spreadsheet management

advertisement
spreadsheet management
No matter the popularity of
spreadsheets, they, when used
improperly or incorrectly, or
without sufficient control,
pose a greater threat to your
business than almost anything
you can imagine
Philip Howard
Contents
Chapter 1 – Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2 - Spreadsheet problems . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 3 - Thinking about Spreadsheet Management . . . . . . . . . . . . . . 9
Chapter 4 - Spreadsheet Management Approaches . . . . . . . . . . . . . . . 13
Chapter 5 – Product Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . 17
Actuate e.Spreadsheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
CIMCON Spreadsheet Compliance Solutions . . . . . . . . . . . . . . . . . 26
ClusterSeven Enterprise Spreadsheet Management . . . . . . . . . . . . 32
Compassoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Lyquidity ComplyXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Mobius ABS for Spreadsheet Compliance . . . . . . . . . . . . . . . . . . 52
Operis Analysis Kit (OAK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Prodiance Spreadsheet Compliance . . . . . . . . . . . . . . . . . . . . . . 62
Qtier-Rapor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Risk Integrated Enterprise Spreadsheet Platform . . . . . . . . . . . . . . 76
ROISoft ExSafe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Sheetware XLSpell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
SmartDB eXpresso . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Spreadsheet Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Spreadsheet Detective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Spreadsheet Professional . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 6 – Vendor and product comparisons . . . . . . . . . . . . . . . . . . 105
Auditor’s Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Control & Compliance Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Automation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Bloor Research overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
About the author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Copyright & disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
page i
Spreadsheet Management
Chapter 1 – Executive Summary
Introduction
Spreadsheets represent one of the most
popular applications on the planet. This is
because they are the reporting and analysis tool
of choice for many professionals and because
they support collaboration and information
sharing. Moreover, this is not going to change,
not just in terms of existing business people
but, as our children are being taught how to use
spreadsheets in school, this popularity is likely
to continue for many years to come:
spreadsheets are ubiquitous and will remain so.
However, no matter the popularity of
spreadsheets, they also, used improperly or
incorrectly, or without sufficient control, pose a
greater threat to your business than almost
anything you can imagine. They can give rise to
compliance issues because changes to data are
not audited. They can also be used to aid and
abet fraud, because security is not applied
(typically) to conventional spreadsheets and,
again, because there is no control over the
ability to change data values (and bearing in
mind that most fraud is carried out by
authorised personnel). Further, it is easy to
make mistakes in spreadsheets (for example,
by entering an incorrect formula) that can
mislead decision makers, the results of which
can be very expensive. HM Customs & Excise in
its “Methodology for the Audit of Spreadsheet
Models” says that “the complexity and
functionality of spreadsheets has reached levels of
sophistication that few could have imagined… the
consequent threat posed to businesses by such
powerful ‘end user’ applications, mainly in the
hands of untrained users, is immense”.
A major cause of these problems is that
spreadsheets are not treated as an enterprise
resource. For example, although there are
(limited) security and auditing facilities in
Microsoft Excel, these are not usually enforced.
Indeed, because many users are self-taught
they will not be aware that such facilities even
exist. In the main, this is because spreadsheets
are not perceived to be an IT resource but are
seen to lie within the business domain. As a
result, corporate security standards are not
implemented for spreadsheets. On the other
hand, the business is not aware of the potential
dangers that the uncontrolled use of
spreadsheets can cause. A major focus of this
report is therefore to make business users
aware of these dangers so that they can push
the task of managing spreadsheets into the
hands of the IT department. In particular, it
discusses the need for spreadsheet
management, precisely in order to prevent, or
at least minimise, the issues just mentioned.
Having established the need for spreadsheet
management solutions, this report goes on to
discuss the various types of solution that are
available, which range from complete control
(that is, you absolutely prevent people from
page 1
doing what you don’t want them to) to complete
monitoring with no control (that is, you monitor
all changes but do not actively prevent any of
them—rather like closed circuit TV). In addition,
there are tools that are specifically designed to
help you find errors within spreadsheets. We
will discuss the relative merits of these
different approaches and when each of these
might be most suitable (which will depend upon
how spreadsheets are used and for what
purpose).
Further, we will compare and evaluate the
various products that exist within each of these
sectors. When we first published our white
paper ‘Managing Spreadsheets’ in 2005 the
solutions available on the market were few and
far between and most of them were immature.
While new products continue to emerge there is
now a core set of well-established vendors with
significant user bases. This is why we now feel
that the time has come to look in detail at the
products serving the enterprise spreadsheet
management market. Moreover, Ventana
Research has conducted research within this
area and estimates that while the total market
for enterprise spreadsheet management tools
was $15m in 2006 it expects this to grow to
some $500m within five years. The time has
therefore arrived to look at the vendors in this
market in some detail.
In addition, it is worth bearing in mind that
spreadsheets take an inordinately long time to
produce. This is typically caused by the varying
skill sets of the spreadsheet users but even the
expert spreadsheet craftsman tends to spend
too much time in tedious and repetitive tasks
such as formula copying, formatting, workbook
assembly, and distribution. From a business
perspective, therefore, it would be useful if
spreadsheet management solutions were to be
able to provide automated facilities that could
alleviate this repetition—with all the
productivity gains that that implies. As it
happens, there are a couple of vendors that
offer automation for the development of
spreadsheet applications (such as
consolidation, sales reporting or budgeting and
planning) as well as tool vendors within the
conventional management category that
provide facilities to speed up the development
of spreadsheets. We will also consider the
capabilities provided by all of these suppliers.
Finally, one point that we must make is that
there is an inevitable congruity between the
concept of spreadsheets on the one hand and
Microsoft Excel on the other. Excel is, after all,
the epitome of a spreadsheet application, and it
is by far the most widely used. In general,
where Excel is referred to in this paper it can be
taken as a synonym for spreadsheet unless
specifically stated otherwise. We will, however,
discuss (briefly) the uses of spreadsheets from
other vendors.
Spreadsheet Management
Chapter 2 - Spreadsheet problems
There are five major problems with
spreadsheets: the potential for errors, lack
of security, the absence of an audit trail, the
misperception that spreadsheets are not an
enterprise resource, and productivity issues.
We will consider each of these in turn before
considering some other management issues
related to spreadsheets.
Error potential
The following paragraph is excerpted from
a PriceWaterhouseCoopers (PwC) report
published on the use of spreadsheets and the
Sarbanes-Oxley Act, in July 2004:
“An article in the May 24, 2004 issue of
Computer World indicated that, “Anecdotal
evidence suggests that 20% to 40% of
spreadsheets have errors, but recent
audits of 54 spreadsheets found that 49
(or 91%) had errors, according to research
by Raymond R. Panko, a professor at
the University of Hawaii.” The Journal
of Property Management on July 1, 2002
stated, “30 to 90 percent of all spreadsheets
suffer from at least one major user error.
The range in error rates depends on the
complexity of the spreadsheet being tested.
In addition, none of the tests included
spreadsheets with more than 200 line items
where the probability of error approaches
100 percent.” Perform an online search
for spreadsheet errors or spreadsheet audit,
and you will find a number of major failures
attributed to spreadsheet inaccuracies that
hit the press in the past year alone.”
This is not the first time that PwC has reported
on the errors inherent in spreadsheets. In
earlier work, the company reported that, in a
survey of large client spreadsheets, it found
that 90 per cent contained significant errors.
More recently, KPMG Consulting reported that
95% of the financial models that it reviews
contain material errors. Note in particular the
statement that: “in spreadsheets with more than
200 line items the probability of error approaches
100 per cent”.
Of course spreadsheet errors may be more or
less important, depending on the spreadsheet
in which they appear and the purpose for which
the spreadsheet has been created. However,
research has been carried out to establish the
impact of errors in spreadsheets on decision
making. According to a 1996 report, the cost of
these mistakes is within the range of $10,000 to
$100,000 per decision per month.
The European Spreadsheet Risks Interest
Group (EuSpRiG) runs a web site (www.eusprig.
org/stories.htm) on which it lists the results of
various spreadsheet errors. The following are
just four of these (though in the last case this
was not an error but fraud):
page 3
A. January 29, 2005: Mistakes happen during
budget planning: “Gov. John Lynch’s budget
team … has to find another $70 million to
make its budget balance. Figures that the
Health and Human Services Department
provided to budget writers in the fall
contained an error that double-counted
more than $17 million of Medicaid money
in each of the next two years. A detailed
spreadsheet that HHS gave Ways and
Means Tuesday morning showed that $35
million in a specific category of hospital
reimbursements would come in over
the next two years. A second sheet HHS
produced Tuesday afternoon showed no
money in the category, reflecting the fact the
funds can only be used one way—at the state
hospital.”
B. June 17, 2005: Natural gas consumers
sue Dominion Transmission over clerical
error—A Federal Energy Regulatory
Commission investigation found that the
subsidiary of Richmond, Va.-based Dominion
Resources Inc. submitted the wrong week’s
gas storage figures in November, leading to
an artificial inflation of natural gas prices.
The lawsuit estimates that consumer prices
were hiked by between $200 million and $1
billion. “The investigation concluded that
it was not deliberate, but when I hear the
words clerical error, I think of negligence,”
plaintiff’s attorney W. Coleman Allen Jr.,
of Richmond, Va., said Friday. “Consumers
were harmed the same as if it was
intentional.” One explanation for the error
was that the company had used the same
computer file name for each week’s storage
balance spreadsheet report, making it easy
for the wrong one to be sent.
C. September 12, 2003: ORLANDO Sentinel—
Assistant County Manager Cindy Hall, in
a memo to commissioners on Thursday,
wrote that the April 22 study by Henderson
Young & Co. duplicated the cost of building
a new elementary school. The extra $12
million cost was corrected on a spreadsheet
in the study, but it wasn’t later adjusted
on the total cost of school projects for
the next five years. Jim Drake, director of
finance for Lake County Public Schools,
said: “It was basically a simple spreadsheet
error. But obviously it’s going to have an
impact on building new facilities.” County
Commissioner Jennifer Hill said the
consultant was given the final numbers for
its study from the School Board only a few
months before the study’s completion, “It
was rush, rush, rush,” she said. Hill called
the mistake “a simple mathematical error”.
D. 2001: The role of spreadsheets in the AIB/
Allfirst currency trading fraud—Allfirst
“Would not pay the US$ 10,000 for a
direct data feed from Reuters to the risk
Spreadsheet Management
Chapter 2 - Spreadsheet problems
control section”. Instead, they got Rusnak
to download his Reuters feed into a
spreadsheet. He then substituted links to
his private manipulated spreadsheet. The
total losses hidden by the fraud were almost
US$700M. Rusnak exaggerated bonuses by
over half a million dollars.
There are four types of potential errors in
spreadsheets:
1. Errors in the data—these can occur through:
a. Incorrect data entry—keyboard entry of
data is to be avoided if at all possible.
There are well-established error rates
for keying errors, which are inevitable if
data is to be entered manually.
b. Incorrect specification—for example, you
want data in a particular cell to reflect
a database field called “cust1” but have
inadvertently entered “cust2”. Similarly,
if working with a front-end environment
that supports Excel, you might have
selected the wrong option from a dropdown list of relevant data sources. Of
course, this is similar to incorrect data
entry but it cannot be entirely eliminated.
c. Incorrect definition—similar to incorrect
specification. This occurs when you
specify the wrong format for a field. For
example, you define it as text when it
should be a currency field.
d. Incorrect placement—this differs from
incorrect specification in that the data
you have defined is correct, but you have
put it in the wrong place, as opposed to
the wrong data in the right place. Note
that incorrect placement is not limited
to single instances. You may reuse a
particular value in multiple places within
a spreadsheet or across spreadsheets,
and the data may be in the right place in
some instances and wrong in others.
e. Incorrect access—in spreadsheet
reporting applications (as opposed to
things like budgeting applications) it is
often the case that data is loaded into the
spreadsheet in some sort of automated
way, either via an import from a CSV
(comma separated value) file, or more
directly from a query environment. In
these cases there is the potential to
address the wrong data source, or to
perform an invalid transformation as the
data is loaded into the spreadsheet. This
problem can be exacerbated if timeliness
is a major consideration, with lack of
real-time access to data in spreadsheets
driving users to deploy ad hoc query tools
that exist outside of the spreadsheet
environment.
page 4
2. Formulaic errors—that is, where a formula
is incorrectly expressed. For example,
you might have “x” instead of “+”, with
appropriately disproportionate results, or
you might have added (or multiplied) the
wrong columns. In the case of formulae
there are basically three types of error:
formulae that have been incorrectly worked
out in the first place, formulae that are
inaccurate because of keying errors, and
problems with cloned formulae. In the last
case, for example, it is all too easy to clone
a formula designed to sum 10 cells and put
it at the bottom of a column with 15 cells.
Some, but by no means all, errors may
be detected by the spreadsheet software.
Microsoft Excel, for example, will display (if
appropriately set up) a small green triangle
with a pop-up comment if it suspects a
formulaic error. However, not only does
this miss some errors it may also think
that some correct formulae are incorrect.
Finally, note that formulae may suffer from
the same problems as data: for example,
right formula, wrong place.
3. Macro errors—many spreadsheet users do
not use macros, but for those that do this
represents another major potential source
of errors. Macros are, in effect, miniprograms and we all know how bug-ridden
and error prone programs can be. While
there is less scope for errors in macros, it
remains a possibility that must be catered
for.
4. Template errors—a template error relates
to the misapplication of a template. It is
common to use a template for recurring
uses of the same spreadsheet, for example:
uses that occur on a regular monthly basis.
In such instances it is common to reuse
the same base template and simply make
relevant amendments for the month in
question. However, this reuse is purely
manual and is therefore an inherent risk.
This is exactly what happened to Dominion
Resources (example C): when the company
applied the wrong month’s template,
which resulted in it under-representing
gas reserves, leading in turn to artificially
inflated consumer prices.
There are of course a variety of other mistakes
that you can make when using a spreadsheet.
You can position columns incorrectly, it
is possible to use inappropriate graphical
methods for particular data sets, and so on, but
these are mistakes rather than errors. What
is important about errors is that they give you
misleading information that can lead to poor
decision making, which in turn costs money:
often lots of it.
Spreadsheet Management
Chapter 2 - Spreadsheet problems
Security
There is not a lot to discuss about spreadsheet
security because there isn’t any. Actually, that
isn’t quite true: Microsoft Excel does, in fact,
have a password facility though it is honoured
more in the breach than the observance. This
is also true of the ability to lock cells: although
it is in the product it is seldom used or used
rigorously. In practice, in most cases, anyone
can open up a spreadsheet, change the data
to their heart’s content and amend formulae.
Anyone of malicious intent can deliberately
induce errors in spreadsheets either because
they have a grudge against the company or in
order to support any fraudulent activity that
they may be indulging in, or simply to gild the
lily with respect to their own performance.
To take a simple example, you cannot go into
your company’s General Ledger and gaily
change the figures therein: the software and its
security will not let you do that. However, you
can extract the data from the General Ledger
into Excel and then you can change that data as
much as you like. We cannot believe that such
a laissez faire attitude to corporate data makes
sense.
The other big problem with spreadsheet
security is that there is little or no user-level
access control (though this is improved in
Excel 2007). At present, even if you are one of
the rare few that use passwords, once data is
in a spreadsheet you can see all the data that
is in it: you cannot then limit who sees what
information within a given spreadsheet. This
would not be acceptable almost anywhere else
within your business. For example, you may
let a manager see details of his department’s
total salary expenditure but you wouldn’t let
him or her see the salary information for each
individual employee, but that is exactly what you
can do using spreadsheets. You can, of course,
hide data but then it is hidden from everybody
(an invitation to fraud if ever there was one)
but that doesn’t get you any further forward
since what you need to be able to do is to allow
visibility into what individuals are allowed to, or
need to see, but not what they are not permitted
to see. In other words, what is needed is full
role-based security so that people can only see
what they have the right to see.
Moreover, and to briefly return to the issue
of fraud, in many ways Excel actually helps
the potential fraudster. For example, you can
hide data by using a white font on a white
background and you can hide data by putting
it behind a graphic. You can also hide whole
spreadsheets programmatically (these are
known as ‘very hidden’ worksheets) as well as
conventionally through the product.
page 5
Crashes
A further security issue occurs when Excel
crashes. The software will automatically
attempt to recover any documents that you
are working on and it will create temp files for
this purpose. Unfortunately, all the security
procedures that apply to normal Excel files do
not apply to temp files, which can be read by
anybody. An additional security requirement,
therefore, is to provide a mechanism to make
this impossible.
Auditing
The third major issue with spreadsheets is with
respect to auditing. However, like security,
there is not much to discuss because again,
while there is some capability, it is rarely
used. In practice, you can log changes to a
spreadsheet into a separate worksheet but
this only applies on an individual spreadsheet
basis rather than across the whole spreadsheet
environment. More generally, in Excel 2007,
version control is applied through Microsoft
SharePoint but this only provides version
control and auditing at the document level: it
does not record changes to the spreadsheet at
the cell level.
In other words, in most instances, not only can
you not prevent someone from changing the
data in a spreadsheet, for whatever purpose,
but you also have no way of knowing who
changed the data, when he or she changed it,
or what the change consisted of. Further, you
cannot tell if anyone has attempted to make
unauthorised changes.
