section) this watching capability will be extended to enterprise content management repositories.
3. Engine—this performs difference analysis, the population of reports, the servicing of the client workflow and the creation of alerts.
4. Storage—this is triggered when a watcher detects a changed or new spreadsheet, and it records the changes (or new entries) that are made in the referenced file(s), and stores them in a structured XML repository within Microsoft SQL Server. Note that it is only substantive changes (that is, changes to data rather than formatting) that are recorded, but these cover everything from raw data changes to document link changes, and changes to macros. Embedded file references are automatically traversed, bringing contributing documents into the management framework as well, so that you can trace dependencies and establish causality, where required. If you want or need to capture formatting information as well, then there is a snapshot facility, with the results being stored in compressed format.

ClusterSeven integrates with other products (such as file security systems or Enterprise Content Management providers) to deliver file level security. ClusterSeven itself is designed to monitor and audit what you are doing rather than prevent your activities.
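The difference analysis and substantive-change recording described above can be sketched as follows. This is an added example, not ClusterSeven's code: the snapshot layout, the change categories and the range rule are assumptions constructed for illustration, and it goes slightly beyond the passage by also raising alerts from the recorded changes.

```python
import re
from typing import NamedTuple

# Constructed snapshots of one sheet taken by a watcher at two points in time.
# Layout (assumed): address -> {"v": value or formula, "fmt": number format}.
BEFORE = {
    "P5": {"v": 410.0, "fmt": "0.00"},
    "P6": {"v": "=SUM(P2:P5)", "fmt": "0.00"},
    "Q6": {"v": 0.042, "fmt": "0.0%"},
    "R1": {"v": "=[Ledger.xls]GL!B9", "fmt": "General"},
}
AFTER = {
    "P5": {"v": 410.0, "fmt": "#,##0.00"},                  # formatting only
    "P6": {"v": 1875.0, "fmt": "0.00"},                     # formula hard-coded
    "Q6": {"v": 0.42, "fmt": "0.0%"},                       # data change
    "R1": {"v": "=[Ledger_v2.xls]GL!B9", "fmt": "General"}, # link retargeted
    "S1": {"v": 12, "fmt": "General"},                      # new cell
}

# Constructed integrity rule: Q6 must stay between 0% and 10%.
RANGE_RULES = {"Q6": (0.0, 0.10)}

LINK = re.compile(r"\[([^\]]+)\]")  # workbook name inside an external reference


class Change(NamedTuple):
    cell: str
    kind: str
    old: object
    new: object


def is_formula(value):
    return isinstance(value, str) and value.startswith("=")


def classify(old, new):
    """Name the kind of substantive change between two cell contents."""
    if is_formula(old) and not is_formula(new):
        return "formula-to-constant"
    if not is_formula(old) and is_formula(new):
        return "constant-to-formula"
    if is_formula(old):
        if LINK.findall(old) != LINK.findall(new):
            return "link-changed"
        return "formula-changed"
    return "value-changed"


def diff(before, after):
    """Cell-level difference analysis; formatting-only edits are not recorded."""
    changes = []
    for cell in sorted(before.keys() | after.keys()):
        old = before.get(cell, {}).get("v")
        new = after.get(cell, {}).get("v")
        if cell not in before:
            changes.append(Change(cell, "added", None, new))
        elif cell not in after:
            changes.append(Change(cell, "removed", old, None))
        elif old != new:
            changes.append(Change(cell, classify(old, new), old, new))
    return changes


def alerts(changes, range_rules):
    """Turn recorded changes into alerts for a reviewer to follow up."""
    raised = []
    for ch in changes:
        if ch.kind == "formula-to-constant":
            raised.append((ch.cell, "formula overwritten with hard-coded value"))
        if ch.kind == "link-changed":
            raised.append((ch.cell, "external link retargeted"))
        bounds = range_rules.get(ch.cell)
        if bounds and isinstance(ch.new, (int, float)):
            if not bounds[0] <= ch.new <= bounds[1]:
                raised.append((ch.cell, f"value {ch.new} outside {bounds}"))
    return raised


if __name__ == "__main__":
    recorded = diff(BEFORE, AFTER)
    for change in recorded:
        print(change)
    for alert in alerts(recorded, RANGE_RULES):
        print("ALERT", alert)
```

P5 produces no record because only its number format changed, which mirrors the distinction the report draws between substantive changes and formatting.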
As the company puts it: “what we provide is like a CCTV that watches activities and reports on them but the software does not play any sort of preventive role.”

Compliance reporting

On the compliance side, ClusterSeven is mainly focused on reporting and auditing, and Figure 3 shows one example of the built-in reporting capabilities, in this case demonstrating the series of users who have worked on a spreadsheet using the product’s client utility.

Figure 3: Monitoring which users have worked on the file

For each user-designated period a dashboard report (Figure 4) is available. This allows you to select integrity rules that have been previously defined and then view any changes that have broken these rules, while ignoring any other spreadsheet changes (though you can, of course, inspect these at any time).

Figure 4: Dashboard report

Drilling down from this dashboard takes you to the specific locations within the spreadsheet where integrity rules have been broken, as shown in Figure 5.

Figure 5: Drilling down to discover where integrity rules have been broken

Here, the full cell history behind each cell is also provided, enabling any change to be seen in the context of past activity. Thus, in Figure 5, which shows the results of clicking on cell P6, the lower panel displays how its values have changed across a series of events. You can see that Peter Murthwaite overwrote a function in this cell with a hard coded data value.

As a corollary to the fact that ClusterSeven understands spreadsheet relationships, you can also do impact analysis: see how other spreadsheets will be affected by a change in this cell. Further, because all changes to a cell are tracked over time, you can see the history of a cell and you can look at it in trend terms as the product provides time-based analysis capabilities.
This can be used for things like yield curves and, since this is particularly useful for spotting anomalies, for fraud detection and to ensure that traders are compliant in their activities.

Another major feature is that you can define rules that you can apply down to the cell level. These might be as simple as a range rule that says that the value in a particular cell must lie within a particular range or they can be much more complex than that. In either case, if the rule is broken, then you can define an alert to be raised. At present such alerts are typically just emails but in the next release (see later) you will be able to embed alerts into third party workflow products so that you can use these to trigger required actions.

There are a variety of other facilities: for example, you can look at changes not just by cell, spreadsheet or workbook, but also by user or by activity type. You can also track remediation tasks, roll back changes to a point in time, ask for comments from the originator of a change and so on.

In addition to capturing change information down to the cell level, ClusterSeven also captures all changes to macros. This is important because macros often comprise a large part of sophisticated spreadsheet applications: as much as 50 percent in some instances. Moreover, all you get as standard with Excel is a conventional editor. What ClusterSeven allows you to do is to not just track changes in macros but also to visually compare previous and new versions of a changed macro, with any changes being highlighted in an appropriate colour. Similar facilities exist for comparing different versions of the same spreadsheet and for comparing different spreadsheets.

User functions

ClusterSeven primarily markets its spreadsheet management to operational risk and compliance officers and IT departments.
However, it also provides facilities for business users and the principal benefit that ClusterSeven can offer these people derives from the fact that it understands the relationships that exist between spreadsheets, especially when these are hierarchically organised. In other words, the software makes it very much easier to understand how the spreadsheets work together.

Figure 6: Defining KPIs and KRIs

On top of this understanding the company has built specific features to leverage this knowledge. In particular, it means that you can define KPIs and KRIs (see Figure 6) that span multiple spreadsheets and which can be tracked across cells, workbooks and so on. These KPIs may then be presented in a portal or imported into a third party dashboard or scorecard for performance management and monitoring purposes. In effect, you can define metrics within a spreadsheet that you can roll up and monitor at a high level. Note that, as illustrated in Figure 2, ClusterSeven can also integrate with conventional reporting environments.

Product futures

As stated previously, version 4 of Enterprise Spreadsheet Management is scheduled for release in April 2007. Three notable new features will be:

1. Protected cell management—so that you will be able to see when a cell’s status (as opposed to its value) has been changed. In other words, you will be able to see when a cell is changed from locked to unlocked or the other way around.
2. Extended alert support—currently you can generate alerts and notifications when particular changes are made. You can also generate alerts if the software detects trend anomalies (that is, a change that breaks a trend) or if a rule is broken. In release 4, you will be able to build these alerts into workflows built using SharePoint so that you could automatically generate a remediation task, for example.
For non-users of SharePoint or for those using other workflow tools there will be an API to support this functionality within such third party environments.
3. Easier to use comparison capabilities—when you are doing comparisons between, say, different versions of the same spreadsheet or between spreadsheets, currently you will have both spreadsheets open in separate windows. This means that one window is active at a time and you have to actively move from one window to another. In this release, you will be able to move your cursor across the sheets without regard to this constraint.

The other major new feature that is planned is support for Windows Vista but this will be introduced as a point release.

Summary

Excel spreadsheets are seriously dangerous: they lead to fraud, non-compliance, costly business errors and more. The first thing that companies need to do is to treat operational spreadsheets as corporate resources: there needs to be at least an element of IT control. However, while putting appropriate procedures and processes in place (for example, for spreadsheet testing prior to deployment) is necessary it is not sufficient to meet the data governance and compliance requirements of today’s world: for that, an appropriate tool is required. For complex, large scale spreadsheet environments ClusterSeven is just such a tool.

Compassoft

Fast facts

The market for spreadsheet (and, indeed, EUC) solutions is broadly split into four areas: monitoring tools, which audit what anybody does to any spreadsheet at any time; control and compliance tools that extend monitoring to include security and management of who is allowed to do what; auditor’s tools that allow you to compare spreadsheets, detect errors in formulae, find out where data came from and so on; and automation tools that provide controlled development environments for creating new spreadsheet applications (but only new applications—no facilities are provided for existing spreadsheets).
Compassoft offers monitoring, control and compliance, and auditor’s tools for all spreadsheets within the organisation. The basic principle is that the company provides mechanisms to automatically discover all of your spreadsheets; helps you to assess what level of control is required for each spreadsheet (which can be passive, active or real-time depending on the importance of the spreadsheet); and then provides the relevant level of functionality to support that control.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• The first thing that you do with Compassoft is to discover the spreadsheets (or other relevant resources) that you have running. This process not only discovers the spreadsheets but also metadata about those spreadsheets. Compassoft uses advanced parsing technology that knows in depth about the resources it is discovering so that it can capture more detailed information about them.

• As a part of the discovery process Compassoft will uncover details of any worksheets that have been hidden within the spreadsheet, as well as such things as invisible cells (where data is white on a white background, say, or hidden behind a graphic). Moreover, one of the notable features of Compassoft is that the software will also highlight any spreadsheets with very hidden worksheets: these occur when worksheets have been deliberately hidden through programmatic means. As may be appreciated, these features are very important when it comes to detecting fraud.

• Once the initial discovery process is complete, the information garnered needs to be kept up-to-date. Compassoft allows you to do this either in real-time or using scheduled batch operations. This is a significant advantage over some other products that only offer scheduled capability.
Compassoft also maintains a history of what it discovers for change tracking purposes, and it also tracks accesses from spreadsheets to external data sources such as ERP systems.

• The validation and error checking capabilities (auditor’s tools) provided by Compassoft are extensive. We particularly like some of the visualisation capabilities provided.

• As noted previously, Compassoft supports the concept of different levels of control depending on the risk profile associated with particular spreadsheets. It would be useful to have a dashboard facility whereby you could see the current and on-going status of these so that you could monitor your progress over time.

• Compassoft supports the segregation of roles whereby authors, owners, editors and (internal) auditors have specific functions that they are allowed to apply to any given spreadsheet, within a standardised approval process.

The bottom line

Compassoft is the market leader for enterprise spreadsheet management. It has around 150 customers to date and, as far as we can determine, this is more than any other vendor. We are not surprised by this fact: the company has a comprehensive offering that covers all of the major requirements (other than automation, which is really a complementary function) for managing spreadsheets at a corporate level. It’s true to say that Compassoft does have competition but we expect the company to retain a leadership position within this market.

Compassoft Vendor information

Background information

Compassoft was founded in 2002 as a company specialising in the use of artificial intelligence, especially as that pertains to change management. However, the company soon saw an opportunity in the compliance arena for what the company describes as the “discovery, validation and control of end-user computing (EUC)”.
This applies not just to spreadsheets, for which the company first introduced a product in 2005, but also to other Microsoft Office applications such as Microsoft Access and to the pharmaceutical industry (FDA 21 CFR Part 11). The company uses a direct sales model in the United States but leverages partnerships elsewhere. It has over 150 customers.

Compassoft web address: www.compassoft.com

Product availability & support commitment

Compassoft markets three products: Compassoft Enterprise, Compassoft EXChecker and Compassoft DaCS (data acquisition control system). The products are formally in version 3.1 though this reflects the longevity of the Enterprise product rather than the others necessarily (EXChecker, for example, was acquired towards the end of 2005).

The products support versions of Microsoft Excel from ’97 through 2003. You can use them with Excel 2007 if you store spreadsheets in a traditional manner but not if you use the new XML storage capability in Excel. Full support of Excel 2007 can be expected during the course of 2007, as can support for Windows Vista.

Compassoft Enterprise license costs typically start in the low 6 figures (dollars) and can range into 7 figures. Compassoft EXChecker is included as a component of Compassoft Enterprise, or a less functional version can be licensed for stand-alone use, for which the price is around $1,000 per seat. Compassoft offers round-the-clock support through its overseas offices.

Financial results

Compassoft is a privately owned company that is backed by venture capital. It has something over 40 employees (and this number is increasing) located in offices in the United States, India and Australia, though these last two represent support rather than sales offices. The product is resold by ABB across Europe. The company also has a number of technology partnerships, most notably with EMC (Documentum) but also with SAP and Microsoft.
Compassoft Product description

Introduction

The different elements of Compassoft’s solution, and their major functions, are illustrated in Figure 1. The Compassoft DaCS product is a plug-in specifically for those spreadsheets that are mission critical, or high risk, that are going to be controlled in real-time. In practice, Compassoft describes its solution as being about discovery, validation and control and we will use these headings to discuss the product suite rather than by product, since there are clearly overlaps between the products in certain areas.

Discovery

One of the major problems with spreadsheets (and other EUC assets) is that they are not centrally managed. And, because they are not managed in any co-ordinated way, they tend not to be documented. Put simply, this means that most enterprises will have spreadsheets that they (as an organisation) know nothing about. Needless to say, if you do not know of the existence of some (or many) of your spreadsheets then you will not be in a position to manage, audit or control them. So, the first thing that you need to do is to discover the spreadsheets that are actually in use.

However, it is not as simple as discovering spreadsheets per se. Many spreadsheets will have links to other spreadsheets or will be versions of one particular spreadsheet. In order to take control of the spreadsheet environment you need to understand all of this. You also need to know details about individual spreadsheets such as who the owner is, whether there are associated macros, if there are hidden sheets or very hidden sheets (the latter being where a programmer has hidden the sheet rather than just using Excel’s features), if there are invisible cells (white on white, say, or hidden behind graphics), and so on.
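Several of the details listed above (hidden and very hidden sheets, associated macros, links to other spreadsheets) can be read directly from a workbook file. The following is an added example, not Compassoft's code and not part of the original report: it assumes workbooks saved in the Excel 2007 XML package format, where each sheet's visibility is the state attribute in xl/workbook.xml, and the sample workbook, its sheet names and the size cap are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MAX_PART_BYTES = 5 * 1024 * 1024  # assumed cap: refuse oversized parts (zip bombs)


def inspect_workbook(data):
    """Return discovery metadata for one workbook, or None when the bytes are
    not a readable XML-format package (for example a legacy binary .xls)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            info = pkg.getinfo("xl/workbook.xml")
            if info.file_size > MAX_PART_BYTES:
                raise ValueError("xl/workbook.xml is larger than the allowed cap")
            # For untrusted files, a hardened parser such as defusedxml is preferable.
            root = ET.fromstring(pkg.read(info))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None

    # A sheet with no state attribute is visible; "hidden" can be undone from
    # Excel's menus, "veryHidden" can only be set or cleared programmatically.
    sheets = {"visible": [], "hidden": [], "veryHidden": []}
    for sheet in root.iter(f"{{{MAIN_NS}}}sheet"):
        state = sheet.get("state", "visible")
        sheets.setdefault(state, []).append(sheet.get("name"))

    return {
        "sheets": sheets,
        # A VBA project part means the workbook carries macros.
        "has_macros": "xl/vbaProject.bin" in names,
        # Each external link part describes a reference to another workbook.
        "external_links": sorted(
            n for n in names
            if n.startswith("xl/externalLinks/") and n.endswith(".xml")
        ),
    }


def review_flags(meta):
    """Turn the metadata into human-readable reasons to review the workbook."""
    flags = []
    if meta["sheets"]["veryHidden"]:
        flags.append("very hidden sheets: " + ", ".join(meta["sheets"]["veryHidden"]))
    if meta["sheets"]["hidden"]:
        flags.append("hidden sheets: " + ", ".join(meta["sheets"]["hidden"]))
    if meta["has_macros"]:
        flags.append("contains a VBA project")
    if meta["external_links"]:
        flags.append(f"{len(meta['external_links'])} external link part(s)")
    return flags


def build_sample():
    """Build a minimal constructed package in memory (not a complete workbook,
    only the parts this inspection reads)."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Adjustments" sheetId="2" state="hidden" r:id="rId2"/>'
        '<sheet name="Offsets" sheetId="3" state="veryHidden" r:id="rId3"/>'
        '</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml", workbook_xml)
        pkg.writestr("xl/vbaProject.bin", b"\x00")
        pkg.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in review_flags(inspect_workbook(build_sample())):
        print(reason)
```

Invisible cells (white text on a white background, or data behind a graphic) need the style and drawing parts as well and are outside what this example reads.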
Now, all of this would be a horrendous exercise if you attempted it manually and it would probably be impossible, but Compassoft automates this process across servers (UNIX or Windows), desktops, notebooks and so on. As may be imagined, it can be a lengthy process to search through a large company’s entire network, so Compassoft has a facility to throttle its discovery software so that, in a typical installation, you would run discovery at maybe 2 or 3% of capacity for the first month to discover all of the spreadsheets, rather than trying to do this all at once.

Figure 1: Elements of Compassoft’s solution

However, initial discovery on its own is not enough as you need to keep on top of any changes that occur, so you would now normally ramp up the Compassoft software so that you recognise any changes that may take place in real-time (at least, for highest risk spreadsheets). Alternatively, there is also a scheduled option whereby, perhaps, you simply check for changes overnight. Depending on the environment, either method may be appropriate but this gives Compassoft a significant advantage over some of its competitors that can only offer a scheduled option.

What the discovery process actually does is to take a snapshot of each spreadsheet that it discovers and then this is encrypted, compressed and stored in a secured database (either using one designated by the user or a supplied internal Compassoft database). Alongside this snapshot, metadata about the spreadsheet is captured, as previously discussed, including relationship information such as what relates to what, where the data originates, what data feeds other applications, and so on.

Figure 2: Maintaining a historical record

Finally, note that as discovery is run on an ongoing basis you will take snapshots of spreadsheets as they change.
This will enable you to identify structural changes (new columns or rows), reference changes (to data locations and to other spreadsheets) and property changes (ownership transfers, change of location, formulae changes). Figure 2 shows the historical record maintained by Compassoft with application location, properties, summary analytics, review status, dependencies and so on. Note the tabs showing the different sorts of EUC supported.

It is also important to recognise some types of reference changes in real-time: for example, if a database schema changes then any spreadsheet referencing that database may run incorrectly. Compassoft can alert you to conditions such as this, when they occur.

Validation

Validation is about ensuring the accuracy and validity of your spreadsheets, and also helps in the process of deciding which spreadsheets should be put under what sort of control. There are a variety of capabilities provided for this purpose, as follows:

• Spreadsheet complexity analysis—the simple fact is that the more complex a spreadsheet is the more it is likely to have errors in it. According to PricewaterhouseCoopers any spreadsheet of more than 200 rows has a greater than 90% chance of errors. But that’s just size; there are also considerations with respect to the use of macros, the number and complexity of formulae, the amount of referencing to other spreadsheets and dependencies on outside data sources, amongst others. This function will help you to determine the complexity of any spreadsheet and, therefore, the risk associated with it. This capability will therefore help in deciding which spreadsheets should be under what sort of control.

Figure 3: Rules, template and policy enforcement

• Rules, template and policy enforcement—this allows you to specify that a particular spreadsheet must conform to certain rules (for example, that a cell value must lie within a particular range (see Figure 3) or must be based on such-and-such a template).
• Automated error discovery—while not all errors can necessarily be discovered by any tool, many can. Rules enforcement will prevent some errors but there are also errors that can be detected such as circular references, formulae referring to non-numeric data and so on.

• Graphical tracking—there are a variety of visual means provided to discover various facets of a spreadsheet. For example, you can visually see when adjacent cells have different formulae in them (which may, but may not, represent an error). There is also a Precedent Walker, as illustrated in Figure 4, which allows you to see where the data in any cell has come from. Similarly, there is a Dependency Walker so that you can see the whole lifecycle of any piece of data and there are visualisation capabilities to support both formula flows and impact analysis.

Figure 4: The Precedent Walker

In addition to validation per se, this part of Compassoft’s suite, along with its other components, will automatically generate documentation about the spreadsheets under inspection, and you can also append both notes and bookmarks to spreadsheets, as required. Within an approval process (see the ‘Control’ section) you can enforce a requirement to add notes explaining changes, if you want to. There are also facilities to raise alerts, where required.

As previously noted, Compassoft provides the ability for you to define approval processes and this can be augmented by the product’s support for electronic signatures (see Figure 5). The way that these can be deployed is flexible: for example, you can implement multi-stage signatures within an approval process and it is also possible to require an electronic signature for just a part of a spreadsheet.

Control

While it is useful to have an inventory of all corporate spreadsheet assets it would not be reasonable, in a large organisation, to attempt to take detailed control of every single one.
Normally this will be limited to spreadsheets that are mission critical, those that have high risks associated with them or those that are specifically mandated for oversight thanks to laws such as Sarbanes-Oxley or through the requirements of regulatory bodies. As already discussed, the product’s validation capabilities can help you to assess which spreadsheets are most at risk, but which ones to take under active or, more particularly, real-time control, is primarily a business decision.

For those spreadsheet (and other) assets that you take under full control there are a number of additional facilities provided through use of the Compassoft DaCS plug-in. This provides role-based security, version control down to cell level, real-time logging with timestamps (at the moment of change, not when the spreadsheet is saved) and check-in and check-out. This last is important because it allows multiple people to work on the same spreadsheet in a controlled fashion. Many other vendors providing version control do not offer check-in/out.

Figure 5: Support for electronic signatures

Summary

The key point to note about Compassoft is that it can do all of the major things required to take control of existing spreadsheet mayhem, and manage that on an on-going basis going forward. As the market for enterprise spreadsheet management expands (and we expect it to do so rapidly in the next few years) the company is well placed to capitalise on that growth.

Lyquidity ComplyXL

Fast facts

ComplyXL is a tool for gaining insight and greater understanding of your spreadsheets. However, this has a potentially greater benefit than merely ensuring that you comply with regulations such as Sarbanes-Oxley.
For example, HM Customs and Excise describes in its “Methodology for the Audit of Spreadsheet Models” cases when auditors need to do no more than a routine audit of spreadsheets and, conversely, when spreadsheets require more detailed (and extremely laborious and expensive) testing: thus the use of a tool such as ComplyXL can directly impact on auditors’ fees to reduce costs. Further, because the spreadsheet is better understood it is easier to spot errors within a spreadsheet and thereby eliminate or reduce the consequential costs that occur when erroneous business decisions are made based on the faulty information provided by error-prone spreadsheets.

At present, ComplyXL does not understand the concept of hierarchies, which will make the product unsuitable for environments where you are using spreadsheets for consolidation, for example. Typically, ComplyXL should be seen as a product that is most suitable for SMEs (small to medium sized enterprises) and departmental implementations in larger companies.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• ComplyXL provides an auditing facility for spreadsheets that allows you to track all the changes that are made to a spreadsheet (including changes to associated functions such as macros). Lyquidity describes this function as version control though it would be more accurate to call it snapshot management.

• ComplyXL has facilities to allow you to visually compare any particular changes of interest, whether these are for formulae, macros, changes to locked cells or whatever.

• You may also view the history of a spreadsheet with both changes and approvals.

• There are two versions of the product (but a single licence fee): one for internal use and one for external third parties such as auditors.
• Apart from support for hierarchies the main additional feature that we would like to see Lyquidity add to its product is the ability to discover existing spreadsheets so that they can be taken under its embrace, so to speak.

• In addition to its compliance functions, ComplyXL also includes a Formula Viewer that makes formulae easier to understand so that errors can be more easily investigated and identified.

The bottom line

It is important to put ComplyXL in context. Enterprise spreadsheet compliance solutions, with all of the functions that one might expect, typically cost 2 to 3 orders of magnitude more than ComplyXL: that is, they are hundreds to thousands of times more expensive. In our view, these products are not hundreds to thousands of times better than ComplyXL. Moreover, while there is a significant gap between ComplyXL and these higher-end products, a large part of that differential is due to the lack of understanding of hierarchies; as we understand that this is an issue that Lyquidity is already considering how to address, we can expect that gap to narrow significantly. This will mean that while ComplyXL probably offers better value today than some of its more well-known competitors, in the right circumstances, that is even more likely to be true tomorrow.

Lyquidity ComplyXL Vendor information

Background information

Lyquidity was originally established in 2001 to provide contract programming to companies such as Microsoft and AXA Insurance. However, the company’s founders had backgrounds in business intelligence and financial applications and soon recognised the need for an answer to the spreadsheet management problem engendered by the popularity of Microsoft Excel. As a result, they started to develop what became ComplyXL, which was launched in spring 2006.

Product availability

ComplyXL is currently in version 1.5 and there are two versions of the product, both of which are provided for the licence fee.
These versions are the Standalone Version and the Excel Add-in Version. The former is intended for auditors and similar professionals who need to be able to connect to and inspect third party spreadsheets, whether for conventional auditing purposes or to support such things as compliance with Sarbanes-Oxley. The latter, on the other hand, is for internal use in conjunction with your own spreadsheet environment. The main difference between the two products is that the Excel add-in can automatically save new versions of a spreadsheet as they are amended while with the Standalone product this can only be done manually (after all, these may not be your spreadsheets that you are inspecting). Typically, the Standalone version is copied onto a USB memory stick for use and it integrates with Excel via Internet Explorer without needing Excel installed on the user’s system.

The company’s business model is “try before you buy”, with free downloads available from the company’s web site so that you can try the product out for a limited period before licensing it. Pricing is based on a user and server basis but the whole is relatively inexpensive, with a licence for unlimited use being currently $8,995.

In general, Lyquidity is closely tied to a Microsoft environment (Windows 2000 Service Pack 2 or later) with the product having been developed in C# and .NET. That said, Linux web servers (Tomcat) are supported by the Standalone version.

In the current version of ComplyXL spreadsheet versions are stored in Excel; however, the company is planning to introduce an Enterprise Version of the product in the near future that will use a relational database (Oracle, MySQL or SQL Server) to store versions in. Details of the pricing for this license are not yet available.

Financial results

Lyquidity is private and self-funded. At present it consists of only a handful of people, though they are variously located in the UK (head office), Germany and the United States.
Thanks to Sarbanes-Oxley the United States is probably the company’s biggest market.

Lyquidity web address: www.lyquidity.com

Lyquidity ComplyXL Product description

Introduction

Lyquidity has two major elements: various facilities for managing and comparing worksheets, workbooks and versions, which can loosely be defined as providing spreadsheet management; and the Formula Viewer which, as its name suggests, is intended to provide insight into the formulaic aspects of spreadsheets. We will discuss each of these in turn. However, before we do so, we should mention one limiting factor in ComplyXL, which is that it does not understand hierarchies, at least in the present release. If you only make occasional use of these then that may not be an issue but if you use them extensively then ComplyXL will not be suitable for your environment.

Spreadsheet management

ComplyXL is intended, as its name suggests, to support compliance with Sarbanes-Oxley and other regulatory standards. To do this Lyquidity provides version control. If you are using the plug-in version of ComplyXL then the process of saving a version may be automated so that a new version is created whenever a spreadsheet is saved but you may also do this on a manual basis. This has to be the approach if you are using the stand-alone version of the product. In both cases the version is not limited to the spreadsheet per se but also includes associated elements such as macros, so the versions can be used to track changes in macros as well as changes to the visible spreadsheet.

When you save a version (whether automatically or not) the software will give you the option to append a comment to the snapshot. By default the user will subsequently work with this latest version. In the forthcoming Enterprise Version of the product, when a user opens a workbook document a check is made to see if the document being opened has been changed on the server.
If there is a later version the user is alerted and has the option to retrieve the most recent version. Note that this behaviour is consistent with Microsoft’s SharePoint Services versioning. The Enterprise version will also offer the administrator the option to control whether or not added versions can be made at any time, security permissions permitting, or only if the user is working with the latest version as held in the repository.

Figure 1: Managing versions in ComplyXL

As shown in Figure 1, there are facilities to add a version, export a version, review a version, delete a version, revert to a version, as well as saving a version to your clipboard. Note how the date, person and comments are shown.

In order to view changes, Lyquidity provides a reporting tool that allows you to visualise changes that have been implemented within a spreadsheet and to review the history of a spreadsheet, including changes and approvals. In the case of viewing changes, ComplyXL includes a worksheet comparison capability, which includes a function excluder so that routine changes are excluded as well as a change filtering capability that can be used to highlight differences in macros, formulae, locked and unlocked cells, blank cells and so on. This is illustrated in Figure 2.

Figure 2: Screenshot of the worksheet comparison facility

Note that this is an overview of the whole worksheet. On the right hand side is the scroll bar. The background to the scroll bar is a map of the rows of the worksheets. Each row containing one or more differences is represented by an orange line in the scroll bar background. One of the most powerful features of the graphical display is its ability to alter the criteria that identify two cells as different. Using this feature you can have the graphical display highlight only those differences that are of interest (see the bottom of the screenshot).
Also, as the mouse moves over the graphical display a note providing summary information about the cells under the mouse cursor is displayed. While this may be enough to help the user identify the main cause of a difference, more detailed information about the cell may be required. For this purpose the ComplyXL graphical display includes a section that is able to display all known information about the differences between two cells represented in the display.

Formula Viewer

The Formula Viewer is designed to help you understand the logic built into your spreadsheets and, thereby, help you identify and correct errors. Typically, in Excel, formulae are not easy to understand, at least in part because they are written in a single line. For example, =IF(Sum(EU9:EU10)<EU11,0,Sum(EU9:EU10, EV9:EV10)EU11) is not exactly transparent. The Formula Viewer, on the other hand, presents this in a nested, hierarchical fashion, with values inserted (as shown in Figure 3) so that it is much easier to understand what is happening.

The display is updated automatically as you move from cell to cell and as formulas are updated so that you can see the structure of any formula. Moreover, you don’t just have to do this after the fact: you can also have the Formula Viewer open while you are inputting or amending formulae, and changes and additions will be automatically reflected within the Viewer. Further, you can collapse parts of a formula that you are satisfied with, allowing you to focus more closely on any problem areas, and different elements of a formula are presented in different (customisable) colours.

Alternatively, rather than starting with a formula you can start with an error by clicking on a cell within the spreadsheet that is displaying an error, which will bring up the relevant formula. Now, because the Viewer shows values, finding errors can be relatively trivial.
For example, you might find a component cell within the Viewer that is returning a value of #NAME?, which immediately lets you know that you should drill down into that cell. Within the Viewer you can drill into any cell references that are included in a formula and, where relevant, the product will offer you display options such as whether you want to see an array of cell values or a list of cells that make up a particular range. An exploration history is visually maintained so that you can easily navigate back to earlier stages in your investigations either by directly clicking on the relevant item or by using the back button provided.

Figure 3: The Formula Viewer

Finally, you can take a copy of the exploded view provided by the Viewer and paste that into a separate document at any time, perhaps for documentation purposes.

Summary

Lyquidity is a small company with some good technology. However, like most such vendors its biggest problem in the longer term will be marketing. At the moment, the company is very much focused on getting its technology right, and that is fair enough, but we are pleased that Lyquidity seems to be aware that it will need to encompass a more balanced stance between technology and marketing in the future. If the company can get that right then it should achieve the success that its technology merits.

ABS for Spreadsheet Compliance

Fast facts

There are two major categories of spreadsheet management products: control and compliance tools and auditor’s tools. The former provide version control, security, auditing and so forth while the latter provide facilities for checking formulae, discovering errors, complexity assessment and so on. Some products combine these two sets of capabilities while there are others that have a narrower focus such as security only or monitoring only.
There is also a third class of product, known as automation tools, which are designed to provide a development environment for building new spreadsheet applications.

Mobius ABS for Spreadsheet Compliance is a spreadsheet compliance and control solution. It is designed for you to control who can do what to your spreadsheets, to monitor and audit what they actually do, and to ensure that you maintain consistency across linked spreadsheets.

The bottom line

Mobius faces competition from a number of other direct competitors, several of which have a longer history within the market and which include facilities such as discovery capabilities and auditor’s tools. However, on the one hand Mobius will be introducing automated discovery into ABS for Spreadsheet Compliance within the next few months and, on the other, auditor’s tools are widely available for a few hundred dollars. For these reasons we do not see the current lack of these features in the Mobius product as a problem. In particular, Mobius has a long history in retention management and compliance, and this is reflected in ABS for Spreadsheet Compliance. Moreover, the company has a large existing user base that it can be expected to sell this solution into. Thus, despite its relatively recent entrance into the market, we expect to see Mobius gaining marketing momentum over the coming months and years.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• The first thing that you want to do when taking control of your spreadsheets is to find out what spreadsheets you have. Mobius does not yet have an automated discovery tool for this purpose but it expects to be introducing such a product during the course of 2007. Once discovered, you can use auditor’s tools to decide which spreadsheets need to be brought under central control.
• Once you know which spreadsheets need to be taken under management, Mobius provides facilities for automating the process of loading those into the ABS for Spreadsheet Compliance environment. The product is particularly strong in terms of its retention management (the company’s background), version control and allied capabilities.

• ABS for Spreadsheet Compliance provides complete auditing capabilities, including the ability to add electronic signatures as part of its supported sign-off mechanisms. There is also a reporting tool that allows you to make ad hoc enquiries against the user log.

• The product includes workflow-style capabilities to provide review and approval processes that include support for a segregation of roles (which is best practice) across authors (owners), editors, (internal) auditors and users.

• We particularly like the template capabilities provided that allow frequently used spreadsheets to be reused on the basis of these templates rather than relying on making copies and the dangerous practice of ‘zeroing out’.

• Extensive security capabilities are provided, including the User Manager through which you define (on a tick-box basis) user permissions. The User Manager integrates with LDAP directories and with Microsoft Active Directory.

ABS for Spreadsheet Compliance Vendor information

Figure 1: Mobius Records Management

Background information

Mobius is 25 years old (it was founded in 1981) and its background is in document, records and content management and, more broadly, in managing digital information in general.
Figure 1 illustrates the breadth of Mobius’ capabilities. As a significant part of the company’s activity it has developed relevant compliance solutions for archival, record and email management and so forth and, in particular, in 2002 it introduced the Mobius Audit and Balancing System (ABS) as a data quality control tool that automates cross-platform, cross-application report balancing with full audit capabilities. In 2006 a specific version of the ABS product was introduced to provide enterprise spreadsheet management, known as ABS for Spreadsheet Compliance.

The company uses a direct sales model and although it is early days for the ABS for Spreadsheet Compliance product, the company has nearly 1,400 existing customers world-wide that it can leverage. This is in sharp contrast to most other vendors of spreadsheet management solutions, which tend to be much smaller, specialist suppliers that do not have an existing user base to exploit.

The company reports that sales in the United States are primarily to financial departments where there are concerns about Sarbanes-Oxley and other relevant regulations. Outside the United States it has reported more widespread enterprise level interest in its solution.

Mobius web address: www.Mobius.com

Product availability

The current version of ABS for Spreadsheet Compliance is 4.2, although that represents the longevity of the ABS solution as a whole rather than the spreadsheet product itself. It is sold either as a stand-alone application or in conjunction with Mobius ViewDirect, which is the company’s records management solution. The advantage of the latter approach is that it provides a richer archival capability so that, for example, you can store notes along with your spreadsheets within ViewDirect whereas ABS for Spreadsheet Compliance has a more limited capability.

The product does not yet support Excel 2007 although this is expected later during 2007 and at the same time we can expect to see support for non-Mobius repositories (particularly SharePoint—Mobius has a partnership with Microsoft). Expected rather sooner (mid-year) is an inventory utility that will automatically discover existing spreadsheets along with relevant metadata.

ABS for Spreadsheet Compliance is available in a free trial version that includes both installation and training. A typical price for a complete installation would be in high five or low six figures.

Financial results

Mobius is a public company traded on the NASDAQ. In 2003/4 it made a profit (net income) of $4.8m but this turned into a loss of $2.7m in 2004/5. In its most recent year, 2005/6, the company turned this around to the extent that net income was once again positive at $2.1m on total income that increased to $89.2 compared to the previous year’s $77.7m. In the current financial year this improving trend continued in the first quarter but, in the second quarter, despite increased revenues, the company recorded an operating loss though net income was actually improved compared to a year previously, thanks to an advantageous tax position. According to the company’s CEO this was, at least in part, due to “the learning curve associated with new direct sales staff added and delays in executing on our new channel sales program”. Hopefully, the latest results are merely a blip. Moreover, recruitment of both direct and indirect sales staff bodes well for the future.

The company is headquartered in the United States and has 450 employees. It has offices in Australia, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland and the UK, and it also has agents across South and Central America, the Far East and in South Africa and Portugal. However, these partners specialise in Mobius’ document and content management products rather than its spreadsheet solution.
For this product, Mobius has a number of partners in the US (including Deloitte and Grant Thornton, amongst others) and Protiviti in the UK.

ABS for Spreadsheet Compliance Product information page 55

The first thing that you want to do when you have decided to take control of your spreadsheets is to discover what spreadsheet assets you already have. At present Mobius does not offer such an automated discovery mechanism though this is planned for release during the course of 2007, so this will be a manual process for the moment.

Once you have discovered your spreadsheets you need to determine which of them need to be brought under central control. While you might wish to do this for all such assets eventually, the sheer number of spreadsheets present in most organizations means that it is likely that you will want to do this in an incremental fashion, beginning with those spreadsheets that are most mission-critical or represent high risk to the business, as well as those that you need to manage for compliance reasons. In part this is simply a business decision for which no software can provide assistance but it may also be a function of the complexity (references, formulae, macros and so on) and size of the relevant spreadsheets. A number of inexpensive auditor’s tools are available on the market to help with this analysis.

Once you know which spreadsheets you want to actively manage then Mobius provides the ability to import either single spreadsheets or entire folders into the ABS environment, where the product’s central repository mirrors the original folder structure so that users will see no difference to their use of spreadsheets.

Repository

Unlike other vendors in the spreadsheet management market Mobius is a specialist in records retention management and it offers facilities in its repository that go further in its capabilities than most competitive products. In particular, you can use the company’s retention management features for managing the archival of spreadsheets over whatever period is necessary. We know of no other vendor in this market that has such a capability.

In addition, while most vendors of spreadsheet management solutions offer some sort of version control, this is rarely comprehensive: often it relies, at least in part, on Microsoft SharePoint. Mobius, on the other hand, provides all the sorts of features you would expect from a comprehensive version control system without requiring you to use SharePoint (though the company will support SharePoint as an option later in 2007). In particular, ABS includes full check-in/checkout capabilities, which most other vendors do not. The advantage of this is that it means that multiple authors, editors and auditors can work on the same spreadsheet in a managed fashion. The use of a full version control system also means that you can enforce usage of the most current version of a spreadsheet.

The repository also stores a complete audit trail (see Figure 2) of all changes to a spreadsheet along with who made what change and when. If there are any formulae that auditors have highlighted as problematic, then any changes to these can be identified separately. Note that while you can sort the results of this audit for presentation purposes it is not possible to turn this auditing function off. The audit trail is a part of the review and approval process (see next section) in ABS.

Figure 2: Complete audit trail of repository

Further, you can query the system audit log, as shown in Figure 3, at any time. This allows you to define your own reporting requirements via the product’s Report Manager. So, for example, you could run a report looking at all activity by a particular individual or you could look at all items that were rejected. This sort of capability can be useful for fraud detection. In addition to its audit trail, the repository also records details of each time that each spreadsheet was ‘run’.

Figure 3: The system audit log

As previously noted, while ABS has its own repository and can be used as a stand-alone product, it can also be implemented in conjunction with ViewDirect, which will enable such things as notes, approvals and so forth to be stored in the repository alongside the spreadsheets to which they refer.

Workflow

In the previous section we have referred to both approvals and a variety of different types of people that may interact with spreadsheets. These are all enabled through ABS’ workflow capabilities, which allow you to set up approval processes and to ensure that roles are segregated between authors (owners), editors, (internal) auditors and users.

The workflow in ABS does not use a graphical palette for defining your processes. Normally, we would criticise this approach as we find a graphical approach to be more intuitive. However, bearing in mind that this is an Excel environment, then it seems reasonable to use Excel for this purpose, though Mobius has needed to add some additional (non-Excel) facilities such as the review/approval screen illustrated in Figure 4. Here you can see a typical approval process in which there may be many people within the workgroup that wish to review the spreadsheet but only one person is authorized to approve or reject it. In some cases, where segregation of duties is formally applied, for example, then there may be multiple stages in the approval process.

Figure 4: Review / approval screen

Additional facilities include the ability for reviewers or others to append comments to a spreadsheet and a facility to add an electronic signature to certify that this has been approved (which is important for Sarbanes-Oxley compliance). Further, you can use this workflow to automate financial close activities such as reconciliation.

Consistency

The third aspect of ABS for Spreadsheet Compliance is consistency.
In this respect, ABS addresses the problems that arise when spreadsheets are reused on a periodic basis. What tends to happen when a spreadsheet is used monthly (for example) is that the previous spreadsheet is ‘zeroed out’ and then reused. The danger is that when you do this you may delete formulae or formatting details by mistake. In order to prevent this, ABS supports the use of templates. This allows you to build a template, complete with all relevant formatting, formulae and so forth, which can be deployed as required. At the same time you can lock all the cells (or worksheets) that users should not touch leaving them simply to input relevant data into allowed cells. The net effect is that you reduce the likelihood of errors.

In addition, there is the issue that spreadsheets often include links to other spreadsheets and you need to ensure that when you update one spreadsheet that all linked spreadsheets are similarly updated, as appropriate. Further, what if one spreadsheet has been taken under central control but linked spreadsheets have not? In order to resolve these issues Mobius includes all details of external links within its repository to ensure consistency of updating. This facility will also highlight broken links where the linked spreadsheet has not been updated when it should have been.

Security

Finally, ABS for Spreadsheet Compliance provides access control and security. We have already considered some aspects of this, as in the use of templates that allow developers to lock cells and worksheets so that users can only update those details that they are allowed to access. However, as we have discussed, there are multiple roles that interact with spreadsheets and there are also a wide number of actions that these various people might want to perform. In order to provide support for these, Mobius provides its User Manager, illustrated in Figure 5, which allows administrators to define relevant permissions in an easy-to-use manner. Note that ABS integrates with LDAP directories and Active Directory so that you can reuse details (such as passwords) therefrom.

Figure 5: The User Manager

Summary

Mobius is in an interesting position with regard to the enterprise spreadsheet management market: on the one hand it is a relatively late entrant and it has relatively few users; on the other, it is a well-established public company with a large and prestigious user base. However, it is only just recently that the market has really started to take off and if we take lessons from other markets in a similar position we can see that early entrants are frequently overtaken by established players that come into the market later. In our opinion, it is very likely that the same will happen to Mobius. While there are other companies in this sector that have some longevity, none of them have the size or international reach of Mobius. We therefore expect Mobius to become a leading vendor in this market within a relatively short space of time.

Operis Analysis Kit (OAK) Fast facts page 58

The market for providing complementary products to Microsoft Excel comes from two directions: business intelligence vendors aiming to provide additional functionality, especially in the area of automation and development, and a second group of suppliers that address this market from the perspective of governance and compliance, providing the auditing, security and control that is lacking in Excel. In this latter category there are two broad categories of products: control and compliance tools and auditor’s tools.

The Operis Analysis Kit (OAK) is a suite of tools that addresses the auditor’s market. That said, Operis’ background is in financial modelling either at a corporate or at a project level and OAK has been developed to assist in that process both from an analysis and a development perspective. This could mean that OAK would represent overkill for some types of auditing requirement where spreadsheets are only used for relatively simple purposes. In addition, OAK also includes features that will make the developer’s life easier as opposed to those for pure auditing purposes.

Bottom line

Operis has a significant number of companies using its product (around 500), which is substantial given that OAK is not the company’s primary focus. In particular, the product has model-specific features (notably the summary report, see later) that we have not found in other tools in this class, which is why OAK is evidently popular amongst financial modellers. However, for more general use, OAK is at the top end of the price bracket for auditor’s tools and lacks some of the functionality that other vendors can offer, albeit that we prefer the visualisation offered by Operis.

Operis Analysis Kit (OAK) Vendor information page 59

Vendor background

Operis is a UK-based consulting firm that was founded in 1990. It specialises in corporate and project finance, working in a number of vertical sectors, with services that include financial modelling, model audit, training, and tax and accounting services. As a part of these services the company developed what is now OAK for internal use in 1992. As far as we know, this makes OAK the oldest established spreadsheet management product on the market, though it was not the first to be made commercially available.

Product availability

OAK was first formally released in 1998 with version 3 being launched in 2004. The current version of the product is 3.50, which has just been released (Spring 2007). This is entirely written in C# (a migration to which has been ongoing for some time).
The product supports Excel ’97, 2000, 2002 and 2003/XP users. Support for Excel 2007 will be introduced with version 4.0 later this year.

Free trial downloads of OAK are available through the company’s web site with prices for a fully licensed version starting at £395, with discounts for multiple licenses. However, the details provided about the product on the site are sparse and it is most likely that customers will be introduced to the product through Operis’ consulting services. One notable customer, not least for its research into the requirements of spreadsheet management, is PricewaterhouseCoopers, which has a licence covering all of its staff in Germany and the UK.

Operis web address: www.operis.com

The company’s policy is that free upgrades are provided for each version of the product within the same numbered series, these upgrades being made available roughly every three to four months. Thus, if you had licensed version 3.20 then upgrades to 3.30, 3.40 and 3.50 would have been free. However, there is normally an upgrade charge to move from one major version to another: currently £89 to migrate from earlier versions to version 3. The same can be expected for version 4. Support is via email and there is also a web link for feedback. Internationalisation is supported.

Operis Analysis Kit (OAK) Product description page 60

Introduction

Operis describes OAK as a product that helps in both the analysis and development of spreadsheet models, though in the latter case these are helpful utilities rather than the automated development environments that are provided by some (much more expensive) products.

Analysis tools

There are a number of tools in this category, of which the most significant are as follows:

• Model mapping—this is designed so that you visually inspect a spreadsheet to see where formulae have (or have not) been copied across cells, to show text constants and so forth.
Unlike some other tools of this type, OAK uses (customisable) colour coding as well as symbols (as shown in Figure 1) to show the relationships that exist between cells (and errors), which we find to be much more intuitive than other approaches.
• Formulae functions—there are a number of these, including facilities to determine where best practice rules have been broken (for example, where two worksheets both contain formulae that reference each other), the ability to see precedents (but not dependents), formulae ranking in order of complexity, a formula optimiser that removes redundant elements from a formula, and a tool to locate formulae that are the sources of error values.
• Summary report—this details the composition of any particular model with details that include the number and names of sheets, together with statistics such as how many merge cells there are, how many array tables and so on. An example is illustrated in Figure 2.

Figure 1: Using colour coding and symbols showing relationships and errors

Figure 2: Workbook summary report

In addition, there are a number of other tools, including a Spreadsheet Comparison tool that allows you to inspect the differences between two versions of the same spreadsheet or two different spreadsheets, a tool to identify all cells that are not used in calculations, the ability to identify and display hidden sheets and cells, and various features that enable the discovery of errors.

Development utilities

There are extensive features provided in support of names including abilities to:

• Modify names to correct misspellings.
• Define local names.
• Apply (and de-apply) multiple range names.
• Delete multiple names.
• Replace range names with cell references throughout a worksheet.

In addition there are facilities to reproduce formulae and to insert or delete rows or columns through arrays. In the latter case there is an extended facility that automates deletions based on having compared two versions of the same spreadsheet.

Summary

Operis is not primarily a software provider. It is likely, therefore, that the product could be used much more widely than it is. However, it does have features that will not be useful for all spreadsheet users. On the other hand, as we have noted, there are features found in other products that are not in OAK. If you are a financial modeller you should certainly consider the use of OAK. If not, OAK may still be suitable but you will need to ensure that the product matches your requirements and that it is not an issue that the product has features that you may not need.

Prodiance Spreadsheet Compliance Fast facts page 62

Prodiance Spreadsheet Compliance consists of a suite of products that forms a subset of the Prodiance Enterprise Compliance Platform. The main two products within the Spreadsheet Compliance suite are Prodiance Spreadsheet IQ, which provides spreadsheet discovery, inventory and analysis capabilities, and Prodiance Spreadsheet Compliance Manager, which provides control and compliance capabilities. These may be implemented independently or together. In addition, these are complemented by Prodiance Link Migration Manager and Prodiance KPI Dashboard.

You may also choose to use other components of the Prodiance Enterprise Compliance Platform as a part of a spreadsheet management solution, most notably Prodiance BPM (business process management), which provides workflow capabilities. You might also choose to use Prodiance’s own content management software for version control and similar capabilities, though both Microsoft SharePoint and EMC Documentum are also supported.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• When taking control of your spreadsheets the first thing to do is to discover where they are and what they are.
Prodiance offers federated search and inventory reporting capabilities built into Spreadsheet IQ (it is actually licensable as a separate product as well) that will do this.
• Once discovered, spreadsheets need to be integrated into the content management repository. This can be dangerous because it is often the case that spreadsheets have links to one or more other spreadsheets and these links can easily be broken if migration is a manual process. And, of course, such a process is time consuming and tedious. Prodiance provides its Link Migration Manager to not only automate the process of moving spreadsheets into the repository but also to ensure that all links are maintained correctly.
• Spreadsheet IQ provides analysis tools to help you identify common errors and to determine the risks associated with each spreadsheet. These details can help you to decide which spreadsheets you need to concentrate on. Spreadsheet IQ also provides graphical dependency mapping between cells, worksheets and workbooks so that you can investigate spreadsheet links; as well as a colour-coded facility for spreadsheet mapping.
• For those spreadsheets that you are focusing on, Prodiance provides a KPI (key performance indicator) dashboard that allows you to monitor the state of those spreadsheets and their associated risks.
• We particularly like the graphical capabilities, reporting and documentation offered by Prodiance.
• The Spreadsheet Compliance Manager, particularly if used in conjunction with Prodiance BPM, supports the segregation of duties (that is, separate roles for authors, editors, auditors and users), electronic signatures and the definition of review processes, as well as the ability to track and audit changes. Version control is supported as are spreadsheet comparisons and differencing.

The bottom line

While Prodiance is by no means a market leader in the enterprise spreadsheet management marketplace in terms of the number of its customers (mostly because it has come to market later than some of its rivals) we certainly regard it as a market leader in terms of its capabilities. In particular, the company offers a breadth of capability that few, if any, of its competitors can match. We also feel that its graphical capabilities (not least for workflow) are superior and more intuitive. As this market continues to expand we expect Prodiance to establish itself as a leading vendor regardless of how you define that term.

Prodiance Spreadsheet Compliance Vendor information page 63

Background information

Prodiance is a spin-off from Scientific Software, which was previously (since the early 90s) a specialist compliance software provider to the pharmaceutical market. However, that company was acquired by Agilent Technologies in 2005 and, at that time, Prodiance was set up to develop and market compliance solutions outside of the pharmaceutical sector, where Agilent continues to market its software. Prodiance and Agilent have a joint development agreement so that the two companies’ solutions continue to share common technology but whereas Agilent is focused on meeting FDA (Federal Drug Administration) requirements, Prodiance is focused on compliance more generally.

The company is focused particularly on financial services, especially banking, and it uses a direct sales model. Outside the United States, Prodiance leverages partnerships for this purpose. The company currently has two resellers in the UK (Trintech and Quartus Solutions), one in Israel and it has a partnership with Atos Origin in the Far East.
Prodiance web address: www.prodiance.com

Product availability

The Prodiance Enterprise Compliance Platform consists of a variety of products that provide not just spreadsheet management capabilities but also a number of other functions, which include:

• Prodiance Database IQ, which provides change management and analysis capabilities for Microsoft Access databases.
• Prodiance Search, which provides federated search capabilities across multiple content sources. Some of this product’s capabilities are leveraged by Spreadsheet IQ.
• Prodiance Business Process Manager, which provides workflow and business process management capabilities. While this is a general-purpose tool its functionality may be used within a spreadsheet management environment to support review processes and the segregation of roles, so this product will be discussed within that context in the body of this review.
• Prodiance Enterprise Content Manager, which is a stand-alone content management solution. This can be used to support spreadsheet management but Prodiance also supports both Microsoft SharePoint and EMC Documentum for this purpose. This review discusses Prodiance Spreadsheet Compliance in terms of its use with SharePoint.

In terms of Prodiance Spreadsheet Compliance the first product that the company introduced (actually when the company was still part of Scientific Software) was Spreadsheet Compliance Manager, which is currently in version 4.2. More recently it released Spreadsheet IQ, which is currently in version 2.1. Both products can be used independently or in conjunction.

Prodiance supports versions of Excel from Excel 2000 onwards, though it prefers Excel XP or later because of the richer APIs that are available within the later products. That said, provided you have a copy of Excel 2000 or later running, Prodiance can be used to manage spreadsheets based on earlier versions of Excel. As far as platforms are concerned the server needs to be Windows 2003 based (support for Windows Vista is currently being tested) while clients may be using Windows 2000 or above. Spreadsheet Compliance Manager provides detailed audit trails for spreadsheet changes down to the cell level (in which case either Oracle or SQL Server is required as a database) while files may be managed through a variety of content management repositories, including Microsoft SharePoint, EMC Documentum, Windows NTFS, or Prodiance ECM. This report is based on how Prodiance works in conjunction with Excel 2007 and SharePoint 2007 but comparable facilities can be expected in other environments.

Financial results

Prodiance is privately owned and is angel funded as opposed to venture capital backed. It has 15 employees at present.

Prodiance Spreadsheet Compliance Product description page 64

Architecture

The architecture of the Prodiance Spreadsheet Compliance solution is illustrated in Figure 1 and we will discuss each of the major elements (the Compliance Manager, Spreadsheet IQ, the Link Migration Manager and the Prodiance KPI Dashboard) in turn.

While this high-level architecture shows the major elements within Prodiance it is worth noting that there are also lower-level components such as the Documentation Manager and Federated Search.

The first thing you need to do when you are going to take control of your spreadsheets is to find out what they are and where they are, because most companies don’t know. To do this, Prodiance provides a Federated Search capability embedded with Spreadsheet IQ that will automatically discover all the spreadsheets that exist on your corporate network.
In fact, if you use the stand-alone Federated Search product (see screenshot, Figure 2) it will not just discover spreadsheets but also PowerPoint files, Access databases and other end-user computing resources. Alternatively, you can narrow down your discovery process by using the product’s keyword search capabilities so that you can look for specific spreadsheets or other resources.

Figure 1: Architecture of Prodiance Spreadsheet Compliance solution

The actual way that Federated Search works is that you install a copy of the software onto one or more desktops and then this indexes all relevant data in the background, using spare CPU cycles, so that there is no impact on normal performance. As this software is running continuously it can notify you automatically if any changes are made to the spreadsheets under supervision. Finally, in so far as Federated Search is concerned, it generates a Workbook Inventory Report that pulls together metadata about the spreadsheet, collating file information, formulae and calculation statistics, and worksheet statistics.

Figure 2: Screenshot of the Federated Search capability

Link Migration Manager

Once you have discovered your spreadsheets these can be saved within the Prodiance environment as ‘inventory files’ and you have the option to automatically or manually update these subsequently, as required. However, moving spreadsheets into management is not simply a question of copying a file from one environment to another. In particular, there is the question of linked spreadsheets. Where you have spreadsheets that have links to one another it is important that these links remain intact as spreadsheets are brought under control. This is the function of the Prodiance Link Migration Manager, which automatically migrates all links as your spreadsheets are moved into the SharePoint (or other) repository.

Spreadsheet IQ

In large organisations there will often be thousands of spreadsheets and it is unlikely that you will wish, at least initially, to manage all of these in any comprehensive way. You will almost certainly choose to focus your efforts on those spreadsheets that expose the company to the most risk. Assessing which spreadsheets fall into this category is a twofold process that requires a bit of (financial) expertise: first, it is to do with the complexity of the spreadsheet (on the basis that the more complex it is the more likely it is to contain errors) and, secondly, it is to do with the spreadsheet’s importance to the business: a sales reporting spreadsheet, for example, might not be regarded as being as important (or dangerous) as a statement of earnings spreadsheet (especially as an error in the latter may result in a jail sentence).

Assessing the importance of a spreadsheet to the business is, necessarily, a business function that cannot be automated. However, discovering the complexity inherent in any particular spreadsheet certainly can be automated and this is, in part, what Prodiance Spreadsheet IQ does.

Figure 3: Workbook Analysis Report

As we have already noted, the Federated Search element of Spreadsheet IQ prepares a Workbook Inventory Report based on the spreadsheets it discovers.
You can then go further, and use the software to analyse individual spreadsheets, with the software producing an appropriate Workbook Analysis Report as illustrated in Figure 3 (note that the Inventory report is similarly formatted). When generating this report you first go through a tick-box process in which you tell the software what details you want to see in the report, so that it can be as detailed or concise as you like. In this screenshot note the identification of ‘very hidden sheets’. These occur when worksheets are hidden programmatically. Their presence is often an indication of fraud. The software will also detect such things as cells that are printed in white on a white background (thus hiding the data) as well as data that is hidden behind graphics.

Figure 4: Cell dependencies

Other features of Spreadsheet IQ include the ability to determine precedents and dependents, not just at the spreadsheet level but right down to worksheet and cell levels. This is important in order to understand the impact of any changes that you might make, and for tracing the impact of formula errors. Figure 4 shows cell dependencies. One can easily see how difficult it would be to encapsulate this information without the aid of graphics such as this.

The product also includes the ability to generate documentation, which is stored alongside the spreadsheet to which it refers. Multiple options are available to generate documentation at the inventory, spreadsheet, worksheet and cell levels.

Figure 5: Cell painting tool

Finally, Spreadsheet IQ includes a cell painting tool so that you can apply colour coding to formulae, errors, input cells and so on. This is illustrated in Figure 5 and means, for example, that you can easily see where a formula has been copied across a row but one cell contains a constant (say) instead of that formula.
It also allows for the identification of inconsistent formulas and missing input data. For example, in Figure 5 visual inspection will determine that the COO had no salary in the first quarter and that the same individual has an inconsistent formula in his row for Q2 costs. There are no facilities to inspect formula logic. That said, this capability can be had from specialist vendors for a few hundred dollars.

Figure 6: Auditing, tracking and change management for critical spreadsheets

Spreadsheet Compliance Manager

Spreadsheet Compliance Manager provides auditing, tracking and change management for critical spreadsheets. Once again, this can be down to cell level and you can track changes to cell data, formulae, macros, named ranges and so forth. Figure 6 shows an example. Note that changes are timestamped, not with the time that the spreadsheet was saved but at the actual time that the change was made (as required by Sarbanes-Oxley). Indeed, you could make a change to a cell and then change it back to its original state and this would still be recorded in the audit trail. In addition, audit trails are encrypted and cannot be altered by users. Note that reason codes may be required though it would also be useful if you could force a more detailed explanation by appending a note to the spreadsheet.

In addition to auditing, Compliance Manager provides comparison capabilities, as illustrated in Figure 7. As can be seen there is a compare detail capability that allows you to easily see the differences that exist between spreadsheets (or, in this case, versions of the same spreadsheet). This is especially important when different versions of the same spreadsheet may have had additional rows or columns added to them, meaning that they do not easily line up for visual comparison. Version control with check in/out, archival capabilities and so forth is, of course, provided by Microsoft SharePoint or through Prodiance’s own ECM product or its integration with Documentum.
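The hidden-content indicators described under Spreadsheet IQ above (very hidden sheets and white-on-white cells) can be checked directly in a workbook file. The following is an added example, not Prodiance's code: it assumes the Office Open XML (.xlsx) package format, which this report does not discuss, and the function names and the minimal sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN}
WHITE = "FFFFFF"


def _rgb(elem):
    """Last six hex digits of an rgb= colour, or None (theme, indexed or absent)."""
    if elem is None or "rgb" not in elem.attrib:
        return None
    return elem.attrib["rgb"][-6:].upper()


def _invisible_styles(styles):
    """Indexes into cellXfs whose font is explicitly white on a white or absent fill."""
    fonts = [_rgb(f.find("m:color", NS)) for f in styles.findall("m:fonts/m:font", NS)]
    fills = []
    for fill in styles.findall("m:fills/m:fill", NS):
        pat = fill.find("m:patternFill", NS)
        if pat is None or pat.get("patternType", "none") == "none":
            fills.append(WHITE)  # no fill: the cell shows the default white background
        else:  # only a solid fill has one colour; patterned fills are not counted
            solid = pat.get("patternType") == "solid"
            fills.append(_rgb(pat.find("m:fgColor", NS)) if solid else None)
    hits = set()
    for i, xf in enumerate(styles.findall("m:cellXfs/m:xf", NS)):
        font, fill = int(xf.get("fontId", 0)), int(xf.get("fillId", 0))
        if fonts[font] == WHITE and fills[fill] == WHITE:
            hits.add(i)
    return hits


def audit_workbook(data):
    """Return sheet-visibility and white-on-white findings for raw .xlsx bytes."""
    findings = {"hidden": [], "very_hidden": [], "white_on_white": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        rels = ET.fromstring(pkg.read("xl/_rels/workbook.xml.rels"))
        targets = {r.attrib["Id"]: r.attrib["Target"]
                   for r in rels.iter("{%s}Relationship" % PKG_REL)}
        invisible = _invisible_styles(ET.fromstring(pkg.read("xl/styles.xml")))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            name = sheet.attrib["name"]
            state = sheet.get("state", "visible")
            if state == "veryHidden":  # not reachable from Excel's Unhide dialog
                findings["very_hidden"].append(name)
            elif state == "hidden":
                findings["hidden"].append(name)
            target = targets[sheet.attrib["{%s}id" % DOC_REL]]
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            sheet_xml = ET.fromstring(pkg.read(part))
            for cell in sheet_xml.iter("{%s}c" % MAIN):
                has_content = any(cell.find(t, NS) is not None for t in ("m:v", "m:f", "m:is"))
                if has_content and int(cell.get("s", 0)) in invisible:
                    findings["white_on_white"].append("%s!%s" % (name, cell.attrib["r"]))
    return findings


def build_sample():
    """Constructed sample: only the package parts the scanner reads, built in memory."""
    parts = {
        "xl/workbook.xml":
            f'<workbook xmlns="{MAIN}" xmlns:r="{DOC_REL}"><sheets>'
            '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
            '<sheet name="Adjustments" sheetId="2" state="veryHidden" r:id="rId2"/>'
            '</sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            f'<Relationships xmlns="{PKG_REL}">'
            f'<Relationship Id="rId1" Type="{DOC_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{DOC_REL}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>',
        "xl/styles.xml":
            f'<styleSheet xmlns="{MAIN}">'
            '<fonts><font><sz val="11"/></font><font><color rgb="FFFFFFFF"/></font></fonts>'
            '<fills><fill><patternFill patternType="none"/></fill></fills>'
            '<cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="0"/></cellXfs>'
            '</styleSheet>',
        "xl/worksheets/sheet1.xml":  # B1 uses style 1: white font, no fill
            f'<worksheet xmlns="{MAIN}"><sheetData><row r="1">'
            '<c r="A1"><v>100</v></c><c r="B1" s="1"><v>-40</v></c>'
            '</row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml":
            f'<worksheet xmlns="{MAIN}"><sheetData><row r="1">'
            '<c r="A1"><v>7</v></c></row></sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_workbook(build_sample()))
```

Fonts coloured through a theme or indexed palette, and data hidden behind graphics, are outside what this sketch checks.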
Spreadsheet Compliance Manager also provides security, using a role-based approach centred around users, groups, roles and privileges. In addition, if the Prodiance BPM product is used then this supports the inclusion of electronic signatures and routing of documents for approval. More particularly, this also brings workflow into the spreadsheet management environment.

Figure 7: Comparing two spreadsheets in Compliance Manager

Workflow in the Prodiance environment is much more graphical (see Figure 8) than most other products in this sector, which we consider to be an advantage. You can use this for defining review/approval processes for individual or groups of spreadsheets, including the definitions of the relevant roles of authors, owners, (internal) auditors and so on, which is known formally as the segregation of roles. Further, Prodiance BPM can be used to define spreadsheet application processes so that, for example, you could use it to define the processes associated with reconciliations, budgeting or consolidation. This includes the generation of tasks and task lists, email notifications and so forth that can be sent to relevant parties.

This is an important point. Spreadsheets are used for many purposes. Some of them are for one-off purposes while others are used on a repeated basis. In the latter case, these are often described as being spreadsheet applications (as opposed to spreadsheets per se) because they have logic that often flows across multiple spreadsheets. However, most vendors of enterprise spreadsheet management solutions treat both of these environments as the same, or they only target one or the other. Because Prodiance has full-blown workflow capabilities it is able to handle both environments, which should be an advantage compared with many of its competitors. The Prodiance solution can also leverage the workflow and BPM capabilities built into SharePoint or Documentum systems.
Figure 8: Workflow in the Prodiance environment

KPI Dashboard

Finally, the last part of Prodiance Spreadsheet Compliance is the KPI dashboard (illustrated in Figure 9), which uses conventional dashboard techniques, such as traffic lights, to monitor risk and performance indicators. Here, too, workflow and document approval status and task lists may be presented so, arguably, it would be more correct to call this a portal rather than a dashboard. As one would expect, the dashboards can be set up according to user needs so that you might typically have different executive versus reporting dashboards, as an example.

Figure 9: KPI Dashboard

Security

Document-level security is provided through the various content management systems supported by Prodiance (as already discussed) but there are also a number of other security aspects of the product that are worth mentioning. These features include Digital Rights Management encryption so that sensitive spreadsheets can be encrypted for use only by authorised LDAP users and groups; the ability to lock down access to spreadsheet macros and queries, so that users cannot change calculations and the like after these have been tested and verified; SSL encryption that is used when spreadsheets are up or downloaded; and security facilities to ensure that, in the event of Excel crashing, then the recovered files remain secure. In this last case, Prodiance works by encrypting locked cells which are recognised by the application even when reading the recovered temp file.

New product release

Almost immediately prior to publication of this report (May 2007) Prodiance announced a new version of its product. The main features of this new release are:

1. It will support browser-based thin client access (based on AJAX technology), which means that there is no client-side software installation required but that spreadsheet data can still be updated dynamically. Note that a thick client version of the user interface will remain available.
2. Centralised administration, management and reporting will be provided so that IT personnel can control the infrastructure used to manage your spreadsheets more easily.
3. There is a new ‘smart audit’ capability. This will be able to recognise, for example, that if you insert a new row into a spreadsheet then that is only a single change—all the rows below it have not, in any intrinsic sense, changed. There are also a number of other new auditing features as well as support for more data connectors.
4. Enhanced integration with SharePoint 2007, including new user interface menus, key performance indicators to support its dashboard, and integration with SharePoint workflow.
5. Auditing and compliance features for Microsoft Access databases.

Summary

Prodiance offers a rich overall environment and the company is very well placed to take advantage of the rapid growth that we are currently seeing, and expect to see more of, in the enterprise spreadsheet management market. As previously noted, we anticipate that the company will establish itself as a leading vendor of spreadsheet management solutions.

Qtier-Rapor Fast facts

Qtier-Rapor is an enterprise spreadsheet management product that offers both control and compliance and an automation solution for the development and deployment of spreadsheet applications. By ‘spreadsheet application’ we mean those repeatable processes that are enabled via spreadsheet such as sales reporting, budgeting and planning, financial consolidation and so forth.

Automation is the company’s lead focus and it is important to appreciate the significance of this. What it means is that Qtier is offering, in effect, an IDE (integrated development environment) for developing spreadsheet applications. Now, development environments, as a matter of course, include such things as version control, testing, debugging and so forth, and Rapor is no exception.
This has important implications with respect to control and compliance and, for that matter, with auditing requirements (such as spreadsheet comparisons, error detection and so on) since many of the functions deemed necessary for these areas are actually embedded within the automation aspects of Rapor. In other words, and this applies to automation tools in general, the more you automate the development of spreadsheets, and treat spreadsheets as corporate assets, the lower the additional requirements you have for control and compliance and auditing tools.

As we have mentioned, Qtier does offer control and compliance capabilities (but not auditing) in addition to automation but it is important to recognise that the features provided build onto those within the automation part of the product and they should not be thought of in isolation.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• Perhaps the biggest single advantage of Qtier-Rapor is that you only ever have a single master of any particular spreadsheet. If different users need amended copies of any particular automated spreadsheet then these are generated at run-time, based on user-specific criteria. This means that the management and auditing of spreadsheets should be much, much easier.
• Qtier-Rapor does not help you to design the logic that is internal to any spreadsheet or related application. What it does help you to do is to make it simpler to populate your spreadsheets with data derived from external sources, to validate that data, to define dependencies (this process has to be completed before that process), to identify relationships across spreadsheets, to schedule the production of spreadsheets (those that are not to be generated in realtime) and so on. In other words, its automation functions help you to define how your application (and data) flows across multiple spreadsheets.
• Qtier-Rapor uses a number of graphical techniques to help developers during the processes just outlined. These are functional rather than sexy. For example, Qtier’s workflow capabilities are based on relatively simple flow diagrams.
• Qtier-Rapor includes facilities to ensure segregation of duties between authors (process owners), editors, (internal) auditors and end-users.
• One feature of Qtier-Rapor that we have not seen elsewhere is the ability to print authentication codes on printed spreadsheets so that you know that you are dealing with authorised information.

The bottom line

Spreadsheet applications are widely used and deployed across organisations and enterprises of all sizes and types. However, such applications are often developed in an ad hoc manner and without the disciplines that would be applied to applications developed within the IT department. As a result, such applications are prone to errors, often lack proper security controls, are difficult to audit, and may not comply with appropriate regulations. With the possible exception of the last of these points, all of the others can cost the business considerable sums of money: if you have errors in your spreadsheets then you are potentially making incorrect business decisions based on faulty data; if you lack security then you open yourself up to the possibility of fraud; and if applications are difficult to audit then your auditors will charge you more. All of this means that it would be preferable to treat spreadsheet applications as corporate resources that are managed just like any other applications used within the organisation. This is what Qtier-Rapor provides, and without the end user seeing any difference in the Excel environment with which he is familiar.

Most vendors in the enterprise spreadsheet management market have focused on control and compliance and/or auditor’s tools that do not have facilities for automating the development process of spreadsheet applications. In our view, the sort of automated approach provided by Qtier is to be preferred. Not only does it make the development of spreadsheet applications faster and the results more reliable and secure, it also reduces the need for control and compliance (though that is provided by Qtier as well) and auditor’s tools, because of the inherent controls built into the Qtier-Rapor development environment. We believe that there is a growing appreciation within the market that automation is the best direction to move in for spreadsheet management and Qtier is very well placed to take a leadership position in this market, as it matures.

Vendor information

Qtier is a UK-based specialist development company, founded in 1999. However, it was not until 2002 that the company introduced its product, with early adopters taking the product the following year. This actually makes the company one of the pioneers in the enterprise spreadsheet management market.

As a small company, Qtier primarily focuses on research and development and support, while relying on third party distributorships for sales purposes. The company has such distributorships in the United States, Australia, Finland and Eire, with the last two of these acting as regional bodies that cover Western Europe between them, managing local resellers. Qtier-Rapor’s user interface is available in German, French and Italian as well as English, and it is currently being translated into Finnish.

Qtier-Rapor is currently in version 2.3 release 8 but version 2.4 is scheduled for release in April/May 2007. Qtier-Rapor is .NET based and supports versions of Excel that have a similar underpinning, so versions of Excel currently supported are Excel 2000 and Excel 2003. While perfectly understandable this is unfortunate for Qtier as many users continue to employ Excel ’97. Excel 2007 support, together with Microsoft Vista support, is scheduled for version 3.0, which should be available mid-2007.

Qtier requires a database (for storing spreadsheet process versions and so forth) and it will run with SQL Server, Oracle, MySQL or Microsoft Access. For accessing other databases, Qtier-Rapor supports both OLE DB and ODBC. All users are supported on Windows NT and later (but not Vista yet, as noted) and end users may also run Windows 98. Web servers running IIS 4 or above are supported.

Qtier’s various facilities are aimed at either developers or end-users (although typical sales targets are the owners of relevant business processes) and it has different licenses for each of these roles. Typical site license fees would be in the mid to high five figures (in dollars). The company has over 50 customer sites using the software across Europe.

Qtier web address: www.qtier.com

Qtier-Rapor Product information

In practice, there are three elements with Qtier-Rapor. The first of these is the development environment, which the company refers to as Work-in-Progress (WIP), and this is actually broken down into two areas: access to data and development itself. Then there is the deployment environment, and it is important to understand the distinction because, for example, the version control applied to WIP spreadsheets is different from the version control employed when spreadsheets are live: the latter is, at least partly, about compliance while the former is more about development best practice. Finally, there are the additional control and compliance elements within the product. We will discuss the product under each of these headings.

Figure 1: The Catalogue Designer within Qtier-Rapor

Accessing data

Accessing data in Qtier-Rapor is based on connections and catalogues.
In the case of the former you simply tell the system which databases you are collecting data from, whether you are using OLE DB or ODBC for that purpose, and what security you want to apply to that connection.

A catalogue, in Qtier terms, is a simplified view of the database tables you are accessing. Figure 1 shows the Catalogue Designer within Qtier-Rapor, which shows tables associated with the Forecast table together with (at the bottom) the relevant calculations for calculated fields. Now, that’s fine as far as it goes, but it is not very easy to work with. What the Catalogue Designer does, in effect, is to merge one or more related tables into a single table view, which can then be accessed from any spreadsheet process. The big advantage of constructing this catalogue is that it makes it much easier to understand from a developer’s perspective (you can apply selection and filtering criteria directly to a catalogue) and it is much easier to apply security controls with respect to which pieces of data a particular user (or someone with his role) is allowed to see or amend.

In so far as the delivery of data is concerned, Qtier supports (see later) the notion of realtime delivery of data to spreadsheets. However, this can be costly in its impact on front-office systems so Qtier-Rapor supports caching for semi-static data. That is, for data that changes daily, say, rather than minute by minute, you can schedule data extraction routines overnight (for example) and then cache this information to be used alongside dynamic data. What this means is that only very rapidly changing data needs to be retrieved in real-time from front-office environments, thereby minimising the impact on those systems.

Finally, all data that is created within the Qtier-Rapor environment, or maintained within it, can be stored in what the company refers to as the ‘user defined database’, thus eliminating the need for manual data manipulation and consolidation tasks.
This runs on either SQL Server, Access, MySQL or Oracle and ensures a secure and formally organised environment.

Development

The fundamental point about Qtier-Rapor is that it applies the disciplines of conventional approaches to application development to the construction of spreadsheet applications, thereby ensuring that they are properly tested, documented and controlled in a way that is by no means always the case.

As with conventional development environments, there are various stages in the development process. Qtier categorises these into three main areas of automation, which it treats separately: steps, tasks and workflow. In so far as steps are concerned, there are two main elements to this, as follows:

1. Steps—these represent individual procedures that need to be handled, such as populating a spreadsheet with data, writing information for the spreadsheet back to a source database (where that is allowed), applying validation routines and so forth. So, to populate a spreadsheet with data, as an example, you would define a step that retrieves the relevant data, based on the catalogue that was discussed in the previous section.
2. Step sequence design—steps can be combined into sequences that can then be associated with particular events, such as opening or closing a spreadsheet. So, for example, when a user wants to open a spreadsheet, the first issue would be whether s/he has relevant security clearance and, if that is the case, then you would open the spreadsheet and populate it with data. Note that you can embed decision logic within a step sequence: if the user has relevant permissions s/he gets to see (at least) the spreadsheet, but otherwise will get an appropriate message that they are not allowed to see the spreadsheet. Similar logic could be used, for example, to force users to enter a note explaining any changes they make to the spreadsheet or to raise alerts.
Tasks are a little more complicated in that they relate to application processes and are used to enable the consolidation, distribution and scheduling of spreadsheet processes. An example, which illustrates the Process Sequence Designer being used to define the task that is needed to publish weekly forecast charts, is shown in Figure 2. Although this example involves multiple spreadsheets, tasks may also be applied to actions that pertain to a single spreadsheet.

Figure 2: The Process Sequence Designer

As with steps, logical criteria can be included in tasks, which may be based on run-time parameters or be integrated with the product’s workflow capability (in both cases: see later). Processes may also include links to external (related) documents and the running of macros, VBA procedures, plug-ins and so forth. Also note that if real-time data is not needed for this particular spreadsheet or application then tasks can be used to schedule the production of spreadsheets at appropriate times.

One feature that is not built-in to the product that we would like to see, is the automated generation of alerts. For example, if you are using spreadsheets for budgeting then you will need input from various parties in order to complete the process. This needs to be a formally scheduled process and you would like to send reminders (via email or otherwise) to your colleagues that have not sent your figures on relevant dates. Now, you could build this using tasks and there are traffic lighting facilities in Qtier-Rapor to alert you to the fact that figures are due, so you could build this sort of functionality. However, since it is a rather common requirement it would be nice if there was a built-in feature to easily enable this.

Workflow is used to define the order in which spreadsheet processes should run and to determine any necessary dependency checks (that is, in case any upstream processes need to be completed).
For this purpose, Qtier uses a flow diagram rather than the icons that you might expect from a specialist workflow vendor but this is probably visual enough in this particular instance. In fact, Qtier also uses flow diagrams in a number of other areas. For example, Figure 3 shows the Step Sequence (see above) Designer, here being used for data validation. Relevant messages will be presented to the user if a validation rule fails. The same would apply if a dependency check associated with a workflow failed.

Note that workflows can also be used to enforce segregation of duties. That is, during development, best practice is to have distinct roles for the author, editor and (internal) auditor of spreadsheets, who need to sign-off on the correctness of spreadsheets during the development process. The nature of the Qtier-Rapor environment automatically enforces the separation of these roles from that of the end-user.

Deployment

Regardless of whether spreadsheets are produced live or are scheduled for production at particular times, they may be subject to run-time criteria. Thus each potential user, depending on his or her role, may have a different set of parameters that apply to the population of those spreadsheets, so that each user sees just what is needed, and has relevant capabilities to interact with the spreadsheets, as necessary. In practice, what this means is that you have a single master copy of a spreadsheet (held in a secured central repository) but many different versions of that spreadsheet ‘template’ may be populated at run-time. This has significant benefits in terms of the management and auditing of spreadsheets because you do not have lots of copied and amended versions of the same spreadsheet scattered around the organisation, which is typical of many organisations.

Two additional capabilities that are provided are web-enabled spreadsheets and an ad hoc query capability.
In the case of the former, all Qtier-Rapor processes and user menus are web-enabled as are functions such as the use of run-time criteria and the application of security. In other words, no web development skills are needed by spreadsheet designers, as this is managed automatically by the software. As far as ad hoc enquiries are concerned, the Qtier-Rapor end-user interface has a query and reporting tool built into it and users can employ this to create their own queries against the catalogues (and data therein) for which they have appropriate permissions.

Figure 3: The Step Sequence Designer

Finally, one particular noteworthy feature that fits within the area of deployment (and compliance) is that Qtier-Rapor can be set to automatically generate authentication codes that will be printed on any spreadsheet where a hard copy is required. A typical authentication code, which is unique for each instance, might look something like: ‘Ó¨Qtier Ra-pöÅ• LogID: 2652Ó¨”. There is also support for cell authentication stamps (using check digits), to certify the validity of data. These codes may include a corporate logo, if required.

Control and compliance

While we have already mentioned a number of aspects of control and compliance there are a number of elements in this area that we have not discussed. However, before doing so it is important to note that Qtier’s perspective is that spreadsheets need to not just be monitored (compliance) and an audit trail produced, but that relevant controls also need to be put in place so that only authorised people may do authorised things.

On the control side then, the first thing to appreciate is that Qtier-Rapor allows you to define the environment that must apply to each spreadsheet.
This involves ticking boxes as to which controls are to be applied to any particular spreadsheet where some of these controls are supplied out-of-the-box by Qtier but you can also define your own using the development facilities described earlier. Typical controls might be: that new processes must apply compliance rules; that auditors are not allowed to edit this spreadsheet; that comments are required whenever a change is made; whether the owner of the spreadsheet is allowed to audit it; whether process descriptions are required; that the root folder must be used for the workbook location; and so on. In addition, you can also define rules that apply to workbook settings such as the ability to insert default values, whether compliance values can override defaults, if ‘save as’ is permitted and so forth.

The other side of the control equation is security, which is role-based (either by individual or group). The product provides synchronisation with Microsoft’s Active Directory. As you might expect, you can hide columns or rows, define cells as read-only, and so forth. There is also anti-tampering support that can be applied whenever a spreadsheet is opened, closed, saved or printed.

As far as compliance is concerned, there is a distinction within the product depending on whether you are in the WIP environment or in the deployment environment. This makes sense: end users almost certainly will not be allowed to amend formulae or add macros or make any other structural changes to a spreadsheet, so you don’t need the same level of management control. So, for example, within the WIP environment this has built in version control with new versions being created automatically for you, whereas in the live environment there is simply the ability to take a snapshot of a particular spreadsheet.
One feature that isn’t in the WIP environment is check-in/out: if you start work on a spreadsheet the software will tell you if someone else is already working on it but it won’t prevent you from doing so too. As you would expect, there is an extensive audit trail and there is the ability to open and compare spreadsheet versions within the Awaiting Audit WIP development cycle, though this does not include comparison of any associated macros.

Qtier-Rapor Summary

Qtier’s biggest competitors are not other vendors but a) a failure of awareness, in some companies, that the use of spreadsheets presents any sort of an issue; b) that if there is an issue then we should get rid of spreadsheets altogether; and c) that if there is an issue and we don’t think we can get rid of spreadsheets then I can fix it by using some control and compliance and maybe some auditor’s tools. The first of these has his head in the sand, the second is unrealistic and only the third starts to address the issue. However, as long as the development of spreadsheets, and particularly spreadsheet applications, is left in the hands of user departments who have often very little formal training in the use of spreadsheets, then there will continue to be ongoing problems.

In our view, spreadsheets should be treated as a corporate resource and the development of spreadsheet applications should be managed just like any other development process. Qtier-Rapor enables this and, as more companies do so too (a process that seems to be happening faster in Europe than in the United States), then we expect Qtier to capitalise on this trend.

Risk Integrated Enterprise Spreadsheet Platform

Fast facts

Risk Integrated is a consulting company that specialises in financial risk assessment and management, particularly in the banking and financial sectors. Because many organisations within this sector use spreadsheet models for such things as deal structuring or real estate modelling the company has developed software, known as the Enterprise Spreadsheet Platform (ESP), in order to assist its clients.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

Risk Integrated, coming as it does from the perspective of risk management, takes a somewhat different approach from many other companies addressing the question of enterprise spreadsheet management. It takes the position that in the markets at which it is aimed, the developers of spreadsheet models are not only skilled in the use of Excel but that there are appropriate mechanisms in place to ensure that spreadsheets are adequately tested and checked prior to deployment. What ESP aims to do is to take the risk element out of the equation in so far as users of those spreadsheets are concerned, both in terms of data entry and deployment.

Note that ESP is neither a compliance tool (providing detailed audit trails and change tracking and/or management) nor an auditor’s tool (for error detection, spreadsheet comparison and so forth). It is complementary to both of these types of products.

ESP separates end users from the logic built into the spreadsheets that they are (unknowingly) using. This significantly reduces the risk of both errors and fraud.

Through support for message queuing, Risk Integrated aims to automate the input of data into spreadsheets as much as possible. Where that is not possible it generates web forms that users employ to enter data. All cells that require user data entry are given a descriptive name to make life simpler for users. The software understands these descriptions so that spreadsheet cells are always populated from the correct fields in the web form.

ESP also separates output from spreadsheet logic.
Rather than issue spreadsheets to users, ESP allows you to generate customised reports from its environment. This means that users never have access to formulae, calculations or data that you wish to keep private.

Bottom line

As far as we know, ESP is unique in the marketplace: it is the only vendor that comes at the problem of spreadsheet management specifically from a risk perspective. Certainly there are other products that include risk management capabilities but these tend to come at the issue from the perspective of the status quo: that is, “we have a risk issue so let’s manage it”, whereas Risk Integrated’s approach is more one of “we have a risk issue, let’s prevent it”. While the product is focused specifically at a particular niche market (primarily, but not exclusively, in financial services) this does not mean that this is a small market and we expect Risk Integrated’s proactive approach to risk management to prove attractive to a significant subset of that market.

Vendor information

Risk Integrated was established in 2000 as a pure consulting company and started the development of the ESP product in 2002. It does not typically sell ESP as a stand-alone solution but usually tailors it for individual clients. Typical charges for an engagement specific to ESP would be in 6 figures.

The company is privately owned and funded and it has offices in both the UK and United States. As it uses an associate model we cannot be precise about the number of employees but it is between 10 and 20.

Web address: www.riskintegrated.com

Product description

The way that ESP works is that super-users and experts with appropriate authorisation develop Excel spreadsheet models in the way that they always have and then load these into the ESP system. What happens is that these spreadsheets, or existing spreadsheets that have been loaded, together with all of their inputs, formulae, outputs and so forth, are encapsulated within a C++ wrapper. From this a web form is generated for manual input of data, while the software uses XML and support for message queuing software to obtain data that can be fed directly into the spreadsheet from external sources such as databases, stock feeds and so forth. In general, Risk Integrated would recommend (and so would we) that the more input data can be automated the better.

As far as user input is concerned a web form that simply asked for ‘column 4, row 3’ would not be much use, so as a part of the process of generating the web form, each cell is given a descriptive name. Note that the layout of the web form can be customised and it does not have to match that of the spreadsheet. As the software knows which name refers to which cell it will automatically insert the data from the correct field on the web form. Note that any rules applying to the relevant cell (such as a range check) will also apply to the form.

On the deployment side ESP provides a similar separation between logic and output. Rather than send reports in spreadsheet format, ESP supports the ability for you to produce customised and date stamped reports that provide the user with the information that he needs to know but without the formulae, calculations and data that you wish to keep private.

Summary

ESP does not remove risk entirely: the developers of spreadsheets are still exposed to it and, despite the use of descriptive names for data entry fields, you can never ensure that there will never be data entered into the wrong field. However, ESP does significantly reduce risk by not exposing end users, either at the input or reporting level, to the spreadsheet per se.
This means that you cannot get (via end users) transposition errors, you cannot get cut and paste or zeroing errors, you reduce, if not eliminate, the possibility of fraud, and so on. Given the potential costs (see www.eusprig.com) associated with spreadsheet errors this is a significant advantage.

ROISoft ExSafe

Fast facts

There are three distinct types of product aimed at the spreadsheet management market: development automation tools, control and compliance tools, and auditor’s tools. The first of these are about automating the development process for spreadsheet applications but are limited to providing management capability for new spreadsheets only. On the other hand, both control and compliance, and auditor’s tools, are about managing existing as well as future spreadsheets. That said, auditor’s tools are focused almost exclusively on finding errors and don’t do anything for security or auditing and version control. That’s why they cost a few hundred dollars rather than the hundreds of thousands or more that you can spend on full control and compliance tools (which often include auditor’s tools as well).

ExSafe from ROISoft is a control and compliance product. However, not all control and compliance products have the same perspective on the market. There are some that are focused on monitoring what the user does and there are others that emphasise compliance with specific regulations, particularly Sarbanes-Oxley. ExSafe, on the other hand, comes from the point of view that the first thing that needs to be done with spreadsheets is to provide security and then you can build control and compliance on top of that, rather than the other way around. ExSafe, then, is a control and compliance tool with security at its heart.
Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• Security is implemented down to cell level with access permissions and rights defined at that level (or higher). In order to minimise the administration required, inheritance is implemented.
• Spreadsheets are stored centrally in a SQL Server database and are encrypted. This removes the potential dangers of users emailing spreadsheets to non-authorised users or of temp files created by Excel after a crash, because the spreadsheets will not be readable by non-authorised users.
• ExSafe provides a complete, time-stamped audit trail of all changes made to a spreadsheet including attempted (but failed) changes—we especially like this last feature.
• Cell-level version control is included within the product.
• ExSafe facilitates the segregation of roles (owners, editors, users and so on) and has specific features supporting ‘ownership’.
• As a first release it is perhaps not surprising that some features of more mature products are not yet available within ExSafe. For example, there are no facilities to help you to compare spreadsheets or to investigate the relationships between spreadsheets.
• There are built-in discovery features within ExSafe (which will also discover Word and PowerPoint files), as well as an open API.

The bottom line

ExSafe provides compliance through its audit trail, it controls the environment through which you can use spreadsheets and it provides exemplary security capabilities. Where it lacks features (not surprising in a first release) are in ancillary areas such as auditing (for example, comparing spreadsheets). As these requirements can be met through the use of third party tools that cost no more than a few hundred dollars, this is not a major issue and should not hold the company back.
It is, of course, too early to form firm conclusions about ROISoft in a market that is becoming increasingly crowded but we do like the way that it has approached security in particular and its initial sales bode well for the future.

Vendor information

ROISoft is an Irish firm that also has offices in the United States. It was established in 2005 and is privately funded though with backing from Enterprise Ireland. The first version of ExSafe was launched at the beginning of December 2006 though the company has been in ‘stealth’ mode until just recently. Nevertheless, it has managed to acquire two major investment banks as customers already. Typical prices for a complete company-wide installation would be in 6 or 7 figures.

ExSafe is Microsoft certified and leverages Windows Server 2003, SQL Server 2005 and Microsoft Active Directory for role-based security. It supports versions of Excel from 2000 onwards, including Excel 2007. An offline feature of the product is available that allows you to work in disconnected mode with automated synchronisation once a connection is re-established.

ROISoft web address: www.roi-soft.com

Product information

As previously discussed, ROISoft has come at the issue of control and compliance from the standpoint of security in the first instance and we will therefore discuss these security capabilities first before proceeding to consider the product’s control and compliance features.

Security

Some of the security features you require in an Excel spreadsheet are obvious: for example, you want to be able to control who can see what, who has editing permissions and so on. Further, you want these facilities down to cell level and you want them by function. For example, a particular user might be allowed to update an input cell but not be permitted to edit a formula. Examples of how ExSafe implements these capabilities are illustrated in Figures 1 and 2.
In addition, where users have read-only access to some fields but update capability with others, then you would like the different cells colour coded or with some other appropriate indication as to what this user can and can’t touch. In Figure 3, for example, the red cells can neither be read nor written while the green cells may be read but not updated. All of these sorts of features you would expect from any control and compliance tool and ExSafe is no exception in providing these.

In particular, ROISoft applies what it calls Prescriptive Cell Security (PCS) whereby passwords and user-defined permissions are all applied at the cell level. Now, this might be thought to imply that there is a heavy administrative overhead in defining such a granular level of security (and security can also be implemented at the sheet and range levels). However, the security mechanisms in place are defined at the folder level and can then be inherited. This means that you only have to define the differences that pertain to any particular individual with all other permissions being held in common: thus the administrative overhead is significantly reduced.

Figure 1: Workbook permissions

Figure 2: Cell and Range permissions

However, there are also more complex security issues involved in spreadsheet management. Two such are the issues of emailing spreadsheets to colleagues and what happens when Excel crashes. In the first instance, the practice of emailing spreadsheets to colleagues is potentially dangerous, and represents a potential security breach, if they can then open and use that spreadsheet willy-nilly. In the second case a similar problem potentially arises because Excel will attempt to recover your files if it crashes. In particular, it will create a temp file that anyone can read.
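The folder-level inheritance behind Prescriptive Cell Security described above, together with the logging of attempted (but failed) changes listed in the key findings, can be sketched as follows. This is an added example and not ROISoft's code: the scope layout (folder, workbook, sheet, cell), the `*` wildcard, the rule that the nearest explicit entry wins, and every name in the block are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rights "by function": reading, changing an input value, changing a formula.
READ, EDIT_VALUE, EDIT_FORMULA = "read", "edit_value", "edit_formula"
EVERYONE = "*"  # assumed wildcard principal for the rules held in common


@dataclass
class AuditRecord:
    when: datetime   # time of the attempt itself, not of a later save
    user: str
    scope: tuple
    right: str
    old: object
    new: object
    outcome: str     # "applied" or "denied"


@dataclass
class SecuredStore:
    acl: dict = field(default_factory=dict)    # (scope, principal) -> frozenset of rights
    cells: dict = field(default_factory=dict)  # cell scope -> {"value": ..., "formula": ...}
    audit: list = field(default_factory=list)

    def grant(self, scope, principal, *rights):
        """Set the explicit rights of a principal at a folder, workbook, sheet or cell."""
        self.acl[(tuple(scope), principal)] = frozenset(rights)

    def effective_rights(self, user, scope):
        """Walk from the cell up to the folder; the nearest explicit rule wins."""
        scope = tuple(scope)
        for depth in range(len(scope), 0, -1):
            prefix = scope[:depth]
            for principal in (user, EVERYONE):  # individual rule beats common rule
                rule = self.acl.get((prefix, principal))
                if rule is not None:            # an empty rule is an explicit "no access"
                    return rule
        return frozenset()                      # nothing defined anywhere: deny

    def can(self, user, scope, right):
        return right in self.effective_rights(user, scope)

    def attempt_change(self, user, scope, part, new):
        """Try to change a cell's 'value' or 'formula'; log the attempt either way."""
        if part not in ("value", "formula"):
            raise ValueError("part must be 'value' or 'formula'")
        scope = tuple(scope)
        right = EDIT_FORMULA if part == "formula" else EDIT_VALUE
        old = self.cells.get(scope, {}).get(part)
        allowed = self.can(user, scope, right)
        self.audit.append(AuditRecord(datetime.now(timezone.utc), user, scope,
                                      right, old, new,
                                      "applied" if allowed else "denied"))
        if allowed:
            self.cells.setdefault(scope, {})[part] = new
        return allowed


def build_demo():
    """Constructed sample: one folder rule plus two cell-level differences."""
    store = SecuredStore()
    sheet = ("Finance", "budget.xls", "Sheet1")
    store.grant(("Finance",), EVERYONE, READ)              # common rule, set once
    store.grant(sheet + ("B4",), "alice", READ, EDIT_VALUE)  # alice may update one input cell
    store.grant(sheet + ("C1",), EVERYONE)                 # "red" cell: no read, no write
    store.cells[sheet + ("B9",)] = {"value": 120, "formula": "=B4*12"}
    return store, sheet


if __name__ == "__main__":
    store, sheet = build_demo()
    store.attempt_change("alice", sheet + ("B4",), "value", 10)
    store.attempt_change("alice", sheet + ("B9",), "formula", "=B4*13")
    for rec in store.audit:
        print(rec.when.isoformat(), rec.user, "/".join(rec.scope), rec.right, rec.outcome)
```

Only three rules are defined here, yet every cell under the folder resolves to a definite set of rights, and the denied formula edit leaves the cell untouched while still appearing in the audit list.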
Figure 3: Cell and Range colour coding

In order to avert both of these potential breaches of security, ExSafe automatically encrypts all spreadsheet data, even to the extent that those temp files will be encrypted. This means that unless you log on to ExSafe and unless you are an authorised user thereof, you will not be able to read any of the contents of any spreadsheet, whether recovered or original. In order to enable this, all spreadsheets are stored centrally in a SQL Server database, where the audit trail (see next section), as well as all security details, are also held.

Control and compliance

While the security features in ExSafe are as advanced (and often more so) as any other vendor’s in the market it is perhaps not surprising, given that this is a first release, that it is not quite as advanced in terms of control and compliance features. Nevertheless, all of the basics are in place, notably full auditing, auto-discovery and version control.

Auditing does what it says on the tin in that it provides full cell-level auditing of all changes (whether to data, formulae, macros or whatever), who made those changes, and with a timestamp for the time of the change as opposed to when the spreadsheet was saved, as illustrated in Figure 4. The spreadsheet ‘owner’ can also optionally enforce the entry of an associated note when the spreadsheet is being saved (for example, you have changed a figure in your budget—why?). One feature we particularly like is that the software will also record attempted (but failed) changes.

In the case of Discovery, this allows for automated discovery of all the spreadsheets that exist within a particular domain.
In addition, you can apply rules during the discovery process that should enable the ranking of spreadsheets in terms of the risk they pose to the business, either because they fall under regulatory control (such as a Statement of Earnings) or because they represent mission-critical applications. This is important because large corporations will have many spreadsheets that they need to bring under management and it is likely that they will wish to do this in an iterative manner, beginning with those spreadsheets that pose the greatest risk. However, the other half of this risk assessment relates to the complexity and size of the spreadsheet (the more of either, the greater the risk of errors) and, lacking auditing tools within ExSafe, this part of the risk assessment equation will be limited at best.

Figure 4: Cell level auditing in ExSafe

Finally, in so far as version control is concerned, it is worth noting that Microsoft SharePoint 2007 now offers complete version control at the document level. However, it does not offer version control at any lower levels and certainly not at the cell level, which is what you need if you are to have proper management control of the environment: this is what ExSafe provides.

Summary

ROISoft is a new entrant to the enterprise spreadsheet management market and there are a number of incumbent vendors with which it will directly compete that already have substantial user bases. In order to compete effectively it needs to offer something different over and above the facilities offered by this competition. This it has done by focusing on security. In addition, it is aided by the fact that these competitors are all US-based and have little or no European presence.
However, neither of these factors is likely to give ROISoft an advantage for long, particularly if these rivals see ROISoft being successful with its security message (which would not be surprising given that the vast majority of frauds are perpetrated by authorised users). ROISoft therefore has a window of time in which to establish itself as a major contender and, as is often the case, this will depend as much on the company’s marketing efforts as the technical excellence of its product. The company has got off to a good start; we will watch its future development with interest.

Sheetware XLSpell

Fast facts

The market for providing complementary products to Microsoft Excel comes from two directions: business intelligence vendors aiming to provide additional functionality, especially in the area of automation and development; and a second group of suppliers that address this market from the perspective of governance and compliance, providing the auditing, security and control that is lacking in Excel. In this latter category there are two broad categories of products: control and compliance tools and auditor’s tools.

Sheetware’s XLSpell is a suite of tools that addresses the auditor’s market. Note that auditors in this context covers two distinct functions. In the first instance, best practice in the development of spreadsheets is for a segregation of roles between the author, editor and auditor of spreadsheets, where auditor in this context refers to a function that is internal to the company. Needless to say, auditing is also an external function. In fact, XLSpell is suitable for use by both internal and external auditors. However, a further point to appreciate is that the more internal processes in place (such as the segregation of roles) to ensure the validity of your spreadsheets then the less work will be required by external auditors and the lower their resulting fees.
In other words, implementing internal auditing processes will save money not just because you are basing your decisions on more accurate and reliable information but also through reduced annual fees.

Specifically, the XLSpell suite includes tools for formulae checking, sheet comparisons, a sheet mapping tool that allows you to see the structure of your spreadsheet, a drill-down capability that allows you to see where data has come from, a number finder, and a tool for boosting the performance of spreadsheets. Each of these capabilities is available separately as well as within the suite.

The bottom line

From an enterprise perspective XLSpell should properly be considered as a suite of tools and utilities, primarily focused on detecting errors (though the performance module may also prove to be of interest) and auditor functions. Given the potential costs associated with spreadsheet errors, which can be very substantial (see www.eusprig.com), these relatively inexpensive tools should pay for themselves in short order.

Vendor information

Sheetware is a small, privately financed company based in the UK. It was founded in 2002 and released XLSpell in a beta version in 2004. The product suite is now in version 1.2 and it currently runs with Excel 97, 2000 and XP. As previously stated you can licence each of the individual modules of the suite separately. Indeed, the company’s biggest seller is the individual product, XDrill.

Sheetware’s primary target is SMEs and departments of larger organisations. Primarily, the company sells through its web site, where the products are available for free 30-day download or, because the products are relatively inexpensive ($199 for a single business user for XLSpell, $309 for a small business version – 6 users – of XDrill) you can licence them directly from the web site. Free versions of the software are offered to registered charities. The company also has a UK-based distributor.
Sheetware web address: www.sheetware.com

Product description

As previously noted, XLSpell consists of a number of modules and we will discuss each of these separately. However, as the products most likely to be of interest to enterprise users we will focus primarily on XDrill and XLMapper.

XDrill

Put simply, XDrill answers the question, “where does that number come from?” You start by clicking on the cell you are interested in, or on a chart item, and the XDrill menu will come up, offering you options such as the ability to simply drill from this point, or drill directly to inputs or to trace errors. You can also define the depth to which you want to drill and what links you want to use, as illustrated in Figure 1.

Once you actually activate the drill-down process the software will bring up the relevant details, with the calculation path (which will include details from different sheets or workbooks automatically, if that is necessary) for that cell highlighted in bold text, as illustrated in Figure 2. Inputs and errors are also indicated, using colour coding. Further, should you make any change in the original spreadsheet then this will be dynamically reflected within the drill-down window so that you can see the impact of changes. For example, if you changed the highlighted cell “Remaining life of opening asset” from 24 to 12 then the “Profit before Tax” entry in the drill-down window would change to 5,925.

Another feature of the software is that you can opt to hide zeros, blanks and precedents that don’t contribute to results. You can also choose to show only those cells in lookups or large sums that actually contribute to the results. For example, if you have a LOOKUP function that looks at a list of 100 cells and picks one, XDrill can be set to only show you the one number that is picked, but you can display all 100 cells if you wish.
Finally, in so far as the trace errors option is concerned, effectively the same sorts of facilities are provided except that there are also facilities to run ‘what-if’ and sensitivity analyses.

Figure 1: Options for defining drill down parameters

Figure 2: Drill down results for selected cell

XLMapper

Whereas XDrill tells you about the antecedents of a particular cell, XLMapper is concerned with the structure of the spreadsheet as a whole. Similarly, where XDrill is primarily an auditor’s or accountant’s tool, XLMapper is more suited to the IT department or to a business analyst, particularly when it comes to discovering errors.

For example, Figure 3 shows an illustration of XLMapper in use. Here, this is displaying a conventional spreadsheet but with the application of XLMapper. The cells shown in grey are those that are copies of their neighbours, while those highlighted in green are not. So, cell G12, for example, has a different formula to G11, and G13 is a change again. This perhaps suggests that G12 is in error (and G13 is correct). Note too, cells B10, 11 and 12. What happened to Cost 3? In other words, XLMapper highlights changes in formulae. Some of these will be expected but others will be unexpected and it is these latter that you are likely to be interested in.

Note that you can customise the colour coding to your own liking. Alternatively, there is also a text option which will display various symbols (notably ‘F’ instead of green) in the various cells of the spreadsheet. You can make changes directly in your spreadsheet when using XLMapper or the software will create a copy for you to which you can make appropriate corrections. A useful feature would be the ability to tell the spreadsheet (subject to authorisation) that particular details are correct so that they do not continue to be highlighted by XLMapper.
For example, suppose that it is correct that only Costs 1, 2, 4, 7 and 19 should be included in this spreadsheet, then it would be useful to be able to turn off highlighting. In the absence of this feature it would be good practice to append a note to these cells to the effect that these cells are correct, perhaps with an appropriate explanation.

Figure 3: XLMapper in use

Other software

XLSpell includes a number of other tools, as follows:

• Spreadsheet “Spell Checker”—this is a further error checking tool, which is used to check whether formulae or charts refer to the correct cells. It assesses each formula and chart against a list of rules that are designed to catch common spreadsheet errors. Potential problems are reported in a similar way to spelling mistakes in Word, providing a familiar interface for users.
• Sheet comparison tool—this is another tool that will be of interest to enterprises, which does what its name suggests: allowing you to compare spreadsheets to detect any differences between them.
• Performance tool—XLSpell has a facility to work out the best order in which spreadsheet calculations should be made in order to optimise performance and it can also automatically re-arrange sheets with the same aim in mind. There are also facilities to show you how long each sheet takes to calculate and you can also look at blocks of calculations in terms of performance.
• Number finder—this tool allows you to search for any instance of a particular value, or a range of values, across a spreadsheet. You can also look for combinations of numbers that add up to a specific total, or approximately a specific total. For example, you can ask to see ‘all combinations of 3 numbers that add up to 60, plus or minus 1’. One common use is where a balance sheet does not balance; the number finder will check to see what is being missed.

One further Excel product is offered by Sheetware that is not part of XLSpell, which is ExcelFIX.
This restores damaged or corrupt Excel files that cannot be opened. This product works with any version of Excel from 95 onwards, except that 2007 is not yet supported.

Summary

Leaving aside business intelligence based extensions to Excel, there are two approaches to compliance and error checking for spreadsheets: you can licence a complete, integrated suite or you can use individual products for specific functions. The former tend to be expensive, typically running into at least five figures and often six or seven. An approach based on point solutions may therefore be more cost effective in this particular instance. Sheetware offers useful facilities that are inexpensive, and which are certainly worthy of consideration.

eXpresso

Fast facts

The market for spreadsheet management solutions is broadly split into four areas: monitoring tools, which audit what anybody does to any spreadsheet at any time; control and compliance tools that extend monitoring to include security and management of who is allowed to do what; auditor’s tools that allow you to compare spreadsheets, detect errors in formulae, find out where data came from and so on; and automation tools that provide controlled development environments for creating new spreadsheet applications (but only new applications—no facilities are provided for existing spreadsheets).

eXpresso falls into the monitoring, control and compliance categories though it also has the ability to compare spreadsheets. However, where it differs from other products in the spreadsheet management market is that it provides on-line, real-time collaborative capabilities for the use and management of spreadsheets. In addition, it is the first product in this sector (as far as we know) to be offered as a service.
Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• eXpresso controls all relevant spreadsheets through a secure, centralised database and the user interfaces with Excel through a web browser.
• eXpresso does not provide facilities for discovering existing spreadsheets so you will need to tell the software which spreadsheets to upload. There are also no facilities provided for assessing the risks associated with any existing spreadsheets.
• Full version control and an audit trail (including detailed cell history reports) are provided.
• By default, all spreadsheets are locked for use against everybody except the ‘owner’. However, the owner can invite contacts to share a spreadsheet with the owner applying relevant locking criteria down to cell level.
• Using eXpresso, shared users of a spreadsheet can exchange notes and there is also an on-line chat facility. There is also an alerting capability, which means that you can get the software to automatically send you a notification when a relevant event, such as a cell change, occurs.
• There are no workflow capabilities in the product and nor are there any specific facilities for designing approval processes. However, we are pleased to hear that these capabilities are on the product roadmap for a future release.
• There is an automated facility to convert spreadsheets from one format into another. This will be particularly useful when you exchange information with third parties via spreadsheets. We have not seen any other product with this capability.

The bottom line

While there are certainly facilities in other products that eXpresso lacks, this is perhaps not surprising in a first release. More to the point, there are significant capabilities in eXpresso that other offerings do not have.
In particular, no other vendor (at least that we are aware of) has any collaborative capabilities for sharing spreadsheets and we are similarly unaware of any other product that can provide the automated conversion of spreadsheets that is provided within eXpresso. So, there are technical benefits, as well as drawbacks, to the eXpresso offering.

That is almost beside the point. The big advantage that eXpresso offers is that it is available as a service à la Salesforce.com. Given that leading control and compliance tools typically cost six to seven figures for enterprise-wide implementation, the ability to implement eXpresso for a much lower monthly charge and on an incremental basis is potentially compelling. Moreover, it is the only vendor in this market to have such an offering at present. As a result, we believe that eXpresso has the potential to become a major player in this market within a very short period of time.

Vendor information

Background information

eXpresso is a new Software as a Service (SaaS) offering from SmartDB Corporation, which was founded in the mid nineties and is privately owned with venture capital backing. The company has historically specialised in data integration (particularly, in the early days, on ETL—extract, transform and load) for Oracle environments. Today, its leading product is SmartDB Workbench, which provides a variety of tools for developing, testing and deploying adapters that can be used to integrate Oracle with other environments, especially legacy mainframe environments. The company also markets a suite of pre-built ‘intelligent’ adapters and a special-purpose environment for companies wanting to migrate from PeopleSoft to Oracle environments.

The company is US-based and uses distributors in Europe. It has customers in 20 countries.

SmartDB web addresses: www.smartdbcorp.com

Product availability

eXpresso is in its first release (June 2007) although the platform it has been built upon is actually three years old as it was originally designed for another project. eXpresso is available both as a service (SaaS) and via an enterprise license, though the company’s main focus is on the SaaS offering.

The product works with versions of Microsoft Excel from Excel 2000 onwards and requires the use of an Oracle database for the enterprise version (it will be transparent to SaaS users). In theory the product should run on top of any relational database so the company will consider porting it to, say, SQL Server or DB2 if there is sufficient demand at the enterprise licence level. The company plans to add comparable facilities for managing and sharing Word documents and PowerPoint presentations, at some point in the future.

Product information

Product description

eXpresso is a product that treats Excel spreadsheets as a corporate resource, bringing them under management control in order to provide the security that is lacking in Excel itself and adding control and compliance capabilities. In addition, and unlike all the other enterprise spreadsheet management products that we have seen, eXpresso adds collaborative capabilities for shared working with spreadsheets. As has been stated, the software as a service model is the one that eXpresso is targeting and this report will focus on the facilities provided when using this approach though the enterprise version of the product will not be significantly different: it simply means that you will be self-hosting the environment.

Figure 1: Architecture of eXpresso

Architecture

The architecture of eXpresso is both similar to, and significantly different from, the other spreadsheet management control and compliance tools that are available on the market.
This is because all of the other vendors centralise spreadsheets around a content or document management system of some sort, which may be proprietary or it may be Microsoft SharePoint 2007 or, in one case, Documentum. eXpresso, on the other hand, centralises on an Oracle database, as illustrated in Figure 1, which shows the architecture of the product.

Whereas conventional approaches to spreadsheet management simply store Excel documents as Excel documents, eXpresso decomposes them and stores all the various elements of the spreadsheet (data, formulae, macros, formatting, cell references and so forth) within relational tables inside an Oracle database. In addition, spreadsheet images are also stored within the database as BLOBs (binary large objects). This means that all the security, management, auditing and so forth that is available within the database can be directly applied to spreadsheets and the elements within them.

At run-time, spreadsheets are presented to users through the eXpresso interface via their web browser, with the various tabular data being transformed back into spreadsheet data. There is, of course, an overhead involved in this transformation process, which is performed by the Abstractor shown in Figure 1 (and for which various patents are pending), but this should not be noticeable to the end user as it will be small compared to any delays that may occur in the browser.

Figure 2: ‘My Spreadsheets’ page

Using eXpresso

The first thing that you do when you want to use eXpresso is to log on (with conventional security applied so that only authorised users have access to eXpresso spreadsheets) and then you will be presented with the ‘My Spreadsheets’ page, as illustrated in Figure 2.
This shows the user’s (secure) Excel spreadsheets together with the File Name, details of when it was initially uploaded and most recently updated and how, whether this spreadsheet is locked, who it is shared with, and the various collaboration tools that support alerts (which you can set as required; for example, whenever a change is made to a cell), chat, the exchange of notes and so forth. There are also shortcuts to cell tracking (for which you can produce history reports), comparison capabilities (to compare two spreadsheets or versions of the same spreadsheet; see later), tags (which can be used to filter the spreadsheets shown so that you can look at just those spreadsheets pertaining to a particular task), file sharing and upload and download facilities.

The other notable point about this screen that needs to be discussed is the conversions tab. This is provided so that you can convert spreadsheets from one format into another. This is important when you want to use spreadsheets to integrate with third party organisations such as Salesforce.com or DHL. The problem, of course, is that these companies expect spreadsheet data in a particular format but that format may not be suitable for use inside your own organisation. What eXpresso can do, through the use of its Abstractor transformation technology, is to automate the conversion of your spreadsheet format to theirs.

Once you open a spreadsheet, the eXpresso Edit Screen appears, as shown in Figure 3. As can be seen, this is precisely a Microsoft Excel interface, which has been implemented by means of Microsoft Web Components.
Figure 3: The Edit screen in eXpresso

Going beyond this, the major feature of eXpresso that distinguishes it from competitive products is its collaboration capabilities and Figure 4 shows a part of the functionality provided, illustrating how the spreadsheet ‘owner’ can share selected files with other users, define access control rights (see later) and attach messages. Note that this sharing obviates the need to email spreadsheets to collaborators, which is inherently dangerous and insecure. Instead, anyone you share a spreadsheet with must also be authorised by the eXpresso system. A secondary benefit is that this approach facilitates remote working since you can simply retrieve spreadsheets by connecting to the system via the Internet. For off-line working there is a check-out (download) capability that will provide automated synchronisation once you log back in and upload the spreadsheet you have been working on.

Figure 4: Setting Collaboration preferences

Control and compliance

As already indicated, security is applied directly by eXpresso and spreadsheet owners can apply relevant access controls to those that they share spreadsheets with. These controls can be set to read-only or to provide write access and individual controls can be applied to cells, ranges, columns, rows and so forth. On the compliance side, as mentioned, a complete cell level history is maintained so that you can track all changes to a spreadsheet: who made a change, when, from what values to what values, and so on.

However, what eXpresso does not have (and this is hardly surprising in a first release) is the ability to discover existing spreadsheets and automatically load them into the eXpresso environment. Further, it does not have any facilities for assessing the risk associated with any particular spreadsheet, either because of its potential impact on the business or because of the size and complexity of the spreadsheet.
Such functionality is important as it enables a measurement of the most important spreadsheets to take under management control. However, this typically requires the use of Auditor’s tools and these can be had relatively inexpensively from third parties.

That said, eXpresso does offer spreadsheet comparison capabilities, as shown in Figure 5, which allow you to compare two different spreadsheets or versions of the same spreadsheet. Note both the colour coding and the reference at the bottom that we are here comparing all cells. As alternatives you can compare ranges, rows, columns and formulae.

Finally, one other significant aspect of control and compliance that eXpresso does not provide is workflow or some means of defining approval processes and the segregation of duties: that is, a formal process by which the owner, developer, tester and auditor of a spreadsheet have formalised roles prior to the spreadsheet going into production. However, this capability has been identified as a key new feature by the vendor and will be added in an upcoming release of eXpresso.

Summary

At present, eXpresso is the only SaaS vendor in this marketplace and we believe that software as a service makes sense for spreadsheet management. However, it is likely that other suppliers will move to compete with eXpresso, particularly if it is as successful as we expect. Assuming that to be the case then SmartDB needs to make the most of the time window (whatever that may be) that it has before other SaaS offerings appear. This is both a technical consideration (it needs to add further functionality that it is currently lacking) and a marketing one, in the sense that it needs to rapidly build significant market momentum. If it can achieve these goals then the product’s future should be a bright one.
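The control model described in the eXpresso evaluation above (cells held in relational tables, read or write rights on ranges, a cell-level history of who changed what and when) can be sketched as follows. This is an added example, not eXpresso's code: it uses SQLite instead of Oracle, and the schema, the function names, the "smallest covering range wins" rule and the append-only triggers are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema; the page does not describe eXpresso's real tables.
SCHEMA = """
CREATE TABLE cell (
    sheet TEXT, row_no INTEGER, col_no INTEGER, content TEXT,
    PRIMARY KEY (sheet, row_no, col_no));
CREATE TABLE cell_grant (               -- access right on a rectangular range
    grantee TEXT, sheet TEXT,
    r1 INTEGER, c1 INTEGER, r2 INTEGER, c2 INTEGER,
    mode TEXT CHECK (mode IN ('read', 'write')));
CREATE TABLE cell_history (             -- who, when, old value, new value
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    sheet TEXT, row_no INTEGER, col_no INTEGER,
    changed_by TEXT, changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    old_content TEXT, new_content TEXT);
-- Assumed hardening: the audit trail can be appended to but not rewritten.
CREATE TRIGGER history_no_update BEFORE UPDATE ON cell_history
BEGIN SELECT RAISE(ABORT, 'cell_history is append-only'); END;
CREATE TRIGGER history_no_delete BEFORE DELETE ON cell_history
BEGIN SELECT RAISE(ABORT, 'cell_history is append-only'); END;
"""


def open_store():
    """Create an empty in-memory store with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def grant(conn, grantee, sheet, r1, c1, r2, c2, mode):
    """Give a user 'read' or 'write' on the range (r1,c1)-(r2,c2)."""
    with conn:
        conn.execute("INSERT INTO cell_grant VALUES (?,?,?,?,?,?,?)",
                     (grantee, sheet, r1, c1, r2, c2, mode))


def effective_mode(conn, user, sheet, row, col):
    """Return 'read', 'write' or None (no access) for one cell.

    Assumed policy: the smallest range covering the cell wins, and on a
    tie 'read' beats 'write' because it sorts first.
    """
    hit = conn.execute(
        """SELECT mode FROM cell_grant
           WHERE grantee = ? AND sheet = ?
             AND ? BETWEEN r1 AND r2 AND ? BETWEEN c1 AND c2
           ORDER BY (r2 - r1 + 1) * (c2 - c1 + 1), mode
           LIMIT 1""", (user, sheet, row, col)).fetchone()
    return hit[0] if hit else None


def write_cell(conn, user, sheet, row, col, content):
    """Change a cell only if the user holds write access, and log the change."""
    if effective_mode(conn, user, sheet, row, col) != "write":
        raise PermissionError(f"{user} may not write {sheet}!R{row}C{col}")
    with conn:  # the cell change and its history row commit together
        old = conn.execute(
            "SELECT content FROM cell WHERE sheet=? AND row_no=? AND col_no=?",
            (sheet, row, col)).fetchone()
        conn.execute("INSERT OR REPLACE INTO cell VALUES (?,?,?,?)",
                     (sheet, row, col, content))
        conn.execute(
            """INSERT INTO cell_history
               (sheet, row_no, col_no, changed_by, old_content, new_content)
               VALUES (?,?,?,?,?,?)""",
            (sheet, row, col, user, old[0] if old else None, content))


def history(conn, sheet, row, col):
    """Return [(changed_by, old_content, new_content), ...] oldest first."""
    return conn.execute(
        """SELECT changed_by, old_content, new_content FROM cell_history
           WHERE sheet=? AND row_no=? AND col_no=? ORDER BY id""",
        (sheet, row, col)).fetchall()


if __name__ == "__main__":
    # Constructed sample: alice owns the sheet, bob may edit B2:B3 only.
    db = open_store()
    grant(db, "alice", "Budget", 1, 1, 100, 10, "write")
    grant(db, "bob", "Budget", 1, 1, 100, 10, "read")
    grant(db, "bob", "Budget", 2, 2, 3, 2, "write")
    write_cell(db, "alice", "Budget", 2, 2, "100")
    write_cell(db, "bob", "Budget", 2, 2, "120")
    print(history(db, "Budget", 2, 2))
```

The triggers only stop ordinary sessions from rewriting the trail; an account that can drop triggers or tables can still do so, which is why the database privileges behind such a store matter as much as the application checks.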
Figure 5: Comparing spreadsheets in eXpresso

Spreadsheet Advantage

Fast facts

The market for providing complementary products to Microsoft Excel comes from two directions: business intelligence vendors aiming to provide additional functionality, especially in the area of automation and development, and a second group of suppliers that address this market from the perspective of governance and compliance, providing the auditing, security and control that is lacking in Excel. In this latter category there are two broad categories of products: control and compliance tools and auditor’s tools.

Spreadsheet Advantage’s suite of tools addresses the auditor’s market. Note that auditors in this context cover two distinct functions: in the first instance, best practice in the development of spreadsheets is for a segregation of roles between the author, editor, auditor and user of spreadsheets, where auditor in this context refers to a function that is internal to the company. Needless to say, auditing is also an external function. In fact, Spreadsheet Advantage is suitable for use by both internal and external auditors. However, a further point to appreciate is that the more that you have internal processes in place (such as the segregation of roles) to ensure the validity of your spreadsheets, then the less work will be required by external auditors and the lower their resulting fees. In other words, implementing internal auditing processes will save money not just because you are basing your decisions on more accurate and reliable information but also through reduced annual fees.

Specifically, Spreadsheet Advantage includes tools for row and column alignments, sheet comparisons, spreadsheet analysis, circularity discovery, a sheet mapping tool that allows you to see the structure of your spreadsheets, and precedent and dependent analysis, amongst others.
The bottom line

From an enterprise perspective Spreadsheet Advantage should properly be considered as a suite of tools and utilities, primarily focused on detecting errors and auditor functions. Given the potential costs associated with spreadsheet errors, which can be very substantial (see www.eusprig.com), these relatively inexpensive tools should pay for themselves within a very short period.

Vendor information

Spreadsheet Advantage is an Australian company that was founded in 2005 by professionals experienced in auditing and consulting. The product was introduced in the same year. It already runs under Windows Vista and will support Excel 2007 by the time this report is published. The company is privately owned and sales are conducted directly from the company’s web site: you can download an evaluation copy of the software that you can use for no charge for 30 days. After that the license fee is US$299; discounts may be available for large numbers of users. Support is available via e-mail.

Web address: www.spreadsheetadvantage.com

Product description

As previously noted, Spreadsheet Advantage consists of a suite of tools, which we will discuss in turn. However, there are a number of additional features that do not conveniently fit under the headings that follow. These include a number of facilities that allow you to jump to the cells you are looking for (via bookmarks, dependent arrows or shortcut keys), a list names facility that lets you list all the range names in a spreadsheet, a nested IF display that allows you to visualise the structure of this nesting, and precedent/dependent capabilities for which you can use colour coding to highlight all the cells that are dependent on, or precedent to, a group of cells. These facilities are further leveraged by the software so that you can trace the ultimate source of any error values in a particular cell.
Row and Column Aligner

The Row and Column Aligner is a precursor to the Spreadsheet Comparison (see next). The point here is that when you want to compare two spreadsheets, whether they are different sheets or versions of the same spreadsheet, it is often the case that additional rows or columns will have been added or removed from one to the other, which makes any sort of visual or automated comparison very difficult. What Spreadsheet Advantage does here is to automatically insert new blank (actually filled out with cross-hatches) rows or columns so that the two spreadsheets match up with comparable rows in the same rows, and comparable columns in the same columns, thereby avoiding the task of having to do this manually.

Spreadsheet Comparison

Once the relevant spreadsheets have been aligned, the Spreadsheet Comparison tool allows you to compare two versions of the same spreadsheet or two different spreadsheets. It then generates a workbook with a single comparison report sheet for that pair of spreadsheets. As can be seen in Figure 1 the software groups adjacent cells that contain the same formula in this comparison report. Thus the formulae in cells AC21 to AR21 have changed but these are grouped together in a single item rather than listing every cell in the range. Note that differences are highlighted using bold, coloured (red) text.

Figure 1: Comparing spreadsheets

It is worth noting that this tool has been applied to some very large spreadsheets, up to 30Mb in size and containing over 100 worksheets. In addition to Spreadsheet Comparison there is also a Bookmark Comparison capability that allows you to compare two different cell ranges, which can be useful for checking formulae consistency.

Spreadsheet Analysis

Spreadsheet analysis provides statistical analysis for your spreadsheets. For example, in Figure 2 the analysis shows the number of stored and used rows and columns, and the number of unique formulae used in each spreadsheet.
Further, it also shows the formulae references to other spreadsheets so, here, OtherCosts has three formulae that refer to the Assumptions sheet. Note that the software attempts to order the spreadsheet analysis so that later spreadsheets refer back to earlier ones. Where this is not possible the references are highlighted in a yellow box so OpCosts has one reference to Operations, for example.

Figure 2: Analysing spreadsheets

Spreadsheet analysis helps you to understand the structure and logic flow of your spreadsheets. Also, in conjunction with precedent/dependent analysis it can help you to determine your most complex spreadsheets. Bearing in mind that complexity directly correlates with the likelihood of errors, this can help you to assess which spreadsheets expose you to the greatest risk.

Circularity Finder

Circularities (that is, for instance, where A references B, B references C and C references A) are ill-advised: they can result in the whole system locking up and failing to calculate anything. Even if the circularity is valid, such an approach can result in very poor performance. There is therefore very good reason to remove all such references: however, you have to find them first and this is what the Circularity Finder does. Note that some circularities may be conditional (that is, they only apply when an input is set to a particular value) but Spreadsheet Advantage can find these too.

Map

Figure 3: Mapping spreadsheets

Figure 3 shows the result of Spreadsheet Advantage’s Map facility. Here, ‘F’ means that the cell contains a formula, ‘>’ that the formula is the same as the one to the left, ‘v’ that it is the same as the one above and ‘+’ for both. ‘T’ represents a text cell and ‘N’ a numeric one. What this enables you to do is to see where there are unexpected changes. For example, the red ‘F’ in the middle of row 4 looks suspicious, as it indicates a change of formula in the middle of the row.
By selecting that cell and using the relevant short-cut key the software will take you directly to the actual cell in the spreadsheet so that you can examine it for any potential errors.

Summary

Compliance and Control products, which typically include the sort of auditing capabilities that are provided by Spreadsheet Advantage, usually run into at least five, commonly six and even, sometimes, seven figures. This will be too costly for most small and medium sized enterprises as well as for departments within larger organisations. For these people, auditors’ tools should be a must buy: the uncontrolled and untested use of spreadsheets is potentially dangerous to your bottom line and Spreadsheet Advantage can help to rectify the issues raised.

Spreadsheet Detective

Fast facts

The market for providing complementary products to Microsoft Excel comes from two directions: business intelligence vendors aiming to provide additional functionality, especially in the area of automation and development, and a second group of suppliers that address this market from the perspective of governance and compliance, providing the auditing, security and control that is lacking in Excel. In this latter category there are two broad categories of products: control and compliance tools and auditor’s tools.

Southern Cross Software’s Spreadsheet Detective is a suite of tools that addresses the auditor’s market. Note that auditors in this context cover two distinct functions. In the first instance, best practice in the development of spreadsheets is for a segregation of roles between the author, editor and auditor of spreadsheets, where auditor in this context refers to a function that is internal to the company. Needless to say, auditing is also an external function.
However, a further point to appreciate is that the more that you have internal processes in place (such as the segregation of roles) to ensure the validity of your spreadsheets then the less work will be required by external auditors and the lower their resulting fees. In other words, implementing internal auditing processes will save money not just because you are basing your decisions on more accurate and reliable information but also through reduced annual fees.

Key findings

In the opinion of Bloor Research the following represent the key facts of which prospective users should be aware:

• Spreadsheet Detective has the most extensive range of auditing tools that we have seen from any vendor in this class.
• Spreadsheet Detective has a number of facilities, such as its sensitivity report, which we have not found (or rarely found) elsewhere.
• Unlike many suppliers that have limited or no support for earlier versions of Excel, Spreadsheet Detective supports all versions of Excel (with the exception of 2007 which is shortly to be released) from Excel ’95 onwards.
• Like most products in its class, Spreadsheet Detective uses spreadsheets to display its analyses. Given the wealth of detail that Spreadsheet Detective can present we would like to see the company implementing more intuitive (and simple) visualisation techniques, including colour coding.

Bottom line

Spreadsheet Detective is one of the longest established and most comprehensive suites of auditing tools that we have seen. This is not to say that other products may not have features that are not in Spreadsheet Detective or that, in some instances, we might prefer a competitor’s implementation of a particular feature but, overall, the product is clearly the market leader, and deservedly so.

Vendor information

Vendor background and product availability

Spreadsheet Detective from Southern Cross Software was first introduced in 1997.
While there are other products on the market that were available for in-house use only prior to this date, as far as we know this makes Spreadsheet Detective the first product in the spreadsheet management market to have been made commercially available.

Given its longevity as a product it is perhaps not surprising that Spreadsheet Detective supports Microsoft Excel from version ’95 onwards. This is extremely rare: we know of no other supplier that still supports ’95 and many do not support ’97. That said, the product does not currently support Excel 2007, though this is under test. The company uses Microsoft style version numbering and the current version of the product is Spreadsheet Detective 2006, with the 2007 version due for release shortly.

Southern Cross, as its name implies, is an Australian company, which is privately owned. It is the leading supplier in both Australia and New Zealand and is also well established in the UK. On the other hand the company has rather neglected the North American market though it still has major customers there: for example a major automotive manufacturer that uses the product world-wide. There is also support for European languages though, again, the company has not focused on this area.

Sales are by download, starting at (US) $180 for organisations and $48 for individuals though you can have an evaluation copy on a free download basis. Support is via email.

Web address: www.spreadsheetdetective.com

In addition to Spreadsheet Detective, Southern Cross has also developed a product called 123 Detective, which provides similar functionality for Lotus 123 environments that was developed at the behest of Lotus (IBM) and which is available only from that company.
Spreadsheet Detective

Product description

Introduction

Spreadsheet Detective consists of a number of different auditing tools and while these are all distinct (with a few exceptions) the various tools provided can be broadly categorised as belonging to four groups: formula investigation, precedent/dependent analysis, worksheet analysis, and other tools. We will consider the facilities provided under these headings.

However, before doing that it is appropriate to describe the product’s ‘AutoName’ facility that is leveraged across the product. What this does is to provide a label (name) for all formulae and defined ranges, which means that in relevant tools you have a name (for example ‘FixedCost’) associated with the relevant entry rather than cryptic references to row numbers. Examples of AutoNames feature in some of the figures that follow. There are also facilities to control and override AutoNames. Note too that AutoNames in Spreadsheet Detective are based on heuristics that determine which cells contain useful text to make AutoNames out of, rather than relying on a particular layout of the spreadsheet.

Formula investigation

Spreadsheet Detective provides three major formulae tools:

1. Audit formulae with shading: this is illustrated in Figure 1 where horizontal shading means that the formula is the same as in the cell to the left, vertical shading where it is the same above, crosshatching indicates that this is a new formula and speckled (diagonal hatching) means that this formula is a copy of a non-adjacent cell. In other words this tool is designed to enable the visual identification of inconsistencies. Note also the native Excel green and red triangles: these are intended to highlight potential errors but are not a reliable guide, hence the need for more detailed inspection. Our only concern with this tool is that it might be preferable to use different colours rather than all of these blue lines, which can be confusing. However, the advantage of stripes is that they can be superimposed on any existing cell colouring without having to turn that off. If cells have been coloured in blue then Spreadsheet Detective will use pink stripes instead.
2. Audit formula report: this is a report of all the unique formulae (in other words each formula appears only once) and defined ranges within a spreadsheet, along with their label (autoname) and initial value. Formulae themselves are colour coded to identify errors.
3. Full annotations: this is illustrated in Figure 2. Apart from the autonames shown, the important feature here is the use of lines, dots and circles, and so on, as follows:
a. Red dots mean that the cell contains the same formula as the cell to the left while an empty dot means that there is no formula.
b. Red boxes show new formulae.
c. The various green figures (such as #) also have various meanings.

Figure 1: Auditing formulae using cell shading

Figure 2: Annotation features

While you can turn red dots off we are concerned that this diagram is overcomplicated though, to be fair, we have not seen any other product that provides this wealth of detail.

Other formula-based capabilities include a formula map that represents each cell as a single character; the ability to identify and list formulae that reference other workbooks; the ability to flag cells that are, or are not, referenced by any unique formula; and a facility to visualise array formulae.

Precedent/dependent analysis

There are two tools in this category: precedent/dependent dialog and precedent and dependent reports. The former is illustrated in Figure 3. Here, the active cell (H37) is described in the central box, with precedent cells (B2, I37 and H38) to the left and dependents (H36) to the right. You can click on any precedent or dependent and automatically make that the active cell.
Figure 3: The precedent/dependent dialog

While the dialog is primarily about moving backwards and forwards to/from precedents and dependents, the precedent report describes how the active cell was calculated, allowing you to drill down through successive levels within the precedent (or dependent) tree.

Worksheet Analysis

In this area there are two major capabilities. The first is a spreadsheet comparison tool that allows you to compare different versions of the same spreadsheet or different spreadsheets. Relevant symbols are inserted to indicate when a new formula has changed or where a row or column has been inserted, and so on. Once again, however, we would prefer the use of colour coding rather than symbols. In addition, the comparison is presented as a single spreadsheet rather than as two spreadsheets side-by-side: the latter has the advantage that you can insert blank rows or columns rather than, again, using symbols.

Secondly, there is a Worksheet Summary report that shows the number of formulae in any particular worksheet that refer to other worksheets. This is illustrated in Figure 4. You can drill down to these formulae by double clicking on the relevant cell. In particular, you can identify when two worksheets reference each other, which is not best practice when it comes to developing spreadsheets. The report also provides details of circular references.

Figure 4: Worksheet Summary report

In addition to these tools there is also a facility to show how multiple workbooks are, or are not, related; a report that provides a summary of all worksheets in a book; and the ability to highlight formulae copied between worksheets in three dimensional models.

Other tools

Perhaps the most significant of the other tools provided in Spreadsheet Detective is the Sensitivity Report. This shows how sensitive a selected output value is to all relevant input values.
While this may be valuable in its own right it can also be used to highlight anomalous results, such as a zero sensitivity that may suggest an error in the spreadsheet.

Further tools provide facilities for manipulating name ranges and for chart documentation.

Summary

Spreadsheet Detective is, deservedly, a market leader for auditing tools, both in terms of sales and functionality. However, the product is starting to look its age with respect to the visualisation used. Other, newer entrants to the market may not offer as rich functionality as yet but they do so in a way that is clearer and easier for the auditor. In our view, Southern Cross needs to focus on this area in forthcoming releases if the company is to retain its leadership position.

Spreadsheet Professional

Fast facts

The market for providing complementary products to Microsoft Excel comes from two directions: business intelligence vendors aiming to provide additional functionality, especially in the area of automation and development, and a second group of suppliers that address this market from the perspective of governance and compliance, providing the auditing, security and control that is lacking in Excel. In this latter category there are two broad categories of products: control and compliance tools and auditor’s tools.

Spreadsheet Professional from Spreadsheet Innovations is a suite of tools that addresses the auditor’s (both internal and external) market, though it also includes tools to help with the construction of spreadsheets.

Bottom line

While we have placed Spreadsheet Professional in the category of auditor’s tool the product should not really be regarded (or at least not wholly) in this light. This is because it does not have some of the functionality (such as precedent and dependent analysis) that you would normally expect from a product in this category.
On the other hand, it does have a number of features that are not commonly found in auditor’s tools, such as break-even and sensitivity analysis, and in some of the documentation and spreadsheet building capabilities provided. This makes any comparison with other products difficult. However, it is clearly a market leader as its large customer base can testify to, which suggests that users like the broad range of capabilities that is offered.

Vendor information

Vendor background and product availability

Spreadsheet Innovations is a UK-based company that was founded in 1994, which makes it one of the first companies to recognise the potential importance of the spreadsheet management market. It also has the largest, or one of the largest, user bases, with around 6,000 companies licensing the product world-wide.

The current version of Spreadsheet Professional was launched in 2001 and supports versions of Excel from Excel 97 onwards though not yet Excel 2007. An earlier version of the product (pre-2001) is still available that does support Excel 95. As with other products in the auditor’s tools subset of this market, the product is relatively inexpensive, with a base price of £295, though there are discounts available for multi-user licenses. A free trial version may be downloaded. The company has distributors in both South Africa and Australia.

For companies specifically interested in Sarbanes-Oxley compliance the company has partnered with Miricle Solutions to provide a combined package to address the issues posed by Sarbanes-Oxley. This package, consisting of Spreadsheet Professional together with Miricle Solutions’ video training, which is closely linked to Spreadsheet Professional, describes in detail the errors associated with spreadsheets, how to avoid them and how to use Spreadsheet Professional to detect them and document your spreadsheets.

Web address: www.spreadsheetinnovations.com

Support is via email.
Spreadsheet Professional

Product information

Introduction

Spreadsheet Innovations describes Spreadsheet Professional as providing four different types of tools, which fall into the categories of ‘building’, ‘testing’, ‘documenting’ and ‘using’ tools respectively. We will discuss the various capabilities provided under these headings.

Building tools

By ‘building tools’, Spreadsheet Innovations means tools that help you create spreadsheets. However, we should distinguish between the sorts of tools that Spreadsheet Innovations provides and those of template-driven, automated development environments for spreadsheets, which represent a wholly different class of product. We should also comment that these are general-purpose tools rather than specialist capabilities that some vendors offer for, say, building complex financial models.

There are five building tools provided, as follows:

1. The first tool supports the setting up of spreadsheets in a standard format, in order to support best practices.
2. The Build Bar is intended to minimise the keystrokes used when creating a formula, formatting it and copying it across a spreadsheet, eliminating the need to drag and drop. There is also an automatic colour coding option with the software automatically applying a particular colour depending on whether the cell contains a formula or an input.
3. The Translation Bar shows the current formula in English rather than symbols. For example, “B3: Profits = Sales–Costs”
4. The Spreadsheet Painter provides similar functionality to the automated colour coding in the Build Bar, except that colours are customisable and apply to more cell types, such as headings and labels.
5. The Formula Tracer allows you to see how a formula has been derived, as shown in Figure 1. We would describe this as an ‘analysis’ tool rather than a ‘build’ tool but that is a quibble.
Figure 1: Screenshot of the Formula Tracer tool

Testing tools

Spreadsheet Professional can test for some 25 different potential error conditions, as illustrated in Figure 2. Note that although there is an option to evaluate Lotus rules this does not mean that the product will run with anything other than Excel. When the test is run, the software will generate an appropriate report that provides statistics on all the results. An example of this (for a small spreadsheet) is illustrated in Figure 3.

Figure 2: Test options available in Spreadsheet Professional

Documenting tools

Spreadsheet Professional includes eight documenting tools though, again, we would consider a number of these to be really more about analysis (that is, discovering what the spreadsheet is doing). The tools provided are:

1. A Summary Report that provides details of when the spreadsheet was created, the sheets that are in it and so forth.
2. A Range Name Report that provides a list of range names and external references and what they refer to.
3. A Maps Report that uses symbols to support the visual inspection of spreadsheets so that you can see if the same formula has been copied across adjacent cells. In our view, a more graphical approach (for example, using colour coding) is more intuitive for this sort of mapping.
4. A Translation of Calculations Report that shows the English description of each formula, as displayed in the Translation Bar described previously.
5. A Blank Input Sheets Report that identifies required inputs and generates a relevant blank input sheet.
6. A Current Input Values Report that shows the value of each input.
7. & 8. Testing Reports that detail errors based on the testing options discussed in the previous section.
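The formula maps described in these evaluations (Spreadsheet Advantage’s Map with its ‘F’, ‘>’, ‘v’, ‘+’, ‘T’ and ‘N’ symbols, Spreadsheet Detective’s shading and the Maps Report above) all rest on comparing formulae by relative position rather than by their text. The following added example, which is not code from any of the vendors, builds such a map and flags a cell that breaks a run of copied formulae; it goes slightly beyond the text by also flagging a hard-coded number in the middle of a run. The grid layout, the function names and the limitation to plain A1-style references are assumptions.

```python
import re

# A1-style references; $ marks an absolute row or column. The lookarounds skip
# function names such as LOG10( and longer identifiers. Assumed simplification:
# sheet prefixes and defined names are not interpreted.
REF = re.compile(r"(?<![A-Z0-9_.])(\$?)([A-Z]{1,3})(\$?)(\d+)(?![A-Z0-9_(])")


def col_to_num(letters):
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def num_to_col(n):
    letters = ""
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def relative_form(formula, row, col):
    """Rewrite each reference as an offset from the host cell (row, col are
    1-based), so a copied formula compares equal wherever it was pasted."""
    def repl(m):
        abs_col, letters, abs_row, digits = m.groups()
        c, r = col_to_num(letters), int(digits)
        row_part = f"R{r}" if abs_row else f"R[{r - row}]"
        col_part = f"C{c}" if abs_col else f"C[{c - col}]"
        return row_part + col_part
    return REF.sub(repl, formula.upper())


def _relative_grid(grid):
    """Relative form for formula cells, None for everything else."""
    return [[relative_form(v, r, c)
             if isinstance(v, str) and v.startswith("=") else None
             for c, v in enumerate(line, start=1)]
            for r, line in enumerate(grid, start=1)]


def formula_map(grid):
    """Return one string per row using the symbols F > v + T N (space = blank)."""
    rel = _relative_grid(grid)
    rows = []
    for r, line in enumerate(grid):
        chars = []
        for c, value in enumerate(line):
            f = rel[r][c]
            if f is None:
                if value is None or value == "":
                    chars.append(" ")
                elif isinstance(value, (int, float)):
                    chars.append("N")
                else:
                    chars.append("T")
                continue
            left = c > 0 and rel[r][c - 1] == f
            above = r > 0 and c < len(rel[r - 1]) and rel[r - 1][c] == f
            chars.append("+" if left and above else
                         ">" if left else "v" if above else "F")
        rows.append("".join(chars))
    return rows


def suspicious_cells(grid):
    """Cells whose left and right neighbours hold the same relative formula
    while the cell itself holds something else (formula or constant)."""
    rel = _relative_grid(grid)
    hits = []
    for r, line in enumerate(rel):
        for c in range(1, len(line) - 1):
            left, here, right = line[c - 1], line[c], line[c + 1]
            if left is not None and left == right and here != left \
                    and grid[r][c] not in (None, ""):
                hits.append(f"{num_to_col(c + 1)}{r + 1}")
    return hits


# Constructed sample sheet: D4 adds costs instead of subtracting them.
SAMPLE = [
    ["Item",   "Jan",    "Feb",    "Mar",    "Apr"],
    ["Sales",  100,      110,      120,      130],
    ["Costs",  60,       65,       70,       75],
    ["Profit", "=B2-B3", "=C2-C3", "=D2+D3", "=E2-E3"],
    ["Margin", "=B4/B2", "=C4/C2", "=D4/D2", "=E4/E2"],
]

if __name__ == "__main__":
    print("\n".join(formula_map(SAMPLE)))
    print(suspicious_cells(SAMPLE))
```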
Figure 3: Test report

Using tools

Like most vendors, Spreadsheet Innovations provides a spreadsheet comparison tool though, in this case, it merely displays the differences between spreadsheets (which may be different spreadsheets, different versions of the same spreadsheet or even two separate runs of the same spreadsheet) either for inputs, formulae or results. By contrast, other suppliers typically present the spreadsheets themselves, with differences highlighted.

In addition, Spreadsheet Professional includes a tool that provides both sensitivity and break-even analyses. Sensitivity analysis is rare in products of this type while we are not aware of any other vendor offering break-even analysis. Of the two functions, the sensitivity analysis allows you to select a range to vary any input cell by and then see the impact on any other cell within the spreadsheet. However, while we like the graphical reporting used (see Figure 4) it would also be useful if you could see sensitivity across all cells within a spreadsheet simultaneously. The break-even analysis, on the other hand, lets you see what value the input cell has to be so that the other cell has whatever target value you have set. This is particularly useful when you are trying to establish answers to questions such as “how far can revenues drop before we stop making a profit?”

Figure 4: Use of graphics in a report

Summary

Spreadsheet Professional is best regarded as a general-purpose product rather than as specifically an auditor’s toolset, though it fulfils the latter purpose as well. Clearly, this has had significant appeal as an approach. The question, however, is whether this will continue to be the case as spreadsheet management becomes more prominent as a concern, not just for the business but for IT. There has to be the danger that organisations will start to ask for specialist products to support development and specialist products to support auditing, and so forth.
However, for the present, Spreadsheet Professional offers something for everyone which is, no doubt, why it has been so successful. Spreadsheet Management Chapter 6 – Vendor and product comparisons In this section we will discuss the various vendors covered in this report under the headings used in Chapter 4. Note that we have attempted to be as comprehensive as possible in our coverage in this report but there are no doubt suppliers that we have failed to discover during our research and there is at least one vendor that failed to reply to our repeated requests for information. Unless otherwise stated, a detailed evaluation of each vendor’s product is included within Chapter 5. page 105 Because of the limited number of companies in all of the sectors and sub-sectors of this market we have not included any Bullseye/ Landscape diagrams in this report as these would be misleading with such small numbers. Instead we have reverted to conventional scoring and bar charts to compare technologies only. Spreadsheet Management Chapter 6 – Vendor and product comparisons: Auditor’s Tools page 106 In many respects the vendors in this category are very similar. The vendors are based in a single country, products are available via download, typically with a 30 day free trial, support is via email and all the products have comparable prices with negotiable volume discounts for large-scale enterprise deployment. The only exception (to some extent) is Operis, which primarily markets its OAK product directly to its consulting clients. All of this being the case there is little to differentiate the vendors per se, as opposed to their product offerings. Thus the main differences between the suppliers are the breadth of their product offerings and their ease of use, which is typically represented by the visualisation techniques involved. 
Rather than simply awarding a score for each of these elements it will be more sensible to discuss each of these facets of the products in turn and, in the case of breadth of product, list the major capabilities provided by each product. These are illustrated in Table 1.

| Capability | Operis OAK | Sheetware XDrill | Spreadsheet Advantage | Spreadsheet Detective | Spreadsheet Innovations |
|---|---|---|---|---|---|
| Circular references | Yes | No | Yes | Yes | Yes |
| Formulae errors | Yes | No | Yes | Yes | Yes |
| Formula expansion | No | No | Yes | No | No |
| Formulae with names | Yes | No | Yes | Yes | Yes |
| Spreadsheet mapping | Yes | Yes | Yes | Yes | Yes |
| Formula derivation | No | No | No | Yes | Yes |
| Logic checks | Yes | No | No | Yes | Yes |
| Dependents | No | No | Yes | Yes | No |
| Precedents | Yes | Yes | Yes | Yes | No |
| Comparisons | No | Yes | Yes | Yes | Yes |
| Sensitivity | No | No | No | Yes | Yes |
| Breakeven analysis | No | No | No | No | Yes |
| Model reporting | Yes | No | No | Yes | No |
| Spreadsheet analysis (stats) | No | No | Yes | Yes | Yes |
| Usage reporting | No | No | No | No | No |
| “Spell” check | No | Yes | No | No | No |
| Number derivation | No | Yes | No | No | No |
| Number/range finder | No | Yes | No | No | No |
| Development utilities | Yes | No | No | No | Yes |

Table 1: Comparison of Auditor’s Tools

This table gives an idea of the range of facilities provided by each vendor (for more detailed discussions and descriptions see the various product evaluations in Chapter 5). However, it is by no means an exhaustive list; nor does it differentiate between lesser and greater functionality within each feature. Nevertheless, it represents an accurate picture of the breadth of capability offered by each vendor.

Visualisation

In addition to the particular functionality provided by the features highlighted in Table 1, another significant consideration is the visualisation provided by each supplier. This is important because better visualisation leads to easier use. As an example, Figures 2, 3 and 4 illustrate the Spreadsheet Mapping capabilities provided by Spreadsheet Advantage, Spreadsheet Detective and Sheetware respectively.
Figures 2 & 3: Mapping facilities of Spreadsheet Advantage and Spreadsheet Detective

These are very different. In Figure 2 you cannot see the details of the spreadsheet that the mapping refers to. In Figure 3 colour coding is applied over the top of the spreadsheet and it has the advantage that any cell colouring in the spreadsheet can be retained with the stripes and hashing being applied over the top of the existing colours (and if a cell is coloured blue then the stripes are in pink). However, Figure 4, in our opinion, is much the easiest of these three to understand.

Figure 4: Mapping facilities of Sheetware

Figures 5 and 6 show a different example, this time showing precedents/dependents, with the first example illustrating Spreadsheet Detective’s approach and the second showing Compassoft’s (see Control and Compliance tools) Precedence Walker (there is also a Dependency Walker).

Of course, Compassoft’s product costs orders of magnitude more than Spreadsheet Detective but the point should be clear that the more graphical the approach is, at least potentially, the easier it is to understand.

Amongst the various tools under consideration, particularly praiseworthy visualisation elements include:

• Spreadsheet Detective’s use of AutoNames and tooltips (see Figure 3). Also Operis’ naming capabilities.
• Spreadsheet Advantage’s spreadsheet analysis and circular referencing.
• Sheetware’s spreadsheet mapping.
• Spreadsheet Innovations’ Breakeven analysis capability.

Figure 5: Precedents and Dependence facilities of Spreadsheet Detective

Figure 6: Compassoft’s Precedence Walker

Conclusion

The vendors considered here are:

• Operis: OAK (the product) is from a company specialising in complex financial modelling. At the top end of the price range in this sector of the market. Worth consideration specifically for financial modelling as it has specialised features in this area.
• Sheetware: Offers a modularised suite of tools that can be licensed separately. By far the most popular tool is XDrill, which automates the answer to the question “where does that number come from?” This is worth considering in its own right even if another tool is used more generally.
• Spreadsheet Advantage: Not as comprehensive as its fellow Australian: Spreadsheet Detective.
• Spreadsheet Detective: One of the two leading vendors in the market with the widest set of auditor’s tools from any vendor in the space (including control and compliance tools—see next section). We would like to see some more use of modern visualisation techniques (though this comment also applies to other vendors) but Spreadsheet Detective is highly recommended for its breadth of capability.
• Spreadsheet Innovations: The other leading vendor. Spreadsheet Professional (the product) has a broader set of capabilities in that it incorporates tools to help make the task of spreadsheet development easier (but not automated—see later) but is more restricted than Spreadsheet Detective in that it does not offer as wide a range of purely auditing capabilities.

Unless you have special interests (when Operis’ OAK, for example, might be appropriate) then the choice clearly lies between Spreadsheet Detective and Spreadsheet Innovations as the two most extensive product sets within this market. Which choice you make will largely depend on your requirements: the former if you are solely concerned with auditing but the latter if you also want help with development, though it should be borne in mind that these are only really utilities that are provided and, even there, there is some overlap with Spreadsheet Detective.

Note that your choice may be different if you are using one of the control and compliance products that offers auditor’s tools as here you will be looking to fill in gaps rather than necessarily requiring a complete tool in its own right. XDrill could be a useful addition regardless of which other product you adopt.

To be more specific:

• Recommended as best-of-breed pure Auditor’s tool: Spreadsheet Detective
• Recommended as best Auditor/Developer tool: Spreadsheet Innovations
• Recommended for complex financial modelling: Operis
• Recommended as add-on to discover where a number came from: Sheetware XDrill

Other vendors

Two other vendors, whose products are not included in Chapter 5, are worth mention, as follows:

Codematic: This is a UK-based consulting company specialising in spreadsheet management that developed XLAnalyst as an in-house tool for checking things such as circular references, numbers formatted as text, conditional logic, complex modelling logic and so forth. However, XLAnalyst is purely an error checking tool rather than an Auditor’s tool. As such it is not evaluated in detail in this report. Codematic is planning to offer commercial products for enterprise spreadsheet management but, according to its web site, is currently too busy on consulting engagements to suggest any potential release dates.

UTS: Does not provide a full range of auditor’s tools and it is not included in Chapter 5. However, it does have two tools that may be of interest. The first is MathLook for Excel and the second is the Galaxy Enterprise Knowledge Management System. The former is used to present formulae using names rather than symbols (a feature that is in a number of the other tools) and the latter allows an enterprise to apply a common approach to developing and deploying engineering models so that the same, secure user interface can be used to access spreadsheet models as well as information derived from other environments such as Fortran, MathCad or the company’s own TK Solver.
Control and Compliance tools

While the vendors in the Auditor’s Tools category were fairly homogeneous this is by no means true for Control and Compliance tools. Here we have three companies (CIMCON, Compassoft and Prodiance), all of which have an established background in building compliance solutions; three companies (ClusterSeven, Lyquidity and ROISoft) that have built new (and only) products specifically targeted at spreadsheet management; and two companies (Mobius and SmartDB) that have a history in other markets and that have identified spreadsheet management as an opportunity. Moreover, the maturity of the various solutions varies widely, from products with a substantial history and in excess of 100 users to the latest entrant, SmartDB, whose product only becomes available in June 2007. Furthermore, SmartDB’s eXpresso is the first product to be available via Software as a Service. All in all, therefore, the market is remarkably heterogeneous given that there are only eight suppliers.

In particular, note that ClusterSeven and Lyquidity do not address the same markets as the other vendors. ClusterSeven has been designed for environments where spreadsheets are already treated as a corporate resource and the only requirement is the best possible monitoring of that resource. In other words, the product is focused on compliance but not control. Lyquidity, on the other hand, is more aimed at departmental solutions and the SME market where a minimal solution is required at a low cost. It does not have anything like the functionality of the other products but then an enterprise license for the product is just $8,995 whereas the other vendors are typically talking about 6 or 7 figure sums.

Returning to the issue of heterogeneity, the same is also true with respect to the categories of capability provided by each vendor. This is illustrated in Table 2.
| Vendor | Discovery | Compliance | Risk Assessment | Control | Auditor’s tools | Security | Collaboration |
|---|---|---|---|---|---|---|---|
| CIMCON | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Cluster7 | Yes | Yes | No | No | Comparison | Yes | No |
| Compassoft | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Lyquidity | No | Yes | No | Yes | Comparison, Formula expansion | No | No |
| Mobius | Planned | Yes | No | Yes | Consistency checks | Yes | No |
| Prodiance | Yes | Yes | Yes | Yes | Yes | Yes | No |
| ROISoft | Yes | Yes | No | Yes | No | Yes | No |
| SmartDB | Future | Yes | No | Yes | Comparison | Yes | Yes |

Table 2: Comparison of Control & Compliance Tools

As should be obvious these are only very broad brush categorisations and the details of each product are necessarily more complex than this.

Note that with respect to Auditor’s tools none of these vendors have the breadth of capability offered by the leading Auditor’s Tools such as Spreadsheet Detective or Spreadsheet Innovations. However, where they do have equivalent functionality the products in this category tend to make use of more advanced visualisation capabilities than the pure play Auditor’s products.

Visualisation

However, that is not to say that there are not significant differences between the various vendors even in this category when it comes to visualisation. Compare, for example, Figures 7 and 8, which show the approach to workflow provided by Mobius (approvals process) and Prodiance (change control) respectively. Needless to say we find the more graphical approach of Prodiance to be more appealing and intuitive. Indeed, this is a particular strength of the Prodiance product.

Note that in the scoring section that follows we have not scored visualisation as a separate entity but taken this into account across the various scores.

The vendors

Vendors in this category include:

• CIMCON: One of only two vendors in this category with over 100 customers, CIMCON is clearly one of the market leaders with a long history of compliance solutions.
• ClusterSeven: A compliance only solution that has established a presence within financial services, where it is focused. The company has only a handful of users though these are very large implementations.
• Compassoft: Has the largest share of any company in the market, with more than 150 customers. It is thus the market leader. As with CIMCON, the company has a significant history of providing compliance solutions, not just for spreadsheets.
• Lyquidity: A relatively new and very low-priced (comparatively) solution. This makes it attractive but the product does not have an understanding of spreadsheet hierarchies (amongst other things) at present, which means that it will have limited application within markets such as financial services and may well be most suitable (because of its very attractive pricing) to SMEs.
• Mobius: The largest and most well-established company in this group and the only public one amongst them, with 450 employees and a world-wide presence (revenues last year of just under $90m). It has a significant customer base for its more traditional products (records management and so forth) that it can leverage with its control and compliance solution. This gives it an opportunity that its rivals do not have, though the product is not currently as feature rich (it was released later) as some of its rivals.
• Prodiance: This was a spin-off from Agilent after that company acquired Scientific Software. As such the company has a solid background in compliance though this is not reflected in the size of its customer base, since it has only been in existence since 2005.
• ROISoft: Another new entrant to the market, having only launched its product ExSafe at the end of 2006. Unlike other companies in this market it has started by specialising in security and has then built control and compliance on top of that, rather than the other way around.
• SmartDB: The most exciting of the new entrants to the market (at the time of writing it has not actually been released though the platform the product is built upon is three years old: availability is scheduled for June 2007) with its eXpresso product. This is the first (as far as we are aware) product in this space to offer spreadsheet management through a Software as a Service (SaaS) model similar to Salesforce.com, though the software is also available in stand-alone mode if required. We believe that this gives the company significant potential within the market, depending on how long it has this advantage over its competitors. It is notable also that eXpresso has significant collaborative capabilities that are largely missing from competitive offerings. Like Mobius, SmartDB is an existing (privately owned, 12 year old) organisation that is branching out (from tools supporting Oracle environments) into this market and it will therefore have an established client base (in 20 countries currently) to leverage.

Scoring

In this section we provide comparative scores for the technologies provided by the different vendors, according to Table 2. However, as SmartDB is the only vendor to have introduced collaborative capabilities (for example, the ability to share rather than email spreadsheets and to control that sharing) over and above those of conventional document management systems, we have not bothered to score this particular category. Of the remainder, the sorts of facilities we are looking for include:

Discovery: The way in which this is implemented: is it non-intrusive, what impact will it have on performance, how much implementation effort will be required and how quickly can you get started?
Further, how effective this will be on an on-going basis, whether this is automatic and iterative or whether it is optional and you have the choice to use scheduled updates, if necessary. It also includes the ability of the product to recognise the links that exist between spreadsheets and between spreadsheets and data sources, and to handle those links automatically both initially and when changes are made.

Compliance: The capabilities of the audit trail (which should be down to cell level, have actual times for changes not saves, the ability to record failed changes, support for multiple time zones, whether the audit trail can be encrypted, and colour coding), whether there is support for electronic signatures, if you can mandate the attachment of notes when changes are made, if there are ad hoc reporting or compliance dashboards built-in, whether you can examine cell histories, if there is trend analysis available, if there are archival policies that you can apply and whether there are facilities for automatically generating alerts when changes are made.

Risk Assessment: This is the process of assessing the risks involved with any particular spreadsheet so that you can determine which ones need to be taken under management most urgently. Risk assessment is typically associated with Discovery and relies, at least in part, on appropriate Auditor’s tools. Facilities needed include the sorts of risk and complexity analysis provided, including whether there is a risk scorecard or dashboard.

Control: Support for version control (down to cell level and including check-in and checkout and, if this is via a document management system, what range of options is available), the segregation of duties and workflow. With respect to workflow: is it graphical, can it be connected to business process management systems and can it be used for building spreadsheet applications as well as things such as approval processes?
Auditor’s tools: Apart from the various facilities discussed in the section on this topic there are a number of additional capabilities provided by one or more suppliers in this grouping, notably consistency checks (applied when the same spreadsheet is reused on a regular basis but with different data), the ability to apply colour coding, the ability to query spreadsheets and policy enforcement (for example, that this spreadsheet complies with this template).

Security: Support for digital rights management, LDAP and Active Directories, encryption of data and audit trails, support for off-line working; and locking down to cell level based on roles, with passwords and user permissions that can be applied down to the cell level (which will need inheritance to be implemented to avoid too heavy an administrative overhead), along with the ability to lock down macros and queries.

The following bar charts represent the score (out of 10) we have awarded the vendors based on the criteria outlined on page 7.

[Figures 7 to 14: bar charts of scores from 0 to 10 for Discovery, Compliance, Risk Assessment, Control, Auditor’s Tools and Security. Figure 7: CIMCON scores; Figure 8: ClusterSeven scores; Figure 9: Compassoft scores; Figure 10: Lyquidity scores; Figure 11: Mobius scores; Figure 12: Prodiance scores; Figure 13: ROISoft scores; Figure 14: Lyquidity scores]

Conclusion

While we do not normally advocate the simple addition of our technical scores, in this case it is not an unreasonable exercise, though potential buyers should apply their own weightings to these figures according to their requirements. That said, on a straightforward mathematical basis, taken across the board, we regard Prodiance as the technology leader in this category, closely followed by CIMCON and Compassoft. However, it is only a relatively narrow lead that is held by Prodiance.

All three of these suppliers come from a background (at least in part) of providing compliance solutions within the pharmaceutical sector and they have the broadest range of capabilities. However, Prodiance differs from the other two companies in that it was originally a part of Scientific Software, which was acquired by Agilent in 2005, which specialises in that market. Prodiance was spun out of that company to focus on compliance more generally, and specifically for the enterprise spreadsheet management market. As a result, it has significantly fewer customers than either CIMCON or Compassoft (which is the market leader in terms of its customer base, with over 160 customers). Nevertheless, we consider Prodiance to be a market leader along with these vendors, because of the strength of its technology which, at present at least, we believe to be superior to those of its rivals.

Of the other vendors, we expect Mobius to continue to leverage its large installed base and the fact that it is a well-established public company. However, it does not at present look like a potential threat to the market leaders though its ability to support archival within a records management system is attractive. Similarly, neither ClusterSeven nor ROISoft are going to be general-purpose product leaders any time soon (though for specialised purposes they will have their adherents). On the other hand, Lyquidity may make inroads at the SME level thanks to its lower cost of ownership, though its (current) lack of features means that it is unlikely to be of interest to large enterprises.

Most interesting, however, is the advent of SmartDB’s eXpresso with its Software as a Service model (and its collaborative features) for spreadsheet management, which could prove very appealing to a wide range of users. While it is early days for this product (at the time of writing it has not yet been released), if the company can replicate the success of Salesforce.com then the incumbent vendors had better look to their laurels.

Making specific recommendations is difficult because it will depend on requirements: you may have more of a bias towards control or security, for example, or the emphasis may be more on compliance (including discovery, risk assessment and auditor’s tools). Anyway, to be specific:

• Recommended for best overall capability and best control: Prodiance
• Recommended for best security: ROISoft
• Recommended for best discovery and compliance: Compassoft
• Recommended for best compliance only: ClusterSeven
• Recommended for best risk assessment: CIMCON
• Recommended for SaaS and collaboration: SmartDB

As can be seen from these results the vendors are very close together in a number of respects: this is why you can slice and dice our results in a variety of ways and get different winners. We expect this position to clarify in due course but both the advent of new vendors into the market and the fact that all of the established suppliers have features in their products that are not in other products, suggests that this is a market that is still maturing.
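The Compliance and Security criteria listed under Scoring above ask for a cell-level audit trail that stamps the actual time of each change, records failed changes and can mandate a note, and for role-based locking down to the cell with inheritance. The Python sketch below is an added illustration of those requirements, not code from this report or from any product it evaluates; the class names, roles, sheet names and values are assumptions constructed for the example.

```python
"""Added example: cell-level permissions with inheritance, plus an audit
trail that records every change attempt. All names here are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

READ, WRITE = "read", "write"


class Permissions:
    """Role grants at workbook, sheet or cell scope; the most specific wins."""

    def __init__(self):
        self._grants = {}  # (role, (sheet, cell)) -> set of rights

    def grant(self, role, rights, sheet=None, cell=None):
        self._grants[(role, (sheet, cell))] = set(rights)

    def rights(self, role, sheet, cell):
        # Walk from the cell up to the workbook. Inheritance means a cell with
        # no explicit entry takes its sheet's rights, then the workbook's, so
        # administrators do not have to configure every cell.
        for scope in ((sheet, cell), (sheet, None), (None, None)):
            if (role, scope) in self._grants:
                return self._grants[(role, scope)]
        return set()  # default deny


@dataclass(frozen=True)
class AuditEntry:
    when_utc: datetime  # time of the change attempt, not of the file save
    user: str
    role: str
    sheet: str
    cell: str
    old: object
    new: object
    note: str
    outcome: str  # "applied", "denied" or "rejected-no-note"

    def local_time(self, utc_offset_hours):
        """Render the stored UTC time for a reviewer in another time zone."""
        return self.when_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


@dataclass
class ManagedWorkbook:
    perms: Permissions
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    cells: dict = field(default_factory=dict)   # (sheet, cell) -> value
    trail: list = field(default_factory=list)   # every attempt, in order
    watched: set = field(default_factory=set)   # cells that raise alerts
    alerts: list = field(default_factory=list)

    def set_cell(self, user, role, sheet, cell, value, note=""):
        key = (sheet, cell)
        old = self.cells.get(key)
        if WRITE not in self.perms.rights(role, sheet, cell):
            outcome = "denied"              # failed change is still recorded
        elif not note.strip():
            outcome = "rejected-no-note"    # a note is mandatory
        else:
            outcome = "applied"
            self.cells[key] = value
        entry = AuditEntry(self.clock(), user, role, sheet, cell,
                           old, value, note, outcome)
        self.trail.append(entry)
        if key in self.watched:
            self.alerts.append(entry)       # alert on any attempt, even denied
        return entry

    def history(self, sheet, cell):
        """Cell history: every recorded attempt against one cell."""
        return [e for e in self.trail if (e.sheet, e.cell) == (sheet, cell)]


def demo():
    # Constructed scenario with a fixed clock so the result is repeatable.
    ticks = (datetime(2007, 6, 1, 9, m, tzinfo=timezone.utc) for m in range(60))
    perms = Permissions()
    perms.grant("analyst", {READ, WRITE})                        # workbook-wide
    perms.grant("analyst", {READ}, sheet="Assumptions")          # sheet override
    perms.grant("analyst", {READ, WRITE}, sheet="Assumptions", cell="B2")
    wb = ManagedWorkbook(perms, clock=lambda: next(ticks))
    wb.watched.add(("Assumptions", "B3"))
    wb.set_cell("alice", "analyst", "P&L", "C5", 120, note="Q2 actuals")
    wb.set_cell("alice", "analyst", "Assumptions", "B3", 0.9, note="try rate")
    wb.set_cell("alice", "analyst", "Assumptions", "B2", 0.07)
    wb.set_cell("alice", "analyst", "Assumptions", "B2", 0.07, note="rate per CFO")
    return wb


if __name__ == "__main__":
    for e in demo().trail:
        print(e.when_utc.isoformat(), e.sheet, e.cell, e.old, "->", e.new, e.outcome)
```
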
Automation Tools

There are only two genuine products in this category that we are aware of: Actuate e.Spreadsheet and Qtier-Rapor. Both of these provide a complete development environment for creating spreadsheet applications. The former company is a US-based public company (with revenues last year of $128.6m) and has offices around the world while the latter is based in the UK but has partners in the United States, Europe and elsewhere.

The big difference between these two products is that Actuate provides a spreadsheet development automation tool while Qtier also provides explicit control and compliance capabilities. That said, some of these sorts of facilities (version control, for example) directly result from the automation/development process, so Actuate provides these too. On the other hand, bear in mind that these are only control and compliance capabilities provided for spreadsheets built within these environments. Neither product has any ability to manage pre-existing spreadsheets let alone the ability to discover them.

Nevertheless, there is clearly a substantial market for this sort of solution: Qtier (a relatively small and unknown company) has managed to acquire some 50 customers in a relatively short period of time. In practice, we expect both of these companies to do well. We are inclined to prefer Qtier’s solution at this point in time but Actuate has a large existing user base that it can leverage.
Table 3 gives an overview of the capabilities provided by both vendors:

| Capability | Actuate | Qtier |
|---|---|---|
| Cell-level version control | Yes | Yes |
| Security | Yes | Yes |
| Template-based | Yes | Yes |
| Wizard-based | Yes | No |
| Formatting separate from logic | Yes | Yes |
| Federated data access | Yes | Yes |
| Dynamic serving | Yes | Yes |
| Audit trail | Yes | Yes |
| Workflow | No | Yes |
| Printed authentication | No | Yes |
| Scheduling | No | Yes |
| Alert generation | No | No |

Table 3: Comparison of Automation Tools

Given the emphasis we have placed on visualisation in the previous two sections we do not believe that we need to belabour that point here.

Recommended automation solution: Qtier-Rapor

Risk Integrated

Risk Integrated, as its name implies, is focused on taking the risk out of spreadsheets. To this end it treats spreadsheets as three separate logical components: the data sources used to populate the spreadsheets, spreadsheet logic and output. Spreadsheets are populated either via automation or the generation of web forms so that users never enter data directly into a spreadsheet. Equally, reports are generated by the software and are presented to the user so that the user never gets to see the spreadsheet logic either.

Risk Integrated is a UK-based consulting company that primarily markets its product to its clients. As its lower level of functionality would indicate (it is around the same price as Auditor’s tools), it is significantly less expensive than full automation products.

Conclusion

In an ideal world one might design a new spreadsheet paradigm, based on appropriate industry standards, where all facilities were encapsulated into either query, reporting or planning environments, and provided the necessary security and auditing capabilities. Unfortunately, we do not live in such an idyllic setting: spreadsheets as they currently exist will continue to be used in their millions and any attempt to move users to another environment is doomed to failure.
The challenge is therefore to provide as close to this type of functionality as possible, while at the same time offering comprehensive management capability yet without removing the obvious benefits to end users.

If we accept the arguments outlined in this report for spreadsheet management (and we believe these to be overwhelming) then control, security and auditing must be imposed externally, without impacting on the user’s ability to use Excel (or whatever) as he or she sees fit. As we have discussed, this can either be done through the provision of auditing on its own (where security is not considered an issue) or by a combination of control and compliance.

There has been a growth in plug-in approaches to spreadsheets. We regard these as inadequate: on the one hand they offer auditing and security but are not as rich in their capabilities as complete control solutions, while on the other hand they are limited to siloed environments such as business intelligence or planning and budgeting but do not span the entire enterprise—which is precisely what you don’t want. Moreover, these are bound to installations within particular, vendor-supported versions of Microsoft Office and therefore have limited deployment possibilities. The emphasis for any product selection policy should be to ensure cross-functional and cross-application capability.

While it is impossible to remove entirely the possibility of errors occurring in spreadsheets, it is possible to greatly reduce their likelihood. This can be accomplished in two ways: first, by treating spreadsheets as enterprise resources that need to be properly tested and checked prior to deployment and, secondly, by using tools that simplify the spreadsheet environment both with respect to heterogeneous data access and the use of automation (for example, in generating spreadsheets from design templates)—reduction in complexity paired with design-driven automation should lead directly to a reduction in error rates.
To conclude: while evolving, this is still an emerging market and there are vendors that are taking different approaches. However, we would argue against plugins and clearly favour either or both of the compliance only or control and compliance approaches, where appropriate, with these being supplemented by automation and/or auditing tools. Which combination will best suit your company’s requirements will depend on your circumstances but what is certain is that you should be considering spreadsheet management as a matter of urgency.

More information

Bloor has set up a page on its website dedicated to this report, where you can find further information regarding this subject.

Bloor Research overview

Bloor Research has spent the last decade developing what is recognised as Europe’s leading independent IT research organisation. With its core research activities underpinning a range of services, from research and consulting to events and publishing, Bloor Research is committed to turning knowledge into client value across all of its products and engagements. Our objectives are:

• Save clients’ time by providing comparison and analysis that is clear and succinct.
• Update clients’ expertise, enabling them to have a clear understanding of IT issues and facts and validate existing technology strategies.
• Bring an independent perspective, minimising the inherent risks of product selection and decision-making.
• Communicate our visionary perspective of the future of IT.

Founded in 1989, Bloor Research is one of the world’s leading IT research, analysis and consultancy organisations—distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services and consultancy projects.

About the author

Philip Howard
Research Director - Data

Philip started in the computer industry way back in 1973 and has variously worked as a systems analyst, programmer and salesperson, as well as in marketing and product management, for a variety of companies including GEC Marconi, GPT, Philips Data Systems, Raytheon and NCR.

After a quarter of a century of not being his own boss Philip set up what is now P3ST (Wordsmiths) Ltd in 1992 and his first client was Bloor Research (then ButlerBloor), with Philip working for the company as an associate analyst. His relationship with Bloor Research has continued since that time and he is now Research Director. His practice area encompasses anything to do with data and content and he has five further analysts working with him in this area. While maintaining an overview of the whole space Philip himself specialises in databases, data management, data integration, data quality, data federation, master data management, data governance and data warehousing. He also has an interest in event stream/complex event processing.

In addition to the numerous reports Philip has written on behalf of Bloor Research, Philip also contributes regularly to www.IT-Director.com and www.IT-Analysis.com and was previously the editor of both “Application Development News” and “Operating System News” on behalf of Cambridge Market Intelligence (CMI). He has also contributed to various magazines and has had a number of reports published by companies such as CMI and The Financial Times.

Away from work, Philip’s primary leisure activities are canal boats, skiing, playing Bridge (at which he is a Life Master) and walking the dog.

Copyright & disclaimer

This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research.

Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research’s intent to claim these names or trademarks as our own.

Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.

Suite 4, Town Hall, 86 Watling Street East
TOWCESTER, Northamptonshire, NN12 6BS, United Kingdom
Tel: +44 (0)870 345 9911
Fax: +44 (0)870 345 9922
Web: www.bloor-research.com
email: info@bloor-research.com