In a way, this is much more serious than a lack
of security (though the two go hand-in-hand in
encouraging fraud) because it undermines any
compliance or governance regulations that may
be in place. As a general statement it would be
fair to say that:
Any company that is subject to SarbanesOxley, IAS/IFRS or similar regulation, which
uses spreadsheets for any purpose beyond
very limited reporting, and does not use
spreadsheet management, will be unable to
comply with the strictures of those laws.
This is a pretty strong statement. But
Sarbanes-Oxley requires companies to be
able to justify what has happened to the data
it presents in its corporate accounts and
how it got there. If a spreadsheet is involved
at any point in that process then, unless
appropriate controls are in place (spreadsheet
management), you will have a breakdown in
the data chain where you cannot certify what
has happened to the data. Note that it is by
no means impossible to use spreadsheets
Spreadsheet Management
Chapter 2 - Spreadsheet problems
within a compliant environment—but it
requires management. Microsoft, for example,
makes extensive use of Excel spreadsheets
in its own internal compliance procedures.
However, the key point is that Microsoft does
use the management facilities in Excel and
they are surrounded by appropriate additional
procedures.
In fact, the issue is even worse than this.
Spreadsheets are often passed from one
user to another and the latter may well use
the information in the original spreadsheet
as a data source for spreadsheets of his or
her own. Again, there is no way to track that
this has happened. You can, in fact, prevent it
from happening (you can lock the spreadsheet
so that it cannot be forwarded, edited or
even printed) by using Information Rights
Management software, but this doesn’t help you
to monitor what happens subsequently if you
actually want to enable this sort of functionality.
Finally, Excel allows data to be consolidated
from a number of sources into a worksheet.
By default, it shows results but no formulae,
with the consolidation taking place in memory.
From an auditing and compliance perspective,
this default setting should never be used as the
data cannot be tracked and there is a high risk
of error.
Audit functionality
Auditors (whether internal or external) want to
do a lot more than simply look at an audit trail
or even check for errors; they also want to ask
questions such as “where does that number
come from?” and “what are the relationships
that exist between these spreadsheets?” As
we shall see later, auditors also want to see
best practices used in the development of
spreadsheets. Two of the most important of
these are:
• Spreadsheets should not include circular
references—that is, spreadsheet A should
not include a reference to spreadsheet B if
spreadsheet B already includes a reference
to spreadsheet A. Ideally, spreadsheets
should be organised into hierarchies: circular
references make this impossible. Tools to
discover circular references that may exist in
current spreadsheets will be useful here.
• Segregation of roles—in a managed
spreadsheet environment all spreadsheets
will be developed, tested and audited prior
to deployment but these functions involve
various different people whose capabilities
should be strictly delineated as is the case
with users (who can see or change what).
A workflow capability will be particularly
useful here, either provided directly within
the product or by means of a conventional
document management system or via
SharePoint 2007.
page 6
Note that if you can demonstrate that such
practices have been applied, then (external)
auditors will need to spend less time auditing
corporate spreadsheets, which will save you
money on your auditing fees.
Spreadsheets as an enterprise resource
It should be clear that spreadsheets, or at
least some of them, are vital to organisational
well-being. In particular, those spreadsheets
that are used to inform important decisionmaking processes, are used for financial
and other corporate reporting, or are to
be used in customer or other third-party
presentations, need to be treated just like any
other corporate asset. The same applies to any
particular spreadsheets that may be subject
to regulatory requirements, even if they do
not fit within one of these other categories. In
particular, just as you would not implement
a new application without testing that it did
what it was supposed to do, all corporate (if not
personal) spreadsheets should be tested prior
to deployment. That is, sets of figures should
be run through the spreadsheet to ensure that
there are no formulaic, macro, placement,
access or specification errors anywhere within
the spreadsheet.
In other words, if it is accepted that
spreadsheets represent a corporate resource,
then all spreadsheets that do anything
more than very simple reporting should be
subject to a quality control process to ensure
accuracy. If, on top of that quality control, you
can implement spreadsheet management
procedures (especially simplified data access)
then you will be going a long way towards
eliminating costly mistakes (and fraud) from
your spreadsheets.
The main reasons why spreadsheets are not
recognised as being a corporate resource are
varied. In the first instance, they are often
simply dismissed as not really being a critical
asset or as not being suitable for investment
(for user training or process assurance). In our
view this is clearly a mistake.
The second problem is that spreadsheets are
used in different ways and by different people.
For example, there are what we might term
‘data collection’ activities such as budgeting,
which is driven by the finance department
in this particular case, or by other relevant
The people who use spreadsheets are
typically line managers on the one hand
and business analysts on the other.
These are expensive personnel and it is
wasteful for them to have to do these
routine tasks when such processes could
be automated.
Spreadsheet Management
Chapter 2 - Spreadsheet problems
departments for different applications of this
sort. Secondly, we have ‘spreadsheet reporting’,
which is owned by operational groups. In effect,
spreadsheets are treated as siloed applications,
each of which is owned by its own clique, none
of which relate to the IT department. This leads
in turn to a third problem, which we might
characterise by saying that while there is a
technology gap in the sense that there is an
inadequate environment provided for managing
spreadsheets, there is also a cultural gap
which means that users do not even employ
the security and auditing capabilities that are
provided.
The bottom line is that there is a lack of
ownership of spreadsheets as a whole, with
no-one in the organisation being seen to be
responsible for their use within the corporate
structure. This needs to change if spreadsheets
are going to be properly managed.
Productivity issues
Another major issue is the time taken to
manage existing spreadsheets. Even today,
when these are not recognised as important
enterprise resources, individual users have a
considerable management effort involved in
managing their own spreadsheets: they may
need to discover the location of relevant source
data, they may need to extract information
from previous versions of a spreadsheet
and perform reconciliation procedures, they
may need to distribute their spreadsheets
to colleagues (which raises the possibility
of errors in distribution lists), and they will
(we hope) be taking back-ups on a regular
basis. All of these functions can and should be
automated in so far as they can be. However,
we are aware of organisations where people
have simply stopped using spreadsheets and
moved to statistical packages (for example)
because of the difficulty of managing complex
spreadsheets. While there may be other
benefits associated with such an approach this
would be a costly decision for many companies,
and a means whereby spreadsheets can be
properly and easily managed would be a
preferable approach in many instances.
Collaboration
A further point to bear in mind is that
spreadsheets are frequently used for
collaborative purposes not merely in
environments such as budgeting but also
for decision making. In most organisations,
when a spreadsheet needs to be distributed
to various parties involved in any decisionmaking process, the relevant documents are
distributed via email. This is inherently unsafe
(and is therefore a security issue) but there is
also no way in which collaborative working on
the same spreadsheet is managed or controlled
or, indeed, facilitated.
page 7
Enterprise management issues
While the issues discussed previously
represent the main reasons for implementing
a spreadsheet management application, there
are potentially a number of other management
issues surrounding the use of spreadsheets,
which it would be useful to be able to
handle. For example, it is often the case that
spreadsheets exist within hierarchies and it
would be useful if it was possible to easily view
and maintain those hierarchies.
Another issue that commonly arises is
that spreadsheets are used to extract data
automatically from a single source database,
but what you actually want is to combine data
from various data sources. Management issues
around this sort of scenario would be greatly
simplified if you could access multiple data
sources from a single spreadsheet design, and
assemble individualised workbooks that tailor
their content to user roles and permissions, as
you can with some vendors.
A further complication is that most large
organisations have probably thousands,
if not tens of thousands, of spreadsheets
distributed across the enterprise. Not only
are these uncontrolled, they are unknown
and not automated. A tool that can discover
existing spreadsheets and bring some or all
(according to user preference) of these into a
single management structure will be especially
useful for ongoing administration. Indeed, it
is arguable that a product that only supports
the management of new spreadsheets and has
no facilities for bringing old spreadsheets into
the new environment is only doing half the job,
if that. In particular, a managed spreadsheet
environment should be able to assimilate
existing contents, formulae and macros into a
new design and automation paradigm in order
to evolve the environment smoothly.
Moreover, it is inevitable that much of the
functionality embedded in these spreadsheets
is duplicated which, in itself, is wasteful. It
would be useful to have comparison capabilities
through which you could automatically compare
different spreadsheets to ascertain where
you have duplications or near duplications.
In the latter case, a visual comparison or
difference facility would be useful (similar to
those provided in application development and
change management environments) along with
a merge facility.
Finally, you would like to be able to consolidate
all of your different spreadsheets into a
centralised, IT-run environment. As a part of
this process it will make sense to rationalise
the spreadsheet environment. This would
typically be on hierarchical lines, using the
principle of inheritance (that is, lower level
Spreadsheet Management
Chapter 2 - Spreadsheet problems
page 8
spreadsheets inherit the characteristics of
higher level ones—ideally, based on versioning).
However, as spreadsheets are dynamic objects
it will not make sense to instantiate the
spreadsheets except as and when requested
to do so by an authorised user. Thus, what
is required is a system in which the relevant
metadata such as spreadsheet formatting,
formulae, macros, data locations (including
cached data) and so forth are stored as a part
of this process. By maintaining this master data
on the server, IT could maintain an auditable
master object and oversee distribution of
spreadsheets generated from this object.
• You can control access to selected objects
Off-line working
It is commonplace for managers and other
business users to want to be able to work on
spreadsheets off-line. This presents a number
of issues with respect to security, audit and
compliance, and manageability. First, it should
be clear that there should be control over who
can copy spreadsheets (which doesn’t just
apply to off-line working). Next, for compliance
purposes, at least with regards to SarbanesOxley, all changes to a spreadsheet have to be
time-stamped, not simply with the time that the
spreadsheet was saved but at the actual time
that the change was made. How do you do this
with respect to offline working? Since it would
be impractical to install a new application on
every user’s laptop the only solution must
be that the relevant software is embedded
alongside the spreadsheet at the point at which
you copy the spreadsheet. Finally, you will need
some sort of synchronisation capabilities when
the off-line spreadsheet comes back on online.
Other spreadsheets
Excel 2007
It is important to consider whether the recent
introduction of Excel 2007 has resolved any
or all of the issues discussed in the previous
sections. The answer is that it has resolved
some issues though these have typically been
addressed through the use of SharePoint 2007
and Excel Services rather than Excel per se.
The most notable additional features that these
provide are:
• Version control (but at the document rather
than cell level).
• You can use Excel Calculation Services to
provide centralised control of information so
that there is a single version of the truth for
Excel 2007 workbooks and you can control
who has access to particular workbook data
via user permissions.
• You can ensure that Excel workbooks are
only rendered within a web browser with
View Only permission and, in conjunction
with SharePoint, you can ensure that only
authenticated users can have access to those
workbooks.
within a workbook (for example, PivotTable
components and charts) when the workbook
is published to an application server running
Excel Calculation Services. Again, View Only
permissions may be applied.
Of course, the problem with this is that it
assumes that everybody has migrated to Excel
2007 and has also licensed the additional
capabilities described. Given the significant
number of users still using Excel 97 it seems
unlikely that such a mass migration to Excel
2007 will happen any time soon.
Finally, it is also worth considering whether
other spreadsheet products resolve any of the
issues identified. There are a number of such
options: StarOffice, OpenOffice (broadly the
same as StarOffice), Google Spreadsheets,
EditGrid and Lotus 1-2-3. The last of these we
will not discuss because it has an established
user community of its own and represents a
significant potential investment, whereas the
other products mentioned here do not require
such a cost.
Notable features of these other products
include support for encryption and, in the
case, of EditGrid encrypted traffic as well as
encrypted authentication. EditGrid also has
substantial shared read and write access
control, as does Google, but it also has
password protected read and write access,
which Google does not. Excel has the latter
but not the former. Notably, EditGrid also has
range and cell locking, it maintains a cell last
update record, provides spreadsheet usage
reports, supports templates and has a number
of other features not included in other products,
whether Excel or otherwise. While it is not the
purpose of this report to persuade companies
to stop using Excel, if they wanted to do so
by replacing it with another (inexpensive)
spreadsheet solution then we would
recommend taking a close look at EditGrid.
Spreadsheet Management
Chapter 3 - Thinking about Spreadsheet Management
Third party vendors relate to Microsoft Excel
in a variety of different ways. At the lowest
level, suppliers simply provide the facility to
export data into a spreadsheet or, a slightly
more advanced offering, the ability to print
a formatted, static spreadsheet, where data
values and formats are saved as an Excel file. In
either case, this is usually done for one of two
reasons: either to rectify some deficiency in the
vendor’s offering (such as a lack of graphical
capability) or simply because customers like to
be able to play around with the data in Excel.
In either case, while there is some sort of
guarantee that the data was accurate when it
was initially loaded into the spreadsheet, all
bets are off once the data has been exported
(including, potentially, the introduction of new
errors) and the users begin construction and
design.
A more sophisticated approach is adopted by
some vendors which offer an Excel plug-in. The
intention here is to provide direct access to the
data sourced from the business intelligence
environment and to (possibly) lock-down data
values, such that these are dynamically related
back to the source and cannot be changed.
However, this does not prevent specification or
placement errors, nor eliminate errors in either
formulae or macros. Moreover, because it does
not provide either security or auditing within
the spreadsheet environment there is a higher
likelihood of misplaced trust in the reuse of
these files and therefore increased opportunity
for template errors. Moreover, it is always
possible to copy the data from the spreadsheet
into another one (on a laptop, say), amend the
data and then create a new spreadsheet on the
main system. Similarly, you can also e-mail a
spreadsheet to a colleague and, again, there is
no control over what he or she can do with the
data. In other words, this sort of solution has
only limited value and does not prevent abuse.
An alternative adopted by some suppliers is
to encapsulate and embrace spreadsheet
capabilities into their own environment.
This may be based on the fact that they have
duplicated the Excel environment within their
own system, or they may have licensed Excel
and embedded it. In either case, the effect
is that the spreadsheet is plugged into the
vendor’s application as opposed to plugging
the application into Excel, as discussed above.
The advantage is that the whole environment
is as well controlled as any other facility
provided by that supplier. In addition, these
sorts of products often provide a facility
to automatically schedule, manufacture
and distribute pure Excel spreadsheets to
consumers, which should improve productivity
and reduce construction and distribution
errors. It also introduces the opportunity to
deliver personalised views of the data within
the spreadsheet. Further, in rare cases, these
spreadsheets can be generated from templates
or master spreadsheet designs (sometimes
referred to as a spreadsheet blueprint) that
manage data queries, workbook layout and
assembly, the abstraction of recurring formulae
and the inclusion of business macros. The net
effect of this sort of approach is that every
spreadsheet generated from a blueprint
contains only as many errors as the original
design, which of course increases the burden
for testing and the application of proper design
techniques. As we know, however, errors
eliminated during design are significantly less
costly than those identified later.
However, Excel is likely to be much more widely
used in any organisation than any business
intelligence product. After all, 150 million
licensed copies of Microsoft Office exist in
the world, and the estimation of unlicensed
use could be two or three times that. In other
words, the approaches just discussed only
address that tiny corner of the spreadsheet
problem that is included in the business
intelligence provider’s solution and it does not
cover anything else.
What is needed is a solution that spans
all corporate spreadsheet resources and
which is not limited to business intelligence
environments. There are a number of these,
which approach the problem of enterprise
spreadsheet management from a variety of
directions. However, before we discuss these
in detail (in the next section) it will be worth
considering the major elements of such a
solution.
page 9
Spreadsheet Management
Chapter 3 - Thinking about Spreadsheet Management
page 10
Requirements for a solution
The following table shows the major features that we would like to see vendors provide in
spreadsheet management solutions. We have divided these into “must-have” and “advanced”
facilities, where the former are essential and the latter would be nice to have.
Must have features
Role-based security from query to file to
spreadsheet elements, all the way down to the
cell level
Encryption
Locking: at the spreadsheet level, for data
down to the cell level, and for objects including
formulae and macros
Full audit trail for all changes, including
macros
Auto-discovery capability for existing
spreadsheets
Management and control of distribution and
scheduling
Spreadsheet hierarchy management
Support for IT-based testing of formulae and
procedures
Support for segregation of roles
Where-used capabilities so that you can
track the use of data and formulae across
spreadsheets
Template management
Advanced features
Federated availability for heterogeneous data
source access
Version control: comparison, difference and
merge capabilities
Smart, server-side spreadsheet objects
that contain layout definitions and query
results that are ready to be personally and
dynamically delivered at view time
Audit trail to include attempted, unauthorised
changes
The ability to enforce notes to be appended
explaining spreadsheet changes
Workflow to support the segregation of roles
The ability to generate alerts to be sent to
relevant parties when a particular change is
made
The ability to recognise that inserting a row,
say, is one change, not a change to every cell
in the spreadsheet
Integration with SharePoint 2007 or document
management systems providing version
control
Thin client capability so that nothing has to be
installed on the user’s desktop
Off-line and stand-alone working
While most of these requirements should
be self-explanatory, or have already been
discussed in some detail, it is worth briefly
discussing template management. What we
mean here is the ability to not merely manage
but also to automate the use of templates so
that if, for example, you use templates for
monthly spreadsheets then the details for
each month will be automatically generated
for you so that the potential for using the
wrong template is eliminated. The underlying
templates that are being reused in this way are
sometimes referred to as blueprints.
Dealing with errors
There are two approaches to errors: one
is to prevent them occurring in production
spreadsheets and the other is to detect and
correct them when they do occur. In the
latter case, there are a variety of applications
available for detecting and correcting errors
in single spreadsheets. Indeed, Microsoft also
provides a (limited) number of facilities within
Excel for helping to identify errors, such as the
ability to calculate nested formulae one step at
a time, to trace relationships between formulae
and cells, and to watch a formula and its
result in a cell. In other words, there are some
features to support the testing of spreadsheets
as they are being built, though one would not
say that these were equivalent to the sort of
testing that would be standard for applications
designed and developed by the IT department,
for example.
However, as with all software applications it
is much more efficient (and less expensive) to
prevent errors rather than to attempt to detect
them after the event. Indeed, HM Customs and
Excise states in its “Methodology for the Audit
of Spreadsheet Models” that “detailed testing
can be extremely laborious” even when using
the software that it supplies for this purpose
(SpACE, see www.lexisnexis.co.uk/space)—and
remember that you pay for this auditor’s time.
Spreadsheet Management
Chapter 3 - Thinking about Spreadsheet Management
Best Practices Guide for Building Spreadsheets and Preventing Errors
It is worth going into some detail with respect
to this HM Customs and Excise report. It
suggests that the auditor start by assessing the
risk that is associated with each spreadsheet
and to concentrate upon the spreadsheets that
have the greatest implications for the business.
This only makes sense. It then goes on to
recommend that the auditor assess the degree
of risk associated with each spreadsheet. It is
worth reporting what the methodology has to
say with respect to this:
• “If the developer does not fully understand the
business, there is a high risk of errors in the
logic and design of the spreadsheet.”
• “Are the areas for input of raw data segregated
from the computational areas?”
• “Is there a separate sheet containing a table of
contents and a description of the purpose of the
model?”
• “What evidence of testing and other
documentation exists?”
• “If testing was thorough, the risk of undetected
error is lower. If testing of the initial model and/
or subsequent amendments was sketchy or
non-existent, the risk of error is much higher.”
• “You must consider the adequacy as well as the
mere fact of testing as evidence that the model
or application presents a low risk of error.”
• “Has the developer documented the
spreadsheet, to make clear: what it’s for; what
it does; how it does it; what assumptions were
made in its design; what constants are used and
where they are held; who developed it; when;
when and how it has been changed since being
brought into use; the presence and purpose of
any macros?”
• “The better the documentation, the less scope
there is for error or misunderstanding between
the developer and the user.”
• “A good practice in design is to include the
documentation as part of the workbook on a
separate sheet.”
• “Again, consider the quality as well as the
existence of documentation.”
We make no apologies for quoting from this
at length as it effectively provides a high-level
best practice guide for building spreadsheets
and for preventing errors. Moreover, in our
view the sort of structured approach that
is recommended for developers should be
followed even if the developer and user is
one and the same person. The guide goes
on to suggest that if the spreadsheet passes
these criteria then it should need no more
than a routine audit rather than the detailed
(and extremely laborious) testing mentioned
above. In other words, this planned approach
substantially reduces the likelihood of error.
Consider, however, the impact of employing
these recommendations within an environment
in which spreadsheet design is abstracted,
as discussed previously, and not simply held
within each spreadsheet. In essence we
view the creation of a spreadsheet model or
blueprint as the ideal method of applying these
principles, due to the fact that every spreadsheet
generated from a design blueprint is guaranteed
to be as error-free as the original design. In
addition, design abstraction offers other unique
capabilities that are not possible when working
within Excel, such as multi-sheet workbook
definition, multi-dimensional summary table
aggregation, formula and macro reuse, and
dynamic control over multi-source query results.
Obviously, the notion of building and maintaining
a single design that serves thousands of
spreadsheet consumers is very appealing.
page 11
Spreadsheet Management
Chapter 3 - Thinking about Spreadsheet Management
What you should do
There are various types of software solution
for the resolution of the various issues we have
highlighted. However, before we discuss these
(in the next section) it is worth considering
what organisations should do, regardless of
any potential software supplier. The steps that
organisations need to follow include:
• Identify all the spreadsheets in your
organisation: who owns them, what they are
called and what they are for, how widely they
are distributed and used and by whom, what
associated documentation is available, and
how often they change and by how much,
and so on. If you can do this in an automated
fashion so much the better.
• Prioritise these according to their importance
to the enterprise both in terms of their impact
on corporate strategy and their scope for
aiding and abetting fraud. Note that, in part,
the risks associated with any particular
spreadsheet will depend on the size and
complexity of that spreadsheet: something that
tools can help you to calculate. Complexity can
be rated as low, medium or high depending on
input sources, the complexity of calculations,
dependencies between spreadsheets and
workbooks, the use of macros, financial
modelling and so forth.
According to PriceWaterhouseCoopers in
its “The Use of Spreadsheets:
Considerations for Section 404 of the
Sarbanes-Oxley Act” the uses of
spreadsheets can be put into three
categories, which reflect increasing levels
of significance and priority: operational,
analytical (or management information)
and financial.
• High priority spreadsheets should be
individually audited for design correctness,
tested, published and generally managed by
the IT department. Version control will be an
advantage and automated generation from
design templates will eliminate many classes
of errors (data, formulaic, macro, and
template) and provide a strong framework
for addressing the other management issues
highlighted herein.
• Medium (as well as higher) priority
spreadsheets should at least be serverbased so that there is some form of central
control.
• Where feasible, store Excel data in XML
format, so that you can validate fields
and enforce integrity through use of an
appropriate XML schema. This may not be
necessary if you are using a very tightly
managed and controlled approach or if your
solution not only stores designs but also
intelligent spreadsheet master objects on the
server.
• The password and auditing facilities supplied
within Excel should be used for all sorts of
spreadsheets. Control over the use of macros
(digital signatures and the use of trusted
publishers) should be encouraged. Default
settings that make calculations invisible
should be turned off. Hiding of data should be
discouraged.
• You may wish to treat older versions of
spreadsheets differently from current ones.
Clearly, there are fewer user obstacles
to be overcome when applying security to
the former. Versioning of spreadsheets
is also something that you may want to
explore as well as methods of evolving older
spreadsheets into newer, server-controlled
ones.
• Publish best practise guides for users (based
on the HM Customs & Excise model above)—
there are many features of spreadsheet
applications that users are simply not aware
of. No doubt there are many users that would
implement passwords if they knew about it.
• Publish spreadsheet designs including
formula definitions, query definitions,
worksheet formats and all assumptions that
make up the design.
• Consider the implementation of information
rights management software so that you can
limit the use of published spreadsheets.
This is by no means an exhaustive list (other
considerations, which are not specific to
spreadsheets, include the application of access
control and security, documentation, backups and archiving, analytics on the use of
spreadsheets, the development lifecycle and
change management) and the implementation
of these techniques will not take the place of
the management solutions discussed in the
next chapter or the need for error detection and
correction. However, implementing a policy for
managing spreadsheet management is the first
step that you need to take, and the points above
represent some of the basic things that you
need to consider.
page 12
Spreadsheet Management
Chapter 4 - Spreadsheet Management Approaches
In the section of this report dealing with
spreadsheet problems we highlighted five
major areas where there are issues with
spreadsheets: errors, security, auditing,
productivity and spreadsheets as an enterprise
resource. Arguably, there is also a sixth issue,
in that it would not hurt to have facilities
that speeded up the process of developing
spreadsheets. In this section we are going to
consider the various types of approaches that
vendors have taken to resolving the issues and
problems we have highlighted.
Auditor’s tools
Auditor’s tools are primarily focused on
discovering errors and in assisting both internal
and external auditors, though some tools also
provide some (limited) capabilities for helping
with the development of spreadsheets. In so
far as their error detection/auditor support
functions are concerned, common features of
these tools include:
• Spreadsheet comparisons—either between
two versions of the same spreadsheet or,
in some cases, different spreadsheets.
It is preferable to be able to see both
spreadsheets side-by-side: a tool that
automatically lines up the two spreadsheets
(that is, inserting blank rows where one
spreadsheet has more rows than the other)
will be an additional benefit.
• Formula mapping—the ability to see how
formulae have been copied (or not) across
cells: this can be used to visually identify
where incorrect or missing copies have
been made. In our view this is easier to
understand if the mapping is displayed on
the spreadsheet rather than as a separate
function.
• Precedent and dependent mapping—to
see relationships and references across
spreadsheets. Not all products support
both precedents and dependents. Good
visualisation will be useful here.
• Detection of formula and other errors such
as text in a data field, a sum that is adding up
non-numeric fields or range checking.
• Facilities to understand formulae more
easily, either by expansion and/or through
the use of AutoNames (that is, putting a
name in place of a cell reference).
• The ability to answer the question “where did
this number come from?”
• Circular reference detection, where
spreadsheet A refers to spreadsheet B which
in turn references spreadsheet A.
For obvious reasons the more mature products
in this area tend to have more of these
functions, as well as a variety of reporting
and other capabilities (for example, sensitivity
analysis is useful), than offerings that have
been more recently introduced. There is also
a wide variety in the degree of visualisation
offered, with some companies only offering
reports and other data in spreadsheet format
while other suppliers make use of more
advanced graphical techniques. It is also
noteworthy that while most products consist
of pure play suites of tools, two of the offerings
considered in this report, from Operis and Risk
Integrated (in the Automation Tools category),
are products that were originally developed
for in-house use and which have subsequently
been made available to clients on a stand-alone
basis. Both of these companies are consulting
houses with Operis specialising in complex
financial modelling and Risk Integrated, as its
name implies, focusing on risk management.
Products in this category are typically available
on a free 30 day trial basis with a typical per
user licence of between $200 and $600 (with
the bulk at the lower end): bulk discounts
for enterprise licences are usually available.
Support is via e-mail.
Note that some of the control and compliance
vendors (see next sub-section) also incorporate
Auditor’s Tools within their offerings.
Control and Compliance tools
Control and compliance tools come in a variety
of shapes and sizes. In principle, products
within this category would address security,
auditing and compliance first and foremost
and, as a consequence of the way that they do
these things, also provide enterprise resource
management and productivity gains. However,
there is by no means a common approach
across all of the vendors in this grouping.
However, before we discuss these differences
we should consider what we mean by ‘control’
and ‘compliance’.
The idea behind a controlled approach is
that you will fully control everything that is
done within the spreadsheet environment.
Using a role-based security system, you will
apply security at all levels, from the queries
against the original data sources, to the files
and directories accessed by users all the way
to locking down changes at the cell-level, so
that only authorised personnel can change
data, with similar strictures being applied
to formulae and other facilities within the
spreadsheet environment. The way that this
is typically accomplished is by means of a
centralised repository, as illustrated in Figure
1, which represents CIMCON’s architecture.
page 13
Spreadsheet Management
Chapter 4 - Spreadsheet Management Approaches
Figure 1: Architecture using a centralised repository (from CIMCON)
The point here is that the user continues
to work in Excel as he has always done but
that the environment is controlled from the
repository where version control, security and
so forth is running. Typically, the repository is
based around a document management system
but that is not always the case: SmartDB, for
example, uses an Oracle (or, in theory, any
other relational) database. In some cases,
notably the Automation Tools vendors (see
next section) user spreadsheets are populated
directly from the repository/server at runtime
in a dynamic fashion.
An important point here is that there is a
natural aversion to the centralisation of
spreadsheets: it therefore needs to be as
simple and painless as possible.
Needless to say, in order to be fully effective,
control tools need to have discovery
capabilities (not all products do) so that these
capabilities can be retrospectively fitted to
existing spreadsheets as well as applied to
new developments. Moreover, the way that
discovery is implemented is also important,
because you want to be able to discover and
import spreadsheets into your management
environment as efficiently as possible but
you also don’t want to interrupt or impose
any performance penalty on conventional
operations. The ability to assess the risk
associated with each spreadsheet is also
important.
The compliance approach is about monitoring
current activities, sometimes referred to
as “closed circuit TV” (CCTV) option. In this
approach, everything that you do is logged,
every change to a macro or a formula, every
change to the data, who did it and when.
Now, there are products that combine both
control and compliance but there is also one
product (from ClusterSeven) that provides
compliance only. In the latter case, no attempt
is made to prevent anybody from making a
change or, as a result, introducing the variety
of error types mentioned earlier. In other
words, this is auditing without control. This
has the advantage that you do not need to
centralise the whole environment but it will
only be appropriate for companies that already
have tight control over their spreadsheets.
That is, those organisations that have already
recognised that spreadsheets represent a
corporate resource.
However, the distinction between compliance
and control and compliance tools is not the
only differentiator within companies within this
grouping. In particular, while all companies in
this group provide security there is one vendor
(ROISoft) that specialises in security and has
then built control and compliance on top of
that, rather than the other way around—it
might make a good partner for ClusterSeven. A
further differentiator is that some control and
compliance products include auditor’s tools
while others do not. Finally, eXpresso (which is
the only vendor we know of to have a Software
as a Service—SaaS—offering in this area),
offers significant collaborative capabilities that
are absent from most competitive products.
Control and compliance solutions represent a
much larger investment that auditor’s tools,
with a typical enterprise-wide implementation
running to at least 6 figures and sometimes 7,
though the SaaS offering from eXpresso (which
is also available via a stand-alone licence)
and Lyquidity are exceptions to this rule, with
the latter offering enterprise licenses in just
4 figures. On the other hand this is less highly
featured than some of its rivals.
A number of the products in this area also have
the ability to discover other resources aside
from spreadsheets such as PowerPoint files,
Word documents, Access databases and so
forth.
page 14
Spreadsheet Management
Chapter 4 - Spreadsheet Management Approaches
Automation tools
The third class of tools in the enterprise
spreadsheet management space are
automation tools. That is, products that
have been specifically designed to aid in the
development of spreadsheet applications (that
is, where there are repeated processes rather
than one-off spreadsheets, such as for sales
reporting, financial consolidation and so forth).
These environments are typically templatebased and provide classical development
methodologies to ensure that applications are
properly tested prior to deployment. These
tools may also offer control and compliance
capabilities but only for the spreadsheets that
have been developed within this environment.
Neither of the products (we have discovered
only two) in this area have discovery
capabilities nor the ability to bring pre-existing
spreadsheets under their wing, so to speak.
We should comment that the development
capabilities provided by these products is much,
much stronger than those of products in any
other category and that the use of these tools
to prevent errors is a lot more powerful and
useful than merely being able to detect them
after the event.
Products in this category have typical
implementation licences in 5 figures, with
the exception of Risk Integrated, which only
provides a partial solution (see next chapter).
page 15
Spreadsheet Management
Chapter 5 – Product Evaluations
This chapter includes our evaluations of the various products reviewed in preparing this report.
They are presented in alphabetical order. Note that the evaluations of Auditor’s tools are
significantly shorter than those of the Control and Compliance and Automation Tools (with the
exception of Risk Integrated) included herein.
The following list of products have interactive links and clicking the vendor/product name in a PDF
file will take you to the relevant evaluation.
Auditor’s Tools
Operis OAK
Sheetware XDrill
Spreadsheet Advantage
Spreadsheet Detective
Spreadsheet Innovations Spreadsheet Professional
Others (no evaluation)
Codematic XLAnalyst
UTS MathLook for Excel & Galaxy Enterprise Knowledge Management System
Control & Compliance Tools
CIMCON Spreadsheet Compliance Solutions
ClusterSeven Enterprise Spreadsheet Management
Compassoft
Lyquidity ComplyXL
Mobius ABS for Spreadsheet Compliance
Prodiance Spreadsheet Compliance
ROISoft ExSafe
SmartDB eXpresso
Automation Tools
Actuate e.Spreadsheet
Qtier-Rapor
Risk Integrated Enterprise Spreadsheet Platform
page 17
Actuate e.Spreadsheet
Fast facts
Actuate provides Enterprise Reporting
solutions. By this it means that it can provide
all of the reporting, query and analytic
capability (with the exception of data mining)
that an enterprise might require, both at a
technical level and in terms of the types of
users it supports, from those who simply want
to see a particular report on their desktop
once in a while, to power users and business
analysts. As a part of this landscape the
company provides Actuate e.Spreadsheet as a
solution that is designed to provide centralised
control and management over the design and
use of spreadsheets.
Actuate e.Spreadsheet is an integral part of
the Actuate 9 Enterprise Reporting platform
(technically it is referred to as Actuate 9 e.
Spreadsheet) but this report focuses on e.
Spreadsheet rather than the other elements of
the Actuate product set, except where the
latter are relevant to the operation of e.
Spreadsheet.
page 19
• Once defined, spreadsheet blueprints are
stored on the Actuate server and user
spreadsheets are dynamically generated at
run-time depending on the user’s role and
permissions.
• Note that the Actuate platform offers
federated query capability so that this
dynamic generation of spreadsheets may be
based on data derived from multiple
(heterogeneous) data sources.
• A major advantage of the dynamic serverbased approach adopted by Actuate is that it
does not matter if data sizes change, since
this is automatically taken care of when the
user’s spreadsheet is generated at runtime.
• Actuate e.Spreadsheet offers significant
advantages when compared to traditional BI
approaches such as plug-ins and ‘save to
Excel’.
Key findings
The bottom line
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
Actuate e.Spreadsheet automates the
development and deployment of spreadsheets.
This doesn’t just speed up the development
process and make deployment more efficient:
in governance and compliance terms it also
reduces the risk of error, provides built-in
security and makes change tracking into a byproduct of the environment. In other words,
because use of e.Spreadsheet means that
spreadsheets are deployed as an enterprise
resource there is a reduced need for auditor’s
tools (and auditor’s fees) and change tracking.
Further, our view is that native, stand-alone
use of (unmanaged) Excel spreadsheets is a
potential hazard when it comes to corporate
governance and regulatory issues.
• Actuate e.Spreadsheet allows your users to
continue to use Microsoft Excel in exactly
the way that they are used to but, behind the
scenes, you use the Actuate platform to
develop, manage, secure, audit and control
the distribution of these spreadsheets.
• In particular, e.Spreadsheet is used to
manage the development of repetitive
spreadsheet applications such as sales
forecasts, account statements, budgeting and
planning, financial consolidations and so on.
• Complete, cell level version control is
maintained as a part of the development
environment provided by e.Spreadsheet so
that you can manage who is authorised to
make changes and so that any such
changes to editable cells can be logged and
audited.
• Actuate e.Spreadsheet does not include
formal support for the segregation of
roles—author, editor and (internal)
auditor—required by auditors; nor for the
sort of workflow that would support this
checking and approval process. Instead, the
product takes a more conventional
approach to development and security,
securing both the data that populates a
spreadsheet, and also the structure of the
workbook presenting it. (which might, of
course, be acceptable to auditors in its own
right). You could, of course, use an
appropriate third party change management
tool to support the segregation of consumer
roles.
As a result, a solution such as Actuate’s,
which allows proper control of the
spreadsheet environment, is much to be
preferred and should be considered seriously,
especially by any company that deploys
spreadsheet applications.
Actuate e.Spreadsheet
Vendor information
page 20
Background information
Product availability
Actuate was founded in 1993 and initially
focused on reporting solutions that were
deployable across the enterprise to all classes
of users. That is, it focused on users that
didn’t want to learn anything about the
reporting environment but simply wanted to
access information that would help them to do
their jobs. In other words, Actuate had a focus
on reporting per se, and reporting applications
in particular.
The current version of the Actuate product set
is 9.0 and the same is true for e.Spreadsheet.
At the platform level, Actuate’s general
approach is to run under Windows, AIX, Sun
Solaris, Linux and HP-UX with Windows-based
development tools, with the Actuate iServer
(which provides the infrastructure upon which
all Actuate products are based) providing full
cluster support. Mac OS, Solaris and OS/2 are
supported at the browser client level, using
either Internet Explorer or Mozilla Firefox.
Although there were a series of extensions
(for example, web-based reporting) to the
product set throughout the ‘90s, this position
remained essentially unchanged until 2003,
when the company introduced spreadsheet
reporting for business users and then analytic
reporting aimed at power users. Also in 2003,
Actuate acquired Nimble Technologies, a
vendor of data federation and enterprise
information integration (EII) solutions, whose
technology is integrated within the remainder
of the Actuate product set, including e.
Spreadsheet.
As far as e.Spreadsheet components are
concerned, e.Spreadsheet Designer runs on
Windows. How the product fits into the overall
architecture of the Actuate suite is illustrated
in Figure 1.
More recently (in early 2006) the company has
bought Performancesoft, a scorecard
application vendor specialising in the
performance management arena, and Actuate
is also the driving force behind BIRT (business
intelligence & reporting tools), which is a toplevel Eclipse project for developing open
source reporting tools. Actuate BIRT is
available, including chargeable support
provided by Actuate.
Actuate markets its products via both a direct
and indirect channel, with around a third of
corporate revenues coming from
partnerships, especially where the product
has been embedded into third party products
such as those of Chordiant and Siebel (Oracle).
Actuate web address: www.actuate.com
Figure 1: Architecture of the Actuate suite
Actuate presentation services are provided
through either iPortal (J2EE) or Active Portal
(.NET environments) and, in the case of the
former, supported platforms include Tomcat,
IBM WebSphere, BEA WebLogic and the Sun
Java System Application Server. For data
access, native drivers are provided to access
Oracle, DB2, SQL Server, Informix, Sybase and
Progress databases and both ODBC and JDBC
are supported for other environments. XML
and flat file access is also supported and there
are special pre-built facilities for extracting
information from SAP and PeopleSoft
environments. Business logic, in the form of
Java or COM objects can also be accessed as
data sources within the afore-mentioned J2EE
and .NET environments. A software developer
kit (SDK) is available for building comparable
facilities for, say, Oracle Financials. While this
information may not seem immediately
relevant, one of the features of e.Spreadsheet
is that it leverages Information Objects, the EII
technology acquired from Nimble, meaning
that you can build spreadsheets based on
information derived from multiple,
heterogeneous sources.
Actuate e.Spreadsheet
Vendor information
Note that Actuate describes the iServer as a
‘scalable platform’ in Figure 1. There are
various points to note about this. First, there
are the technical features such as multiproject support, server-specific service tuning,
multi-threading, page delivery on demand,
multi-tiered cluster and failover support;
secondly, there is the fact that Actuate has
existing customers with over 100,000 users
(for example, the Bank of America); and
thirdly, there are the independent benchmarks
that you can examine on Actuate’s web site,
favourably comparing the performance of
Actuate with Crystal Reports (now part of
Business Objects) and Cognos ReportNet.
Licensing fees for e.Spreadsheet are relatively
inexpensive compared to some products in
this market, with pricing starting at $495 for a
copy of e.Spreadsheet Designer and $500 per
user for the e.Spreadsheet Option within the
iServer.
page 21
Financial results
Actuate floated on NASDAQ in 1998 and in the
last financial year (2006) it reported revenues
of $128.6m (a record) compared to $106.4m in
2005. On a GAAP basis, net income for 2006
was $13.8m compared to a profit of $11.6m in
2005. In the most recent quarter (Q4, 2006)
revenues were $35.1m, as opposed to $29.2m
in the same period last year. Net income
similarly rose from $4.1 to $10.2m. The
company is cash rich and has no long-term
debt.
Actuate has over 500 employees at offices in
Canada, the United States, Australia, Hong
Kong, Japan, Singapore, France, the UK,
Switzerland and Germany. It also has
development facilities in China, though not
sales offices. Distributors are based in Brazil,
Mexico, South Africa, India, South Korea, New
Zealand, the Netherlands, Portugal, Russia,
Spain and Sweden. In addition to its direct
customers the company also has more than
300 OEM partnerships.
Actuate e.Spreadsheet
Product description
Introduction
Actuate e.Spreadsheet competes in two
markets: the ‘how to be more productive with
Excel’ market and the ‘how do I manage,
secure and comply with Excel’ market. In the
first of these Actuate competes with Excel on
its own, or with other business intelligence
vendors that offer either Excel plug-ins or
which have ‘save to Excel’ options. As we shall
see, Actuate offers a number of advantages
when compared to all three of these
alternatives. However, in the control and
compliance part of the market we cannot
make such sweeping statements, precisely
because of the complexity of the market.
There are a variety of compliance and
governance issues that arise from the
widespread adoption of Microsoft Excel, of
which the three most well-known are its
limited auditing and compliance capabilities,
its weak security and the prevalence of errors.
Failure to exert proper control over the first of
these can land you in jail, the second can lead
to fraud and the third can simply cost you
money. There are also additional issues, which
we will touch on during the course of this
report, but these are ‘the big three’.
As a result of there being multiple compliance
issues with Excel, there are three main types
of tools that address these:
page 22
corporate spreadsheets rather than individual
ones), which will mean that spreadsheets are
developed and tested prior to production, just
like any other software application. Whether
or not this control and management of
spreadsheet applications is within the domain
of IT or within the originating department is a
separate question.
Actuate e.Spreadsheet, which is template
based, will be most suitable for environments
where spreadsheet applications are used to
automate repetitive tasks such as financial
consolidations, sales forecasts, account
statements, budgets and planning, and so
forth.
Architecture
What e.Spreadsheet allows you to do is to use
Microsoft Excel within the Actuate
environment and supported by the Actuate
iServer. In technical terms, the product works
by sourcing data natively and then generating
an xls file for viewing. You can also import
existing Excel-based information so that it can
be managed through the iServer (and you can
also use an existing spreadsheet as a
template for future development). What this
means is that security (iServer supports LDAP
directories, Windows Active Directory and the
Sun Java System Identity Server), an audit
trail, and other management facilities are
provided for the spreadsheet environment.
1. Auditor’s tools, which are used to examine
formulae, discover errors and determine
data lineage after the fact.
2. Control and compliance tools that track
and audit changes to spreadsheets (and
associated macros, documentation, VBA
and so forth) reporting on anomalistic
events after they occur.
3. Automation tools that take a more
preventative approach whereby you try to
eliminate errors (and, therefore, the same
degree of need for auditor’s tools) and
prevent fraud by taking a pro-active role in
managing the spreadsheet development
and deployment environments. Since
development is an intrinsic part of this
environment, tools in this category typically
provide version management down to the
cell level (SharePoint only provides it at the
documents level) so that changing tracking
and auditing is built-in.
Whether a pro-active or a reactive approach
will suit your company will depend on your
situation: in our view, a pro-active
methodology, which is the approach that
Actuate has adopted, will be most suitable
where the organisation has recognised that
spreadsheets need to be treated as an
enterprise resource (we are talking about
Figure 2: e.Spreadsheet architecture in Actuate 9
In practice, e.Spreadsheet is not a single
product, as is illustrated in Figure 2. As can be
seen there are a number of components
within e.Spreadsheet: the Designer, the
generation option, the Smartsheet Security
option, the object catalogue and the use of
Information Objects. While the last of these
will be discussed separately later it is
probably more useful to discuss the first four
components in logical terms (that is, how you
would use the product) rather than purely in
terms of what each module does.
Actuate e.Spreadsheet
Product description
page 23
Building a spreadsheet application
Perhaps the main feature of e.Spreadsheet is
the way that spreadsheets are built and
delivered, which is achieved through the e.
Spreadsheet Designer. The definition of an e.
Spreadsheet design template or blueprint is,
effectively, a five step process:
1. The data sources from which a
spreadsheet is to be built are defined use
the Data Explorer (see Figure 3) along with
relevant parameters and fields. If this
involves multiple sources of data then this
will leverage an option to the Actuate
platform called the Data Integration (EII)
option. Since this requires some discussion
it is covered in its own section, which
follows later in this report. Inset in this
screenshot is the Data Range Editor, which
provides a drag-and-drop environment for
creating multi-dimensional workbooks,
functions and locks. In addition, there is
also a Pivot Range Editor for creating pivot
tables with filtering and drill-down. It is
worth noting that Actuate offers
considerably more data source flexibility
than Excel 2007, not least through its Data
Integration (EII) option but also thanks to
its understanding of metadata. There are
also mechanisms provided to overcome the
64k row limit on spreadsheets, either by
dynamically rolling data over into new
worksheets in the workbook, or by staging
data sets in the server catalogue.
2. The logic (formulae, macros and so forth)
to be used in any particular spreadsheet is
abstracted within the design blueprint,
which helps to remove design and formula
replication errors. Here you can make use
of the Designer’s reporting functions,
which define how the design blueprint
should manipulate, summarise or use data
within calculations. e.Spreadsheet
Designer provides built-in formula-like
capability that controls data expansion
within workbooks.
3. Formatting—formatting the spreadsheet is
integral to the design process, which not
only helps to make designs more visually
appealing (with bolded column headers
and sub totals, conditional highlights
outlining and so forth) but also includes the
ability to define security privileges all the
way down to cell-level access. Apart from
the e.Spreadsheet Designer itself and its
template-based approach, features
leveraged here that are not in Excel 2007
include user-based cell, section, range and
worksheet locking, which Actuate calls
‘SmartSheet Security’; and programmatic
interfaces in Java, VB, XSLT and C++.
Figure 3: The Data Explorer screen
4. Data-driven spreadsheet population—data
can be extracted in real-time to populate
spreadsheets so that they are always upto-date (including adding new hierarchy
members and worksheets) without ever
breaking or exceeding the limits of the
template, which is a common issue with
templates built within Excel directly or
when using Excel plug-ins. In addition,
worksheets in a workbook may be
parameterised based on data values.
Facilities that are not available in Excel
2007 (let alone other BI tools) include
support for side-by-side (sibling)
hierarchies that can be grouped across a
third hierarchy, some of the features of the
Editor (notably the ability to expand,
replicate and reproduce formulae and
references as data expands and contracts;
and the ability to define dynamic worksheet
bursting within a workbook) and the builtin parameter control that is provided.
5. Server-based distribution—when a user
wants to use a spreadsheet, it is generated
and delivered based on the template for
that spreadsheet, from the iServer, with
dynamic population of the data and
personalisation of formatting. Other
dynamic facilities provided include support
for live pivot tables; the use of live data
filters in, for example, exception reports;
and live 3-D charts that you might use, say,
in conjunction with ‘what-if?’ analysis. The
fact that spreadsheets are generated
dynamically at run-time means that full
security is maintained at all times as well
as an audit trail of who has requested
which spreadsheet. The software can also
present the data, showing which cells are
locked (but viewable by this user) and
Actuate e.Spreadsheet
Product description
which are unlocked but available for
update. The design template can define
and enable Excel’s built-in change tracking
facilities where user activity is logged
within a worksheet in the document. When
a spreadsheet is written back to the server
with updated information (for example, in a
budgeting application) then that entry, and
the workbook’s activity list, is logged for
auditing purposes. In terms of its
advantages over native Excel 2007, at this
level the most important is surely the
iServer’s scalability, as previously
discussed, as well as its ability to work
across Windows, Linux and UNIX
environments. Perhaps the most notable of
its other advantages is the power that it
puts into the hands of users through runtime parameterisation, for example to use
in selecting data to display or for selecting
layout preferences.
It is also worth noting the extensive use of
wizard-based facilities in the product, which
can be used for formatting cells and
worksheets, adjusting formulae and data
groupings, summarising data, inserting
graphs and using pivot tables, amongst
others.
Finally, it is worth illustrating the fact that e.
Spreadsheet does not simply deliver
spreadsheets but that these spreadsheets can
be embedded within a more comprehensive
portal, along with other Actuate generated
reports, as shown in Figure 4.
page 24
Figure 4: Embedding the spreadsheets into Actuate-generated reports
Actuate e.Spreadsheet
Product description
page 25
The Data Integration (EII) option
Information Objects is Actuate’s technology
for providing EII (enterprise information
integration). That is, it allows you to access
multiple, heterogeneous data sources, in realtime, to populate Actuate reports or, in this
case, e.Spreadsheets. The way that it works is
that you first create a mapping (in XML) from
the data source to the Actuate environment.
This is a developer task as it requires some
knowledge of the source system. However,
once these initial mappings are defined the
resulting Information Objects can then be
combined into consolidated views by end
users (using the Data Explorer). In other
words, once the base mappings are created,
users can use these to create whatever
reporting structures they like.
Figure 5: e.Spreadsheet and the EII Option
When a query based on one of these
structures is activated, the query is
decomposed and the relevant parts of the
query sent to the relevant data sources. The
EII Option has a built-in optimiser (like a
database optimiser) and it can leverage
source system facilities such as the DB2
optimiser in order to optimise performance at
each data source and from a distributed
perspective. Actuate also implements a cache
so that you can reuse data, when appropriate,
without overtaxing the source systems.
Figure 5 illustrates and describes how the EII
Option works in conjunction with e.
Spreadsheet.
Summary
Companies addressing the Excel marketplace come from two general directions: either they are fundamentally business
intelligence companies or they are control and compliance companies. In the former category there are BI ‘save as Excel’
vendors and there are BI Excel plug-in suppliers while in the latter category there are auditor’s tools and change tracking
tools. The latter do nothing for the company that wants to manage his spreadsheet development and the former: well, the
former don’t do much at all. Actuate, on the other hand, by focusing on the development and automation of spreadsheets,
adds considerably to both the BI and control and compliance environments. Moreover, there are hardly any other companies
providing comparable automation environments and no others that do so from the standpoint of a broader business
intelligence capability. Actuate e.Spreadsheet is therefore strongly recommended.
CIMCON Spreadsheet Compliance Solutions
Fast facts
CIMCON offers a suite of software products
that, while they nominally have a particular
emphasis on ensuring compliance with
Sarbanes-Oxley, actually have broader
application for spreadsheet management. The
suite includes discovery capabilities (via
XLRisk); auditors tools (XLAudit) for
spreadsheet comparison, error detection and
so forth; and change tracking and control
(SOX-XL). There is also a companion product
called SOX-XS that provides comparable
features to SOX-XL but for Access databases
rather than Excel.
While the ‘SOX’ prefix to two of these products
is understandable, there is a danger that it
limits the potential usage of these offerings in
user’s eyes. In practice, the SOX products
from CIMCON support best practice that may
well be applicable to companies that are not
subject to the Sarbanes-Oxley regulations.
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• XLRisk will automatically discover all of
your corporate spreadsheets, Access
databases and, indeed, other assets. This is
accomplished during an overnight batch run
and a data dictionary with all relevant
metadata is created within the CIMCON
environment. The other products in the
suite run against this dictionary so that a
non-intrusive approach is maintained
throughout.
• When SOX-XL is used (the products may be
licensed independently) the software
automatically pulls spreadsheets into its
server to create new versions, on a
scheduled basis, although there is also a
manual option for creating versions. For ongoing monitoring, CIMCON uses an agentbased architecture that automatically
detects and notifies the software of any
changes, though you can still use a
scheduled approach if you prefer.
• Once spreadsheets are discovered they can
be assessed for risk, both from the
perspective of the risks associated with a
spreadsheet per se (basically, how complex
it is) and the business risks associated with
the usage of this spreadsheet. This process
is largely automated and has been
significantly enhanced in the latest
release—it now represents a significant
strength of the product.
page 26
• Once a risk assessment is complete,
XLAudit is used to look in detail (with
formula rectification, error detection,
comparison capabilities and so on) at
selected spreadsheets, typically those with
the highest risk profiles. A dashboard is
provided showing details of your compliance
programme.
• SOX-XL can be used to maintain a strict
segregation of roles: authors, editors and
auditors.
• SOX-XL provides control as well as change
tracking. In the former case, there is rolebased control of Excel menus and the
available functions, you can enforce signoffs, employ digital signatures and so on.
• Change tracking is down to the cell level
and includes time-stamping for the time
that changes were made, not just when they
were saved. Note that all such changes are
recorded, not just the ones made at the
time of the file save.
The bottom line
CIMCON has a significant history in the
compliance market, having originally focused
its efforts on the pharmaceutical sector,
where there are Federal Drug Administration
regulations that need to be complied with.
Since moving into spreadsheet management
and compliance the company has established
itself as one of the leaders in this market, with
some 150 customers to-date. Moreover, its
solutions tend to be less expensive than those
of its major rivals (5 figures rather than 6) so
the company appears to be well placed given
that there is a growing concern across user
companies to ensure not just that their
spreadsheets are compliant but that they are
error-free and less subject to fraud.
CIMCON Spreadsheet Compliance Solutions
Vendor information
page 27
Background information
Product availability and support
CIMCON Software (which is not to be confused
with Cincom Systems) has been in business, in
one form or another, for some 19 years.
Originally the company’s name was an
acronym for computer information
management and control and it focused on
automation systems. However, some 10 years
ago the company re-invented itself as a
provider of compliance solutions, initially in
the pharmaceutical sector (where CIMCON
supports FDA CFR21 Part 11) and, more
recently, for financial services. Its solutions in
support of Sarbanes-Oxley were first
introduced 4 years ago. Note that as a
significant part of these compliance solutions
the company offers a number of spreadsheet
and associated software applications that
would, of course, be applicable widely across
industries and not just in the sectors in which
the company specialises.
The products provided by CIMCON are
currently in version number 5.4.3 and they
may be incrementally licensed and installed.
Needless to say, they all run on Windows
platforms, with support for all versions up to
Windows Server 2003. The versions of Excel
supported include Excel 97, 2000, XP, 2003
and 2007.
While the company is primarily US-based in so
far as sales is concerned, the global nature of
the company’s customer base means that it
needs to offer 24x7 support and it maintains
U.S. and overseas offices in order to do this.
Typical installations are measured in high five
figures (dollars).
In practice, CIMCON takes a lifecycle
management approach to spreadsheets, as
illustrated in Figure 1, which shows the three
spreadsheet management products that the
company provides: XLRisk, XLAudit and SOXXL, along with the major features of each of
these elements of the suite.
In addition to the products shown the company
also has a solution called SOX-XS, which is
designed to provide Sarbanes-Oxley
compliance for users of Access databases. As
these are commonly employed in conjunction
with spreadsheets, especially in financial
environments, we will briefly discuss the
facilities offered by this product even though
the focus of this report is on spreadsheet
management.
Financial information
CIMCON is privately owned and financed (that
is, no VC funding) and has approximately 150
staff. As noted, it has overseas offices for
research and development and to support its
global customer base. It has some distributor
agreements for indirect sales and is in the
process of expanding the number of these
distributors in response to market demand. It
has technical partnerships with both Microsoft
and Hyperion and also has a partnership (in
the UK) with Protiviti. Business Object’s
Crystal Reports is embedded within the
product for reporting purposes.
Web addresses
www.cimcon.com
www.sarbox-solutions.com
Figure 1: CIMCON’s lifecycle approach to managing spreadsheets
CIMCON Spreadsheet Compliance Solutions
Product information
page 28
XLRisk
XLRisk is a discovery and risk assessment
tool. In the first instance, XLRisk will
automatically discover all the spreadsheets on
your local area network or intranet, along with
all of your Access databases. It will also,
incidentally, detect instances of other
products such as Oracle databases, SAS
applications and so on. As this detection
process can be a fairly lengthy process it is
typically run as a batch job overnight.
As a result of the detection process XLRisk
builds an inventory of the assets
(spreadsheets in this case) it has detected,
stored in a data dictionary file that records the
name of the spreadsheet, its location, details
of embedded queries therein, databases,
database tables and database fields that are
referenced, plus details of any required fields.
In other words, it collects as much relevant
detail as it possibly can, initially via a
scheduled batch run but subsequently on an
incremental basis (though scheduling remains
an option).
Once this metadata is collected, the next
phase in the use of XLRisk is to conduct a risk
assessment. There are two elements within
this process, one of which is automatic and
the other is manual. The automated part is an
analysis of the potential risk within any
spreadsheet based on the number of external
links involved and the number of formulae and
other characteristics associated with the
spreadsheet. In effect, the software
determines how complex the spreadsheet is,
on the basis that the more complicated it is
the more likely it is to have errors within it, as
well as detecting any reported errors or
warnings.
A Risk Scorecard is automatically assigned to
each spreadsheet based on risk criteria that
can be configured based on client-specific
spreadsheet processes and risk indicators.
Provision is also there to include the
materiality (that is, how significant the
spreadsheet is within the overall financial
reporting process) of the spreadsheet for
financial reporting when assigning a risk
scorecard.
In addition, you need to be able to recognise
the importance of the spreadsheet to the
business: whether it represents a low,
medium or high-risk depending on its impact
on the company. To a large extent this is
automated in that XLRisk (in the latest
release) reuses facilities from XLAudit (see
next section) that collects statistics regarding
all of the spreadsheets you are scanning and
assigns risk criteria based on given risk
factors. For example, the software would
recognise that a Statement of Earnings would
represent a higher risk that a sales report
based on various factors such as the
maximum value in the spreadsheet and the
presence of keywords such as ‘balance’ and
‘millions’ rather than ‘thousands’. Also
relevant would be the presence or absence of
particular formulae, the amount of activity and
various technical measures such as the
number of links, errors, warnings and so
forth.
Thus, from a Sarbanes-Oxley perspective, if
you produce your Balance Sheet or Statement
of Earnings via spreadsheets, then these
would be high-risk whereas Cash Flow
statements might be classed as medium-risk
and sales reports might be low-risk. However,
it is important to appreciate that this should
not be looked at purely from a compliance
perspective; if you use spreadsheet
applications for mission-critical applications
then these too should be regarded as highrisk. So, ultimately you will have a defined risk
profile for each spreadsheet, based on its
importance to the business and the degree of
complexity inherent in the spreadsheet.
Finally, note that the dictionary XLRisk builds
forms the basis for doing impact analysis. That
is, to see what would be affected by any
change, whether that is database change
affecting a spreadsheet or a change in one
spreadsheet affecting another spreadsheet.
Moreover, such changes can often have ripple
affects that have impacts in multiple places
and CIMCON provides ad hoc query, search,
reporting capabilities within XLRisk (and
graphical tools are provided in the XLAudit
product) for this purpose.
CIMCON Spreadsheet Compliance Solutions
Product information
page 29
XLAudit
XLAudit is the tool provided for CIMCON to
identify problems within spreadsheets and to
aid in remediation. What XLAudit allows you to
do is to go into finer detail, for auditing and
verification purposes, for critical
spreadsheets.
The features that XLAudit provide are:
• Formula analysis, which will highlight all
the cells or ranges of cells that are affected
by a formula;
• A formula rectification wizard that helps you
to identify errors (including blank and text
cells within formulae) and correct them;
• A referencing facility that allows you to
identify any cells that contain references to
other spreadsheets, as well the ability to
lock these cells if the spreadsheet being
analysed is subsequently used off-line;
• Graphical analysis, as illustrated in Figure
2, for visually inspecting any nested
dependencies (and precedents) that may
exist for a cell. This same graphical
technique is also used for showing
relationships.
• Spreadsheet intelligence, which provides
additional querying capability against a
spreadsheet, including drill-down, filtering
and so forth. In other words, it provides
business intelligence capability with respect
to your spreadsheets. This facility is multithreaded in order to optimise performance.
Figure 2: Graphical analysis showing dependencies and precedents
• Lookout capabilities that offer the ability to
identify cell ranges and names, any
validation rules that may be in place, hidden
rows and columns, cells comments and
charts that span multiple worksheets, and
so on.
• Utilities that provide a variety of functions
including cell formatting templates, a text
case change function, configurable colour
palettes (which can be different for each
type of analysis done: the example in Figure
3 shows the results of a formula analysis)
so that it can be easier to spot errors,
reporting capabilities that will detail all of
the analyses that have been applied to a
spreadsheet, and so on.
Figure 3: Configurable colour palettes per type of analysis
CIMCON Spreadsheet Compliance Solutions
Product information
page 30
SOX-XL
SOX-XL, as its name implies, is all about
compliance with Sarbanes-Oxley and, in
particular, the ability to monitor and track
changes that are made to your spreadsheets.
However, unlike some products in the
marketplace, it is not limited to monitoring
changes but can also be used to implement an
element of control over who can do what and
when. In particular, in control terms, SOX-XL
can enforce a segregation of duties (which is
regarded as best practice) between authors,
editors and auditors of spreadsheets.
Specifically, it can control Excel menus (which
options, such as cut and paste, are available),
it can implement a sign-off process (using a
workflow-based approach) or it can enforce a
requirement to input a comment (reason)
whenever a change is made. Moreover, these
controls can be implemented at spreadsheet,
column, row or cell level, as required.
A notable point is that, in order to do all of
these things, not to mention the tracking
capabilities of the product that we have not yet
discussed, you can simply leave all
spreadsheets in situ and rely upon the
capabilities provided by SOX-XL for discovery
and compliance purposes. SOX-XL uses an
architecture, as shown in Figure 4, wherein a
centralised, secure, web-based repository of
all spreadsheets is used. The way that this
works is that the server automatically pulls
existing sheets into the server to create new
versions on a scheduled basis although there
is a manual option to save a version to the
server when necessary.
Users continue to work with their existing
spreadsheets on shared file servers and may
hardly notice the change to their existing
environment. In effect, in the background, the
SOX-XL repository acts as a content
management system, together with role-based
security, version control and so on. This
replaces the functions that, in Excel 2007,
would otherwise be provided by Microsoft
SharePoint Services. That said, however,
SharePoint is limited to document-level change
management whereas SOX-XL goes down to
cell level, as required by Sarbanes-Oxley.
Fundamentally, there are three types of
control that you can implement with respect to
any particular spreadsheet, in so far as SOXXL is concerned: you can implement security,
you can insist on a complete audit trail and
you can require electronic approvals (with
electronic signatures) prior to a spreadsheet
going into production. Regardless of whether
you want any one of these, or all three, the
process of setting it up is very simple, as all an
authorised user has to do is to log in and
request that the appropriate internal
control(s) be implemented, otherwise the
process is automatic.
Figure 4: Architecture of SOX-XL
In terms of these three control areas, the
major features of the product include:
• Auditing—SOX-XL provides change tracking
down to cell level, including macros, for all
amendments. Further, in compliance with
Sarbanes-Oxley, all changes are timestamped with the time that the changes
were made (not when the spreadsheet was
saved). As a corollary, all changes are
tracked that are made before the file is
saved. This is important because in cases of
fraud you might change a spreadsheet to
meet your own nefarious purposes and then
change it back again prior to saving.
• Accountability—as already noted, SOX-XL
implements segregation of duties, with
role-based (by user or group) access
control to relevant Excel features (by
spreadsheet) and this is backed up by the
ability to mandate electronic signatures.
Moreover, the audit trail provided by
CIMCON is colour coded (see Figure 5) so
that auditors and others can easily see the
use of electronic signatures against activity.
Figure 5: Colour-coded audit trail
• Security—while some security features
overlap with Accountability (who can do
what), SOX-XL provides additional
functionality so that you can: lock
workbooks, formulae or cell ranges; there
are session timeouts to protect against
unauthorised use at unattended
workstations; and you can block access
after failed password attempts. There is
support for both LDAP and Active Directory
authentication.
CIMCON Spreadsheet Compliance Solutions
Product information
Other features of the product include the
ability to archive the audit trail; support for
workflow, as already discussed; the ability to
create read-only copies of a spreadsheet;
support for multiple time zones, which is
important for time stamping amongst other
things; the ability to enforce the entry of the
reason for a change and, if you do this, then
you can either allow free-form entry or
selection from a drop-down list of valid
reasons; and there is support for workbook
templates, whose functions can be managed
in the same way as spreadsheets. Finally,
there are also reporting and query
capabilities. In terms of reports, Business
Objects’ Crystal Reports is embedded within
the product and there are a number of prebuilt reports that come with the products and
you can also customise these or design your
own. In addition, there is a Query Builder that
you can use to slice and dice the stored audit
trail to investigate what has happened on the
basis of date, time, person and so forth.
page 31
SOX-XS
As we have noted, CIMCON also has SOX-XS
for Access databases that is complementary
to its SOX-XL product. Its importance rests on
the fact that large numbers of users employ
Access databases in conjunction with Excel.
Briefly (as spreadsheet management is the
focus of this report rather than compliance in
broader terms), SOX-XS provides comparable
facilities for Access as SOX-XL does for Excel.
It offers version control, a record/field level
audit trail that can be maintained at a fine
level of detail, and VBA code control and
comparison capabilities.
Summary
Over the last two years the market has become increasingly aware of the dangers of simply
allowing the uncontrolled and unmanaged growth of spreadsheets. While this has been
brought to the fore by the need to comply with regulations such as Sarbanes-Oxley, there are
also sound business reasons why spreadsheets should be managed as a corporate resource.
Needless to say, this growing requirement has led to a significant number of companies
entering this market, particularly since 2005. CIMCON is one of the few that is not just wellestablished but which has focused on the compliance arena for considerably longer than this.
That is a major strength. However, that is not to say that it does not face threats from the
increasing levels of competition it faces. While we expect the company to continue to fare well
in its native market of the United States, we would like to see it take a more aggressive stance
in other markets (perhaps with a name change for its ‘SOX’ products), where there is the
potential for significant future growth.
ClusterSeven Enterprise Spreadsheet Management
Fast facts
Microsoft Excel is one of the most widely
deployed applications on the planet. However,
it is used in a variety of different ways. For
example, it may be used simply for reporting
or presentation purposes while, on the other
hand, it may be employed for important
business applications such as budgeting,
planning and financial consolidation. In some
environments, like investment banking, utility
trading and hedge funds the use of
spreadsheets represent not just mission
critical applications but key differentiators
that represent the company’s trading
advantage over its competitors.
Thus the use of spreadsheets can be divided
between personal deployment and what we
might call operational deployment, where
spreadsheets represent the encapsulation of a
business process. In effect, each spreadsheet
hierarchy represents a business application in
its own right.
For all sorts of spreadsheet users, Microsoft
Excel (and other spreadsheet products for that
matter) suffers from a number of drawbacks.
In particular, spreadsheets are prone to error,
susceptible to fraud, lack adequate security
and cannot be easily audited. While these
issues may be of little consequence when it
comes to the personal use of spreadsheets
they are of much greater significance when it
comes to their operational use: apart from the
costs that may derive from spreadsheet
errors, there are issues of compliance
(Sarbanes-Oxley, Basel II and so forth) and
data governance, and there may also be direct
costs involved in that external auditors may
charge additional fees for auditing
spreadsheet applications if appropriate
internal processes have not been put in place.
For all of these reasons, operational
spreadsheets are increasingly being perceived
to be a corporate resource where appropriate
testing and control of these assets needs to be
provided via an independent risk management
department (this may be another part of the
business or IT) rather than at the user level.
However, at the same time, such control
needs to be implemented in such a way that it
does not impede the user’s deployment and
utilisation of spreadsheet applications. It is
this function—non-invasive spreadsheet
management—which ClusterSeven provides
through its Enterprise Spreadsheet
Management application.
page 32
ClusterSeven Enterprise Spreadsheet Management
Fast facts
Key findings
In the opinion of Bloor Research the following represent the key facts of which prospective users
should be aware:
• Microsoft Excel 2007 offers expanded
auditing capabilities through integration with
Microsoft SharePoint 2007. However, this is
at the document level—that is, treating a
spreadsheet as a whole. ClusterSeven, on
the other hand, provides auditing and
tracking of spreadsheet changes down to the
cell level. It leverages SharePoint (and other
content management systems) for document
level versioning, management and access
control and security.
• ClusterSeven does not offer the ability to
stop erroneous or fraudulent changes to a
spreadsheet. What it does is to allow you to
monitor all changes to designated
spreadsheets so that you can check these
for yourself. Note that you can export a
spreadsheet to your personal computer and
change it, but ClusterSeven will discover
the changes when you log back in and
update the original.
• ClusterSeven offers significant time-based
capabilities. To begin with, it can record and
present the full history of any spreadsheet,
right down to the cell level. This, in turn,
can be used for trend analysis for
developing things such as yield curves as
well as detecting anomalies that might
suggest fraud.
• A major feature is that ClusterSeven not
only monitors events in a spreadsheet,
down to cell level, but it can also monitor
any macros that are built into the
spreadsheet, providing visual (highlighted)
comparisons between the old and new
version.
• ClusterSeven understands not just
individual spreadsheets but also the
relationships that exist between different
spreadsheets. Thus it understands
hierarchies, workbooks and so on, and can
use this understanding to provide facilities
such as root cause analysis.
• Although ClusterSeven is primarily aimed at
compliance officers, data stewards and so
on, it also has a number of features
targeted directly at business users.
• A significant number of standard reports
are provided by ClusterSeven, enabling
changes to be filtered against user-defined
integrity rules, which can be extended
through the use of Microsoft Reporting
Services. You can also feed data into
Microsoft Analysis Services and similar
tools.
The bottom line
It is only since the advent of Sarbanes-Oxley, Basel II and similar regulations, and today’s
increased focus on data governance that the market has begun to appreciate the
shortcomings of Excel. As a result, the market for products that fill the gaps in Microsoft
Excel is relatively new. With ClusterSeven being one of the earlier entrants into the market
the company has a pedigree and its product a maturity that not all vendors can match.
Of course, the market for Excel remediation is a broad one and ClusterSeven has opted to
focus on the high end. Typical implementations are priced in six figures or more, so
ClusterSeven is very definitely a large enterprise solution, with features and scalability to
match. If you are in that category (say, the Fortune 500) then ClusterSeven is well worth
consideration.
page 33
ClusterSeven Enterprise Spreadsheet Management
Vendor information
Background information
Product availability
ClusterSeven was formed in 2003 to provide
security, auditing and compliance
requirements for users of applications that
lack those capabilities and, specifically, for
Microsoft Office environments. The company
is especially focused on providing Enterprise
Spreadsheet Management to complement
Microsoft Office Excel.
The current release of ClusterSeven
Enterprise Spreadsheet Management, which
supports all versions of Microsoft Excel from
Excel 97 onwards, is version 3. Version 4 will
be released in April 2007. The product
requires Microsoft SQL Server (2000 or 2005)
to store data, runs under Windows XP or
Windows 2000 (Vista is scheduled), and it
leverages Microsoft Reporting Services for
reporting purposes, which means that it can
provide XBRL (eXtensible business reporting
language) based reports for compliance
purposes.
The company is privately owned, with venture
capital backing, and is based in London though
there is also a New York office. The company
employs some 33 people at present and uses
a direct sales model. It focuses on the Fortune
500, managing spreadsheet applications of all
sizes. Its largest managed spreadsheets
exceed 250 individual internal sheets and
150MB in size, properties which are especially
common within capital markets (investment
banks, hedge funds and so forth). Needless to
say, Microsoft is a major partner.
ClusterSeven web address: www.clusterseven.com
ClusterSeven includes a generic ECM
(enterprise content management) manager
that co-ordinates between ClusterSeven and
the ECM product, where the latter is providing
document level auditing and version control.
There are also specific plug-ins provided by
ClusterSeven for the Microsoft (SharePoint
2007) and Hummingbird (now OpenText) ECM
products.
page 34
ClusterSeven Enterprise Spreadsheet Management
Background
Introduction
ClusterSeven Enterprise Spreadsheet
Management provides advantages for both
end users (the people actually deploying the
spreadsheets) and for people (compliance
officers and so forth) that actually need to
manage that environment. While the former
are useful and will help ClusterSeven to
market its product, it is the compliance
features of the product that are most
important. Before we discuss the actual
capabilities of the product it is therefore
appropriate to outline the problem that
ClusterSeven is solving.
Put simply, Excel spreadsheets have poor
security, an inadequate audit trail and are not
reliable. If we take this last point first, the
following paragraph is excerpted from a
PriceWaterhouseCoopers report published on
the use of spreadsheets and the SarbanesOxley Act, in July 2004:
“An article in the May 24, 2004 issue of
Computer World indicated that, “Anecdotal
evidence suggests that 20% to 40% of
spreadsheets have errors, but recent audits of
54 spreadsheets found that 49 (or 91%) had
errors, according to research by Raymond R.
Panko, a professor at the University of
Hawaii.” The Journal of Property Management
on July 1, 2002 stated, “30 to 90 percent of all
spreadsheets suffer from at least one major
user error. The range in error rates depends
on the complexity of the spreadsheet being
tested. In addition, none of the tests included
spreadsheets with more than 200 line items
where the probability of error approaches 100
percent.” Perform an online search for
spreadsheet errors or spreadsheet audit, and
you will find a number of major failures
attributed to spreadsheet inaccuracies that hit
the press in the past year alone.”
Of course, spreadsheets are used for lots of
different purposes. You may simply want to
analyse sales data. If your analysis is faulty
because of an incorrectly entered equation
then that may not have any very significant
effect upon the organisation. However, if you
are using a similar spreadsheet to help you
make investment decisions, then any mistakes
could end up being very costly indeed.
Moreover, the problem is not simply that
errors may creep into the spreadsheets but
that, because of the lack of appropriate
controls, errors can be deliberately
perpetrated for the purposes of fraud.
That is not the whole problem. The SarbanesOxley Act, and other compliance regulations in
other jurisdictions, means that you have to be
able to understand how data has moved
around within your organisation. It is here that
the use of spreadsheets in the raw can
become extremely dangerous. To take a
simple example, you cannot easily go into your
company’s General Ledger and change the
data, but you can extract that data into a
spreadsheet and do whatever you like with it.
Moreover, many companies use spreadsheets
for much more important purposes. Many,
despite purpose-built software being
available, still use spreadsheets for corporate
consolidations and to prepare statutory
reporting documents, or for planning and
budgeting applications. Sarbanes-Oxley
means that this process will no longer be
acceptable unless you can prove to the
auditors exactly how your data was
manipulated during this process.
Actually, the problem goes beyond even
financial reporting. Spreadsheets are widely
used for mission-critical purposes within
financial markets and utility trading, for
example, where very sophisticated suites of
spreadsheets add substantial business value
to the enterprise. Indeed, they often
encapsulate the company’s key differentiators
over its competitors. However, there is no
facility to track whether anyone has changed a
calculation within a spreadsheet or, if they
have, what it is and who did it. It terms of risk
management this is a clear no-no.
It should be clear then, that it makes sense to
properly manage spreadsheets. Moreover,
this is because it makes business sense and
not just because it is necessary from an
auditing and compliance perspective.
page 35
ClusterSeven Enterprise Spreadsheet Management
Background
Excel 2007
At the time of writing Microsoft Office Excel
2007 is just about to be released and while
many users will no doubt continue to use
Excel 2003, not to mention earlier versions, it
is pertinent to outline the enhancements that
Microsoft has made to Excel in this release
with respect to errors, security and auditing.
• Errors—there are no significant
improvements in this release. The Help
system has some facilities in this area but
they are limited.
• Security—in this release Microsoft has
taken a different approach to the challenge
of managing spreadsheet access. Rather
than provide further functionality to protect
files or parts of files when they are
distributed, Microsoft is using SharePoint
as a centralised repository from which parts
of spreadsheets may be selectively
published to the web. Hence other users
(even if they are given access to parts of the
Figure 1: ClusterSeven working with Excel and SharePoint
file) have no access to the main file or
hidden parts. It is therefore far more
difficult for them to attempt to break the
security over the parts they cannot see.
• Auditing—again, if you use SharePoint then
versioning and auditing is now available at
the document level but this does not provide
any auditing of the information within a
spreadsheet. There are existing facilities
with Excel that allow you to capture
changes to a spreadsheet by writing a new
spreadsheet, however this is more of a
logging mechanism than an auditing one:
you cannot, for example, trigger alerts or
notifications from this facility and nor could
you track changes to macros.
How ClusterSeven works in conjunction with
the latest facilities provided in Excel and
SharePoint 2007 is illustrated in Figure 1,
which also shows the high-level capabilities of
the ClusterSeven product.
page 36
ClusterSeven Enterprise Spreadsheet Management
Product description
Architecture
The components of ClusterSeven Enterprise Spreadsheet Management are illustrated in Figure
2, along with its integration possibilities.
Figure 2: Architecture of the ClusterSeven solution
There are a number of elements within this diagram, as well as some that are not explicitly
mentioned, that merit further explanation. In particular, core elements of the product include:
1. Discovery against designated servers—
ClusterSeven includes a non-intrusive
scanning capability that allows you to
discover spreadsheets on designated
servers.
2. Non-intrusive watching—this is a key point
for ClusterSeven, particularly for trading
systems where it is important not to have
any impact on performance. The
component provides a passive server,
directory or file watching capability that
allows you to monitor files that have been
referenced, so that you can automatically
detect any changes made to those files
(down to cell level) or any new creations.
As with scanning, you can have multiple
watchers and they can be run on either a
real-time or scheduled basis, as required.
Note the importance of the fact that
ClusterSeven’s approach is non-invasive—
the other obvious way to continually
monitor spreadsheet changes would be to
use the Excel event model—but this can be
turned off by third party Excel add-in
products, which would mean that you could
not guarantee to capture all changes. In
version 4.0 (see the ‘Product futures’
section) this watching capability will be
extended to enterprise content
management repositories.
3. Engine—this performs difference analysis,
the population of reports, the servicing of
the client workflow and the creation of
alerts.
4. Storage—this is triggered when a watcher
detects a changed or new spreadsheet, and
it records the changes (or new entries) that
are made in the referenced file(s), and
stores them in a structured XML repository
within Microsoft SQL Server. Note that it is
only substantive changes (that is, changes
to data rather than formatting) that are
recorded, but these cover everything from
raw data changes to document link
changes, and changes to macros.
Embedded file references are
automatically traversed, bringing
contributing documents into the
management framework as well, so that
you can trace dependencies and establish
causality, where required. If you want or
need to capture formatting information as
well, then there is a snapshot facility, with
the results being stored in compressed
format.
ClusterSeven integrates with other products
(such as file security systems or Enterprise
Content Management providers) to deliver file
level security. ClusterSeven itself is designed
to monitor and audit what you are doing rather
than prevent your activities. As the company
puts it: “what we provide is like a CCTV that
watches activities and reports on them but the
software does not play any sort of preventive
role.”
page 37
ClusterSeven Enterprise Spreadsheet Management
Product description
Compliance reporting
On the compliance side, ClusterSeven is mainly focused on reporting and auditing, and Figure 3
shows one example of the built-in reporting capabilities, in this case demonstrating the series of
users who have worked on a spreadsheet using the product’s client utility.
Figure 3: Monitoring which users have worked on the file
For each user-designated period a dashboard report (Figure 4) is available. This allows you to
select integrity rules that have been previously defined and then view any changes that have
broken these rules, while ignoring any other spreadsheet changes though, you can, of course,
inspect these at any time.
Figure 4: Dashboard report
Drilling down from this dashboard takes you to the specific locations within the spreadsheet
where integrity rules have been broken, as shown in Figure 5.
page 38
ClusterSeven Enterprise Spreadsheet Management
Product description
Figure 5: Drilling down to discover where integrity rules have been broken
Here, the full cell history behind each cell is
also provided, enabling any change to be seen
in the context of past activity. Thus, in Figure
5, which shows the results of clicking on cell
P6, the lower panel displays how its values
have changed across a series of events. You
can see that Peter Murthwaite overwrote a
function in this cell with a hard coded data
value. As a corollary to the fact that
ClusterSeven understands spreadsheet
relationships, you can also do impact analysis:
see how other spreadsheets will be affected
by a change in this cell. Further, because all
changes to a cell are tracked over time, you
can see the history of a cell and you can look
at in trend terms as the product provides
time-based analysis capabilities. This can be
used for things like yield curves and, since this
is particularly useful for spotting anomalies,
for fraud detection and to ensure that traders
are compliant in their activities.
just emails but in the next release (see later)
you will be to embed alerts into third party
workflow products so that you can use these
to trigger required actions.
Another major feature is that you can define
rules that you can apply down to the cell level.
These might be as simple as a range rule that
says that the value in a particular cell must lie
within a particular range or they can be much
more complex than that. In either case, if the
rule is broken, then you can define an alert to
be raised. At present such alerts are typically
There are a variety of other facilities: for
example, you can look at changes not just by
cell, spreadsheet or workbook, but also by
user or by activity type. You can also track
remediation tasks, rollback changes to a point
in time, ask for comments from the originator
of a change and so on.
In addition to capturing change information
down to the cell level, ClusterSeven also
captures all changes to macros. This is
important because macros often comprise a
large part of sophisticated spreadsheet
applications: as much as 50 percent in some
instances. Moreover, all you get as standard
with Excel is a conventional editor. What
ClusterSeven allows you to do is to not just
track changes in macros but also to visually
compare previous and new versions of a
changed macro, with any changes being
highlighted in an appropriate colour. Similar
facilities exist for comparing different versions
of the same spreadsheet and for comparing
different spreadsheets.
page 39
ClusterSeven Enterprise Spreadsheet Management
Product description
User functions
ClusterSeven primarily markets its
spreadsheet management to operational risk
and compliance officers and IT departments.
However, it also provides facilities for
business users and the principle benefit that
ClusterSeven can offer these people derives
from the fact that it understands the
relationships that exist between spreadsheets,
especially when these are hierarchically
organised. In other words, the software makes
it very much easier to understand how the
spreadsheets work together.
Figure 6: Defining KPIs and KRIs
On top of this understanding the company has
built specific features to leverage this
knowledge. In particular, it means that you
can define KPIs and KRIs (see Figure 6) that
span multiple spreadsheets and which can be
tracked across cells, workbooks and so on.
These KPIs may then be presented in a portal
or imported into a third party dashboard or
scorecard for performance management and
monitoring purposes. In effect, you can define
metrics within a spreadsheet that you can
roll-up and monitor at a high level. Note that,
as illustrated in Figure 2, ClusterSeven can
also integrate with conventional reporting
environments.
page 40
ClusterSeven Enterprise Spreadsheet Management
Product description
Product futures
As stated previously, version 4 of Enterprise Spreadsheet Management is scheduled for release
in April 2007. Three notable new features will be:
1. Protected cell management—so that you
will be able to see when a cell’s status (as
opposed to its value) has been changed. In
other words, you will be able to see when a
cell is changed from locked to unlocked or the
other way around.
2. Extended alert support—currently you
can generate alerts and notifications when
particular changes are made. You can also
generate alerts if the software detects trend
anomalies (that is, a change that breaks a
trend) or if a rule is broken. In release 4, you
will be able to build these alerts into
workflows built using SharePoint so that you
could automatically generate a remediation
task, for example. For non-users of
SharePoint or for those using other workflow
tools there will be an API to support this
functionality within such third party
environments.
3. Easier to use comparison capabilities—
when you are doing comparisons between say,
different versions of the same spreadsheet or
between spreadsheets, currently you will have
both spreadsheets open in separate windows.
This means that one window is active at a time
and you have to actively move from one
window to another. In this release, you will be
able to move your cursor across the sheets
without regard to this constraint.
The other major new feature that is planned is
support for Windows Vista but this will be
introduced as a point release.
Summary
Excel spreadsheets are seriously dangerous: they lead to fraud, non-compliance, costly
business errors and more. The first thing that companies need to do is to treat operational
spreadsheets as corporate resources: there needs to be at least an element of IT control.
However, while putting appropriate procedures and processes in place (for example, for
spreadsheet testing prior to deployment) is necessary it is not sufficient to meet the data
governance and compliance requirements of today’s world: for that, an appropriate tool is
required. For complex, large scale spreadsheet environments ClusterSeven is just such a
tool.
page 41
Compassoft
Fast facts
The market for spreadsheet (and, indeed,
EUC) solutions is broadly split into four areas:
monitoring tools, which audit what anybody
does to any spreadsheet at any time; control
and compliance tools that extend monitoring
to include security and management of who is
allowed to do what; auditor’s tools that allow
you to compare spreadsheets, detect errors in
formulae, find out where data came from and
so on; and automation tools that provide
controlled development environments for
creating new spreadsheet applications (but
only new applications—no facilities are
provided for existing spreadsheets).
Compassoft offers monitoring, control and
compliance, and auditor’s tools for all
spreadsheets within the organisation. The
basic principle is that the company provides
mechanisms to automatically discover all of
your spreadsheets; helps you to assess what
level of control is required for each
spreadsheet, (which can be passive, active or
real-time depending on the importance of the
spreadsheet) and then the company provides
the relevant level of functionality to support
that control.
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• The first thing that you do with Compassoft
is to discover the spreadsheets (or other
relevant resources) that you have running.
This process not only discovers the
spreadsheets but also metadata about
those spreadsheets. Compassoft uses
advanced parsing technology that knows in
depth about the resources it is discovering
so that it can capture more detailed
information about them.
• As a part of the discovery process
Compassoft will uncover details of any
worksheets that have been hidden within
the spreadsheet, as well as such things as
invisible cells (where data is white on a
white background, say, or hidden behind a
graphic). Moreover, one of the notable
features of Compassoft is that the software
will also highlight any spreadsheets with
very hidden worksheets: these occur when
worksheets have been deliberately hidden
through programmatic means. As may be
appreciated, these features are very
important when it comes to detecting fraud.
page 42
• Once the initial discovery process is
complete, the information garnered needs
to be kept up-to-date. Compassoft allows
you to do this either in real-time or using
scheduled batch operations. This is a
significant advantage over some other
products that only offer scheduled
capability. Compassoft also maintains a
history of what it discovers for change
tracking purposes, and it also tracks
accesses from spreadsheets to external
data sources such as ERP systems.
• The validation and error checking
capabilities (auditor’s tools) provided by
Compassoft are extensive. We particularly
like some of the visualisation capabilities
provided.
• As noted previously, Compassoft supports
the concept of different levels of control
depending on the risk profile associated
with particular spreadsheets. It would be
useful to have a dashboard facility whereby
you could see the current and on-going
status of these so that you could monitor
your progress over time.
• Compassoft supports the segregation of
roles whereby authors, owners, editors and
(internal) auditors have specific functions
that they are allowed to apply to any given
spreadsheet, within a standardised approval
process.
The bottom line
Compassoft is the market leader for
enterprise spreadsheet management. It has
around 150 customers to date and, as far as
we can determine, this is more than any other
vendor. We are not surprised by this fact: the
company has a comprehensive offering that
covers all of the major requirements (other
than automation, which is really a
complementary function) for managing
spreadsheets at a corporate level. It’s true to
say that Compassoft does have competition
but we expect the company to retain a
leadership position within this market.
Compassoft
Vendor information
Background information
Compassoft was founded in 2002 as a
company specialising in the use of artificial
intelligence, especially as that pertains to
change management. However, the company
soon saw an opportunity in the compliance
arena for what the company describes as the
“discovery, validation and control of end-user
computing (EUC)”. This applies not just to
spreadsheets, for which the company first
introduced a product in 2005 but also for other
Microsoft Office applications such as Microsoft
Access and for the pharmaceutical industry
(FDA CRC21 Part 11).
The company uses a direct sales model in the
United States but leverages partnerships
elsewhere. It has over 150 customers.
Compassoft web address:
www.compassoft.com
page 43
Product availability & support
commitment
Compassoft markets three products:
Compassoft Enterprise, Compassoft
EXChecker and Compassoft DaCS (data
acquisition control system). The products are
formally in version 3.1 though this reflects the
longevity of the Enterprise product rather than
the others necessarily (EXChecker, for
example, was acquired towards the end of
2005). The products support versions of
Microsoft Excel from ’97 through 2003. You
can use them with Excel 2007 if you store
spreadsheets in a traditional manner but not if
you use the new XML storage capability in
Excel. Full support of Excel 2007 can be
expected during the course of 2007, as can
support for Windows Vista.
Compassoft Enterprise license costs typically
start in low 6 figures (dollars) and can range
into 7 figures. Compassoft EXChecker is
included as a component of Compassoft
Enterprise, or a less functional version can be
licensed for stand-alone use, for which the
price is around $1,000 per seat.
Compassoft offers round-the-clock support
through its overseas offices.
Financial results
Compassoft is a privately owned company that
is backed by venture capital. It has something
over 40 employees (and this number is
increasing) located in offices in the United
States, India and Australia, though these last
two represent support rather than sales
offices. The product is resold by ABB across
Europe. The company also has a number of
technology partnerships, most notably with
EMC (Documentum) but also with SAP and
Microsoft.
Compassoft
Product description
page 44
Introduction
The different elements of Compassoft’s
solution, and their major functions, are
illustrated in Figure 1. The Compassoft DaCS
product is a plug-in specifically for those
spreadsheets that are mission critical, or high
risk, that are going to be controlled in real-time.
In practice, Compassoft describes its solution
as being about discovery, validation and
control and we will use these headings to
discuss the product suite rather than by
product, since there are clearly overlaps
between the products in certain areas.
Discovery
One of the major problems with spreadsheets
(and other EUC assets) is that they are not
centrally managed. And, because they are not
managed in any co-ordinated way, they tend
not to be documented. Put simply, this means
that most enterprises will have spreadsheets
that they (as an organisation) know nothing
about. Needless to say, if you do not know of
the existence of some (or many) of your
spreadsheets then you will not be in a position
to manage, audit or control them. So, the first
thing that you need to do is to discover the
spreadsheets that are actually in use.
However, it is not as simple as discovering
spreadsheets per se. Many spreadsheets will
have links to other spreadsheets or will be
versions of one particular spreadsheet. In
order to take control of the spreadsheet
environment you need to understand all of
this. You also need to know details about
individual spreadsheets such as who the
owner is, whether there are associated
macros, if there are hidden sheets or very
hidden sheets (the latter being where a
programmer has hidden the sheet rather than
just using Excel’s features), if there are
invisible cells (white on white, say, or hidden
behind graphics), and so on.
Now, all of this would be a horrendous exercise
if you attempted it manually and it would
probably be impossible, but Compassoft
automates this process across servers (UNIX
or Windows), desktops, notebooks and so on.
As may be imagined it can be lengthy process
to search through a large company’s entire
network so Compassoft has a facility to throttle
Figure 1: Elements of Compassoft’s solution
its discovery software so that, in a typical
installation, you would run discovery at maybe
2 or 3% of capacity for the first month to
discover all of the spreadsheets, rather than
trying to do this all at once. However, initial
discovery on its own is not enough as you need
to keep on top of any changes that occur, so you
would now normally ramp up the Compassoft
software so that you recognise any changes
that may take place in real-time (at least, for
highest risk spreadsheets). Alternatively, there
is also a scheduled option whereby, perhaps,
you simply check for changes overnight.
Depending on the environment, either method
may be appropriate but this gives Compassoft a
significant advantage over some of its
competitors that can only offer a scheduled
option.
What the discovery process actually does is to
take a snapshot of each spreadsheet that it
discovers and then this is encrypted,
compressed and stored in a secured database
(either using one designated by the user or a
supplied internal Compassoft database).
Alongside this snapshot, metadata about the
spreadsheet is captured, as previously
discussed, including relationship information
such as what relates to what, where the data
originates, what data feeds other applications,
and so on.
Compassoft
Product description
page 45
Figure 2: Maintaining a historical record
Finally, note that as discovery is run on an
ongoing basis you will take snapshots of
spreadsheets as they change. This will enable
you to identify structural changes (new
columns or rows), reference changes (to data
locations and to other spreadsheets) and
property changes (ownership transfers,
change of location, formulae changes). Figure
2 shows the historical record maintained by
Compassoft with application location,
properties, summary analytics, review status,
dependencies and so on. Note the tabs
showing the different sorts of EUC supported.
It is also important to recognise some types of
reference changes in real-time: for example,
if a database schema changes then any
spreadsheet referencing that database may
run incorrectly. Compassoft can alert you to
conditions such as this, when they occur.
Validation
Validation is about ensuring the accuracy and
validity of your spreadsheets, and also helps in
the process of deciding which spreadsheets
should be put under what sort of control.
There are a variety of capabilities provided for
this purpose, as follows:
• Spreadsheet complexity analysis—the
simple fact is that the more complex a
spreadsheet is the more it is likely to have
errors in it. According to
PriceWaterhouseCoopers any spreadsheet
of more than 200 rows has a greater than
90% chance of errors. But that’s just size;
there are also considerations with respect
to the use of macros, the number and
complexity of formulae, the amount of
referencing to other spreadsheets and
dependencies on outside data sources,
amongst others. This function will help you
to determine the complexity of any
spreadsheet and, therefore, the risk
associated with it. This capability will
therefore help in deciding which
spreadsheets should be under what sort of
control.
Figure 3: Rules, template and policy enforcement
• Rules, template and policy enforcement—
this allows you to specify that a particular
spreadsheet must conform to certain rules
(for example, that a cell value must lie
within a particular range (see Figure 3) or
must be based on such-and-such a
template.
• Automated error discovery—while not all
errors can necessarily be discovered by any
tool, many can. Rules enforcement will
prevent some errors but there are also
errors that can be detected such as circular
references, formulae referring to nonnumeric data and so on.
• Graphical tracking—there are a variety of
visual means provided to discover various
facets of a spreadsheet. For example, you
can visually see when adjacent cells have
different formulae in them (which may, but
may not) represent an error. There is also a
Precedent Walker, as illustrated in Figure 4
which allows you to see where the data in
any cell has come from. Similarly, there is a
Dependency Walker so that you can see the
whole lifecycle of any piece of data and
there are visualisation capabilities to
support both formula flows and impact
analysis.
Compassoft
Product description
page 46
Figure 4: The Precedent Walker
In addition to validation per se, this part of
Compassoft’s suite, along with its other
components, will automatically generate
documentation about the spreadsheets under
inspection, and you can also append both
notes and bookmarks to spreadsheets, as
required. Within an approval process (see the
‘Control’ section) you can enforce a
requirement to add notes explaining changes,
if you want to. There are also facilities to raise
alerts, where required.
As previously noted, Compassoft provides the
ability for you to define approval processes
and this can be augmented by the product’s
support for electronic signatures (see Figure
5). The way that these can be deployed is
flexible: for example, you can implement
multi-stage signatures within an approval
process and it is also possible to require an
electronic signature for just a part of a
spreadsheet.
Control
While it is useful to have an inventory of all
corporate spreadsheet assets it would not be
reasonable, in a large organisation, to attempt
to take detailed control of every single one.
Normally this will be limited to spreadsheets
that are mission critical, those that have high
risks associated with them or those that are
specifically mandated for oversight thanks to
laws such as Sarbanes-Oxley or through the
requirements of regulatory bodies. As already
discussed, the product’s validation capabilities
can help you to assess which spreadsheets
are most at risk, but which ones to take under
active or, more particularly, real-time control,
is primarily a business decision.
For those spreadsheet (and other) assets that
you take under full control there are a number
of additional facilities provided through use of
the Compassoft DaCS plug-in. This provides
role-based security, version control down to
cell level, real-time logging with timestamps
(at the moment of change not when the
spreadsheet is saved) and check-in and
check-out. This last is important because it
allows multiple people to work on the same
spreadsheet in a controlled fashion. Many
other vendors providing version control do not
offer check-in/out.
Figure 5: Support for electronic signatures
Summary
The key point to note about Compassoft is
that it can do all of the major things required
to take control of existing spreadsheet
mayhem, and manage that on an on-going
basis going forward. As the market for
enterprise spreadsheet management
expands (and we expect it to do so rapidly in
the next few years) the company is wellplaced to capitalise on that growth.
Lyquidity ComplyXL
Fast facts
ComplyXL is a tool for gaining insight and
greater understanding of your spreadsheets.
However, this has a potentially greater benefit
than merely ensuring that you comply with
regulations such as Sarbanes-Oxley. For
example, HM Customs and Excise describes in
its “Methodology for the Audit of Spreadsheet
Models” cases when auditors need to do no
more than a routine audit of spreadsheets
and, conversely, when spreadsheets require
more detailed (and extremely laborious and
expensive) testing: thus the use of a tool such
as ComplyXL can directly impact on auditors’
fees to reduce costs. Further, because the
spreadsheet is better understood it is easier
to spot errors within a spreadsheet and
thereby eliminate or reduce the consequential
costs that occur when erroneous business
decisions are made based on the faulty
information provided by error-prone
spreadsheets.
At present, ComplyXL does not understand the
concept of hierarchies, which will make the
product unsuitable for environments where
you are using spreadsheets for consolidation,
for example. Typically, ComplyXL should be
seen as a product that is most suitable for
SMEs (small to medium sized enterprises) and
departmental implementations in larger
companies.
page 47
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• ComplyXL provides an auditing facility for
spreadsheets that allows you to track all
the changes that are made to a spreadsheet
(including changes to associated functions
such as macros). Lyquidity describes this
function as version control though it would
be more accurate to call it snapshot
management.
• ComplyXL has facilities to allow you to
visually compare any particular changes of
interest, whether these are for formulae,
macros, changes to locked cells or
whatever.
• You may also view the history of a
spreadsheet with both changes and
approvals.
• There are two versions of the product (but a
single licence fee): one for internal use and
one for external third parties such as
auditors.
• Apart from support for hierarchies the main
additional feature that we would like to see
Lyquidity add to its product is the ability to
discover existing spreadsheets so that they
can be taken under its embrace, so to
speak.
• In addition to its compliance functions,
ComplyXL also includes a Formula Viewer
that makes formulae easier to understand
so that errors can be more easily
investigated and identified.
The bottom line
It is important to put ComplyXL in context.
Enterprise spreadsheet compliance solutions,
with all of the functions that one might expect,
typically cost 2 to 3 orders of magnitude more
than ComplyXL: that is, they are hundreds to
thousands of times more expensive. In our
view, these products are not hundreds to
thousands times better than ComplyXL.
Moreover, while there is a significant gap
between ComplyXL and these higher-end
products, a large part of that differential is
due to the lack of understanding of
hierarchies; as we understand that this is an
issue that Lyquidity is already considering how
to address, we can expect that gap to narrow
significantly. This will mean that while
ComplyXL probably offers better value today
than some of its more well-known
competitors, in the right circumstances, that
is even more likely to be true tomorrow.
Lyquidity ComplyXL
Vendor information
page 48
Background information
Product availability
Lyquidity was originally established in 2001 to
provide contract programming to companies
such as Microsoft and AXA Insurance.
However, the company’s founders had
backgrounds in business intelligence and
financial applications and soon recognised the
need for an answer to the spreadsheet
management problem engendered by the
popularity of Microsoft Excel. As a result, they
started to develop what became ComplyXL,
which was launched in spring 2006.
ComplyXL is currently in version 1.5 and there
are two versions of the product, both of which
are provided for the licence fee. These
versions are the Standalone Version and the
Excel Add-in Version. The former is intended
for auditors and similar professionals who
need to be able to connect to and inspect third
party spreadsheets, whether for conventional
auditing purposes or to support such things as
compliance to Sarbanes-Oxley. The latter, on
the other hand, is for internal use in
conjunction with your own spreadsheet
environment. The main difference between the
two products is that the Excel add-in can
automatically save new versions of a
spreadsheet as they are amended while with
the Standalone product this can only be done
manually (after all, these may not be your
spreadsheets that you are inspecting).
Typically, the Standalone version is copied
onto a USB memory stick for use and it
integrates with Excel via Internet Explorer
without needing Excel installed on the user’s
system.
The company’s business model is “try before
you buy”, with free downloads available from
the company’s web site so that you can try the
product out for a limited period before
licensing it. Pricing is based on a user and
server basis but the whole is relatively
inexpensive with a licence for unlimited use
being currently $8,995.
In general, Lyquidity is closely tied to a
Microsoft environment (Windows 2000 Service
Pack 2 or later) with the product having been
developed in C# and .NET. That said, Linux
web servers (Tomcat) are supported by the
Standalone version.
In the current version of ComplyXL
spreadsheet versions are stored in Excel,
however the company is planning to introduce
an Enterprise Version of the product in the
near future that will use a relational database
(Oracle, MySQL or SQL Server) to store
versions in. Details of the pricing for this
license are not yet available.
Financial results
Lyquidity is private and self-funded. At present
it consists of only a handful of people, though
they are variously located in the UK (head
office), Germany and the United States.
Thanks to Sarbanes-Oxley the United States is
probably the company’s biggest market.
Lyquidity web address: www.lyquidity.com
Lyquidity ComplyXL
Product description
page 49
Introduction
Spreadsheet management
Lyquidity has two major elements: various
facilities for managing and comparing
worksheets, workbooks and versions, which
can loosely be defined as providing
spreadsheet management; and the Formula
Viewer which, as its name suggests, is
intended to provide insight into the formulaic
aspects of spreadsheets. We will discuss each
of these in turn. However, before we do so, we
should mention one limiting factor in
ComplyXL, which is that it does not
understand hierarchies, at least in the present
release. If you only make occasional use of
these then that may not be an issue but if you
use them extensively then ComplyXL will not
be suitable for your environment.
ComplyXL is intended, as its name suggests,
to support compliance with Sarbanes-Oxley
and other regulatory standards. To do this
Lyquidity provides version control. If you are
using the plug-in version of ComplyXL then
the process of saving a version may be
automated so that a new version is created
whenever a spreadsheet is saved but you may
also do this on a manual basis. This has to be
the approach if you are using the stand-alone
version of the product. In both cases the
version is not limited to the spreadsheet per
se but also includes associated elements such
as macros, so the versions can be used to
track changes in macros as well as changes to
the visible spreadsheet. When you save a
version (whether automatically or not) the
software will give you the option to append a
comment to the snapshot. By default the user
will subsequently work with this latest
version.
In the forthcoming Enterprise Version of the
product, when a user opens a workbook
document a check is made to see
if the document being opened
has been changed on the server. 
If there is a later version the user
is alerted and has the option to
retrieve the most recent version. 
Note that this behaviour is
consistent with Microsoft’s
SharePoint Services versioning.
The Enterprise version will also
offer the administrator the option
to control whether or not added
versions can be made at any
time, security permissions
permitting, or only if the user is
working with the latest version
as held in the repository.  
Figure 1: Managing versions in ComplyXL
As shown in Figure 1, there are
facilities to add a version, export
a version, review a version,
delete a version, revert to a
version, as well as saving a
version to your clipboard. Note
how the date, person and
comments are shown.
Lyquidity ComplyXL
Product description
In order to view changes, Lyquidity provides a
reporting tool that allows you to visualise
changes that have been implemented within a
spreadsheet and to review the history of a
spreadsheet, including changes and
approvals. In the case of viewing changes,
ComplyXL includes a worksheet comparison
capability, which includes a function excluder
so that routine changes are excluded as well
as a change filtering capability that can be
used to highlight differences in macros,
formulae, locked and unlocked cells, blank
cells and so on. This is illustrated in Figure 2.
Figure 2: Screenshot of the worksheet comparison facility
Note that this is an overview of the whole
worksheet.  On the right hand side is the scroll
bar.  The background to the scroll bar is a map
of the rows of the worksheets. Each row
containing one or more differences is
represented by an orange line in the scroll bar
background.  One of the most powerful
features of the graphical display is its ability to
alter the criteria that identify two cells as
different. Using this feature you can have the
graphical display highlight only those
differences that are of interest (see the bottom
of the screenshot). Also, as the mouse moves
over the graphical display a note providing
summary information about the cells under
the mouse cursor is displayed. While this may
be enough to help the user identify the main
cause of a difference, more detailed
information about the cell may be required. 
For this purpose the ComplyXL graphical
display includes a section that is able to
display all known information about the
differences between two cells represented in
the display.
page 50
Lyquidity ComplyXL
Product description
page 51
Formula Viewer
The Formula Viewer is designed to help you
understand the logic built into your
spreadsheets and, thereby, help you identify
and correct errors. Typically, in Excel,
formulae are not easy to understand, at least
in part because they are written in a single
line. For example, =IF(Sum(EU9:
EU10)<EU11,0,Sum(EU9:EU10, EV9:EV10)EU11) is not exactly transparent. The Formula
Viewer, on the other hand, presents this in a
nested, hierarchical fashion, with values
inserted (as shown in Figure 3) so that it is
much easier to understand what is happening.
The display is updated automatically as you
move from cell to cell and as formulas are
updated so that you can see the structure of
any formula. 
Moreover, you don’t just have to do this after
the fact, you can also have the Formula Viewer
open while you inputting or amending
formulae and changes and additions will be
automatically reflected within the Viewer.
Further, you can collapse parts of a formula
that you are satisfied with, allowing you to
focus more closely on any problem areas, and
different elements of a formula are presented
in different (customisable) colours.
Alternatively, rather than by starting with a
formula you can start with an error by clicking
on a cell within the spreadsheet that is
displaying an error, which will bring up the
relevant formula. Now, because the Viewer
shows values, finding errors can be relatively
trivial. For example, you might find a
component cell within the Viewer that is
returning a value of #NAME!, which
immediately lets you know that you should
drill down into that cell.
Within the Viewer you can drill into any cell
references that are included in a formula and,
Figure 3: The Formula Viewer
where relevant, the product will offer you
display options such as whether you want to
see an array of cell values or a list of cells that
make up a particular range. An exploration
history is visually maintained so that you can
easily navigate back to earlier stages in your
investigations either by directly clicking on the
relevant item or by using the back button
provided. Finally, you can take a copy of the
exploded view provided by the Viewer and
paste that into a separate document at any
time, perhaps for documentation purposes.
Summary
Lyquidity is a small company with some good technology. However, like most such vendors its
biggest problem in the longer term will be marketing. At the moment, the company is very
much focused on getting its technology right, and that is fair enough, but we are pleased that
Lyquidity seems to be aware that it will need to encompass a more balanced stance between
technology and marketing in the future. If the company can get that right then it should
achieve the success that its technology merits.
ABS for Spreadsheet Compliance
Fast facts
page 52
There are two major categories of spreadsheet management products: control and compliance
tools and auditor’s tools. The former provide version control, security, auditing and so forth while
the latter provide facilities for checking formulae, discovering errors, complexity assessment and
so on. Some products combine these two sets of capabilities while there are others that have a
narrower focus such as security only or monitoring only. There is also a third class of product,
known as automation tools, which are designed to provide a development environment for
building new spreadsheet applications.
Mobius ABS for Spreadsheet Compliance is a spreadsheet compliance and control solution. It is
designed for you to control who can do what to your spreadsheets, to monitor and audit what they
actually do, and to ensure that you maintain consistency across linked spreadsheets.
Key findings
The bottom line
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
Mobius faces competition from a number of
other direct competitors, several of which
have a longer history within the market and
which include facilities such as discovery
capabilities and auditor’s tools. However, on
the one hand Mobius will be introducing
automated discovery into ABS for Spreadsheet
Compliance within the next few months and,
on the other, auditor’s tools are widely
available for a few hundred dollars. For these
reasons we do not see the current lack of
these features in the Mobius product as a
problem. In particular, Mobius has a long
history in retention management and
compliance, and this is reflected in ABS for
Spreadsheet Compliance. Moreover, the
company has a large existing user base that it
can be expected to sell this solution into. Thus,
despite its relatively recent entrance into the
market, we expect to see Mobius gaining
marketing momentum over the coming
months and years.
• The first thing that you want to do when
taking control of your spreadsheets is to
find out what spreadsheets you have.
Mobius does not yet have an automated
discovery tool for this purpose but it expects
to be introducing such a product during the
course of 2007. Once discovered, you can
use auditor’s tools to decide which
spreadsheets need to be brought under
central control.
• Once you know which spreadsheets need to
be taken under management, Mobius
provides facilities for automating the
process of loading those into the ABS for
Spreadsheet Compliance environment. The
product is particularly strong in terms of its
retention management (the company’s
background), version control and allied
capabilities.
• ABS for Spreadsheet Management provides
complete auditing capabilities, including the
ability to add electronic signatures as part
of its supported sign-off mechanisms.
There is also a reporting tool that allows
you to make ad hoc enquiries against the
user log.
• The product includes workflow-style
capabilities to provide review and approval
processes that include support for a
segregation of roles (which is best practice)
across authors (owners), editors, (internal)
auditors and users.
• We particularly like the template
capabilities provided that allow frequently
used spreadsheets to be reused on the
basis of these templates rather than relying
on making copies and the dangerous
practice of ‘zeroing out’.
• Extensive security capabilities are provided,
including the User Manager through which
you define (on a tick-box basis) user
permissions. The User Manager integrates
with LDAP directories and with Microsoft
Active Directory.
ABS for Spreadsheet Compliance
Vendor information
page 53
Creation
Enterprise archiving & records management
Usage
9Zh`ide
6eea^XVi^dch
8VeijgZ
8jhidbZg
HZgk^XZ
>cYZm
H]VgZEd^ci
DeZgVi^dch
Hjeean8]V^c
6gX]^kZ
:bV^a
Z8dbbZgXZ
6jY^i
;Vm
HZVgX]
G^X]BZY^V
9^heaVn
>bV\^c\
IgVchVXi^dch
=daY
8dbejiZg
6eea^XVi^dch
9^hedhZ
E]nh^XVa
Di]Zg
GZedh^idg^Zh
BVg`Zi^c\
HVaZh
;^cVcX^Va
GZedgi^c\
GZXdgYhVcY
ZbV^aB\bci
A^i^\Vi^dc
Hjeedgi
Z9^hXdkZgn
8dbea^VcXZ
H]VgZEd^ci
BdW^jhHd[ilVgZHdaji^dc
Figure 1: Mobius Records Management
Background information
Mobius is 25 years old (it was founded in 1981) and its background is in document, records and
content management and, more broadly, in managing digital information in general. Figure 1
illustrates the breadth of Mobius’ capabilities.
As a significant part of the company’s activity it has developed relevant compliance solutions for
archival, record and email management and so forth and, in particular, in 2002 it introduced the
Mobius Audit and Balancing System (ABS) as a data quality control tool that automates crossplatform, cross-application report balancing with full audit capabilities. In 2006 a specific version
of the ABS product was introduced to provide enterprise spreadsheet management, known as
ABS for Spreadsheet Compliance.
The company uses a direct sales model and although it is early days for the ABS for Spreadsheet
Compliance product, the company has nearly 1,400 existing customers world-wide that it can
leverage. This is in sharp contrast to most other vendors of spreadsheet management solutions,
which tend to be much smaller, specialist suppliers that do not have an existing user base to
exploit.
The company reports that sales in the United States are primarily to financial departments where
there are concerns about Sarbanes-Oxley and other relevant regulations. Outside the United
States it has reported more widespread enterprise level interest in its solution.
Mobius web address: www.Mobius.com
ABS for Spreadsheet Compliance
Vendor information
page 54
Product availability
Financial results
The current version of ABS for Spreadsheet
Compliance is 4.2, although that represents
the longevity of the ABS solution as a whole
rather that the spreadsheet product itself. It is
sold either as a stand-alone application or in
conjunction with Mobius ViewDirect, which is
the company’s records management solution.
The advantage of the latter approach is that it
provides a richer archival capability so that,
for example, you can store notes along with
your spreadsheets within ViewDirect whereas
ABS for Spreadsheet Compliance has a more
limited capability.
Mobius is a public company traded on the
NASDAQ. In 2003/4 it made a profit (net
income) of $4.8m but this turned into a loss of
$2.7m in 2004/5. In its most recent year,
2005/6, the company turned this around to the
extent that net income was once again positive
at $2.1m on total income that increased to
$89.2 compared to the previous year’s
$77.7m. In the current financial year this
improving trend continued in the first quarter
but, in the second quarter, despite increased
revenues, the company recorded an operating
loss though net income was actually improved
compared to a year previously, thanks to an
advantageous tax position. According to the
company’s CEO this was, at least in part, due
to “the learning curve associated with new
direct sales staff added and delays in
executing on our new channel sales program”.
Hopefully, the latest results are merely a blip.
Moreover, recruitment of both direct and
indirect sales staff bodes well for the future.
The product does not yet support Excel 2007
although this is expected later during 2007
and at the same time we can expect to see
support for non-Mobius repositories
(particularly SharePoint—Mobius has a
partnership with Microsoft). Expected rather
sooner (mid-year) is an inventory utility that
will automatically discover existing
spreadsheets along with relevant metadata.
ABS for Spreadsheet Compliance is available
in a free trial version that includes both
installation and training. A typical price for a
complete installation would be in high five or
low six figures.
The company is headquartered in the United
States and has 450 employees. It has offices in
Australia, Canada, France, Germany, Italy,
Japan, the Netherlands, Sweden, Switzerland
and the UK, and it also has agents across
South and Central America, the Far East and
in South Africa and Portugal. However, these
partners specialise in Mobius’ document and
content management products rather than its
spreadsheet solution. For this product, Mobius
has a number of partners in the US (including
Deloitte and Grant Thornton, amongst others)
and Protiviti in the UK.
ABS for Spreadsheet Compliance
Product information
page 55
The first thing that you want to do when you
have decided to take control of your
spreadsheets is to discover what spreadsheet
assets you already have. At present Mobius
does not offer such an automated discovery
mechanism though this is planned for release
during the course of 2007, so this will be a
manual process for the moment.
Once you have discovered your spreadsheets
you need to determine which of them need to
be brought under central control. While you
might wish to do this for all such assets
eventually, the sheer number of spreadsheets
present in most organizations means that it is
likely that you will want to do this in an
incremental fashion, beginning with those
spreadsheets that are most mission-critical or
represent high risk to the business, as well as
those that you need to manage for compliance
reasons. In part this is simply a business
decision for which no software can provide
assistance but it may also be a function of the
complexity (references, formulae, macros and
so on) and size of the relevant spreadsheets. A
number of inexpensive auditor’s tools are
available on the market to help with this
analysis.
Figure 2: Complete audit trail of repository
system also means that you can enforce usage
of the most current version of a spreadsheet.
The repository also stores a complete audit
trail (see Figure 2) of all changes to a
spreadsheet along with who made what
change and when. If there are any formulae
that auditors have highlighted as problematic,
then any changes to these can identified
separately. Note that while you can sort the
results of this audit for presentation purposes
it is not possible to turn this auditing function
off. The audit trail is a part of the review and
approval process (see next section) in ABS.
Once you know which spreadsheets you want
to actively manage then Mobius provides the
ability to import either single spreadsheets or
entire folders into the ABS environment,
where the product’s central repository mirrors
the original folder structure so that users will
see no difference to their use of spreadsheets.
Repository
Unlike other vendors in the spreadsheet
management market Mobius is a specialist in
records retention management and it offers
facilities in its repository that go further in its
capabilities than most competitive products. In
particular, you can use the company’s
retention management features for managing
the archival of spreadsheets over whatever
period is necessary. We know of no other
vendor in this market that has such a
capability.
In addition, while most vendors of spreadsheet
management solutions offer some sort of
version control, this is rarely comprehensive:
often it relies, at least in part, on Microsoft
SharePoint. Mobius, on the other hand,
provides all the sorts of features you would
expect from a comprehensive version control
system without requiring you to use
SharePoint (though the company will support
SharePoint as an option later in 2007). In
particular, ABS includes full check-in/checkout capabilities, which most other vendors do
not. The advantage of this is that it means that
multiple authors, editors and auditors can
work on the same spreadsheet in a managed
fashion. The use of a full version control
Figure 3: The system audit log
Further, you can query the system audit log,
as shown in Figure 3, at any time. This allows
you to define your own reporting requirements
via the product’s Report Manager. So, for
example, you could run a report looking at all
activity by a particular individual or you could
look at all items that were rejected. This sort
of capability can be useful for fraud detection.
In addition to its audit trail, the repository also
records details of each time that each
spreadsheet was ‘run’. As previously noted,
while ABS has its own repository and can be
used as a stand-alone product, it can also be
implemented in conjunction with ViewDirect,
ABS for Spreadsheet Compliance
Product information
page 56
Figure 4: Review / approval screen
which will enable such things as notes,
approvals and so forth to be stored in the
repository alongside the spreadsheets to
which they refer.
Workflow
In the previous section we have referred to
both approvals and a variety of different types
of people that may interact with spreadsheets.
These are all enabled through ABS’ workflow
capabilities, which allow you to set up
approval processes and to ensure that roles
are segregated between authors (owners),
editors, (internal) auditors and users.
The workflow in ABS does not use a graphical
palette for defining your processes. Normally,
we would criticise this approach as we find a
graphical approach to be more intuitive.
However, bearing in mind that this is an Excel
environment, then it seems reasonable to use
Excel for this purpose, though Mobius has
needed to add some additional (non-Excel)
facilities such as the review/approval screen
illustrated in Figure 4.
Here you can see a typical approval process in
which there may be many people within the
workgroup that wish to review the
spreadsheet but only one person is authorized
to approve or reject it. In some cases, where
segregation of duties is formally applied, for
example, then there may be multiple stages in
the approval process.
Additional facilities include the ability for
reviewers or others to append comments to a
spreadsheet and a facility to add an electronic
signature to certify that this has been
approved (which is important for SarbanesOxley compliance). Further, you can use this
workflow to automate financial close activities
such as reconciliation.
Consistency
The third aspect of ABS for Spreadsheet
Compliance is consistency. In this respect,
ABS addresses the problems that arise when
spreadsheets are reused on a periodic basis.
What tends to happen when a spreadsheet is
used monthly (for example) is that the
previous spreadsheet is ‘zeroed out’ and then
reused. The danger is that when you do this
you may delete formulae or formatting details
by mistake. In order to prevent this, ABS
supports the use of templates. This allows you
to build a template, complete with all relevant
formatting, formulae and so forth, which can
be deployed as required. At the same time you
can lock all the cells (or worksheets) that
users should not touch leaving them simply to
input relevant data into allowed cells. The net
effect is that you reduce the likelihood of
errors.
In addition, there is the issue that
spreadsheets often include links to other
spreadsheets and you need to ensure that
when you update one spreadsheet that all
linked spreadsheets are similarly updated, as
appropriate. Further, what if one spreadsheet
has been taken under central control but
linked spreadsheets have not?
In order to resolve these issues Mobius
includes all details of external links within its
repository to ensure consistency of updating.
This facility will also highlight broken links
where the linked spreadsheet has not been
updated when it should have been.
ABS for Spreadsheet Compliance
Product information
page 57
Security
Finally, ABS for Spreadsheet Compliance
provides access control and security. We have
already considered some aspects of this, as in
the use of templates that allow developers to
lock cells and worksheets so that users can
only update those details that they are allowed
to access. However, as we have discussed,
there are multiple roles that interact with
spreadsheets and there are also a wide
number of actions that these various people
might want to perform. In order to provide
support for these, Mobius provides its User
Manager, illustrated in Figure 5, which allows
administrators to define relevant permissions
in an easy-to-use manner. Note that ABS
integrates with LDAP directories and Active
Directory so that you can reuse details (such
as passwords) therefrom.
Summary
Mobius is in an interesting position with
regard to the enterprise spreadsheet
management market: on the one hand it is a
relatively late entrant and it has relatively few
users; on the other, it is a well-established
public company with a large and prestigious
user base. However, it is only just recently that
the market has really started to take off and if
we take lessons from other markets in a
similar position we can see that early entrants
are frequently overtaken by established
players that come into the market later. In our
opinion, it is very likely that the same will
happen to Mobius. While there are other
companies in this sector that have some
longevity, none of them have the size or
international reach of Mobius. We therefore
expect Mobius to become a leading vendor in
this market within a relatively short space of
time.
Figure 5: The User Manager
Operis Analysis Kit (OAK)
Fast facts
The market for providing complementary
products to Microsoft Excel comes from two
directions: business intelligence vendors
aiming to provide additional functionality,
especially in the area of automation and
development, and a second group of suppliers
that address this market from the perspective
of governance and compliance, providing the
auditing, security and control that is lacking in
Excel. In this latter category there are two
broad categories of products: control and
compliance tools and auditor’s tools. The
Operis Analysis Kit (OAK) is a suite of tools
that addresses the auditor’s market.
That said, Operis’ background is in financial
modelling either at a corporate or at a project
level and OAK has been developed to assist in
that process both from an analysis and a
development perspective. This could mean
that OAK would represent overkill for some
types of auditing requirement where
spreadsheets are only used for relatively
simple purposes. In addition, OAK also
includes features that will make the
developer’s life easier as opposed to those for
pure auditing purposes.
page 58
Bottom line
Operis has a significant number of companies
using its product (around 500), which is
substantial given that OAK is not the
company’s primary focus. In particular, the
product has model-specific features (notably
the summary report, see later) that we have
not found in other tools in this class, which is
why OAK is evidently popular amongst
financial modellers. However, for more
general use, OAK is at the top end of the price
bracket for auditor’s tools and lacks some of
the functionality that other vendors can offer,
albeit that we prefer the visualisation offered
by Operis.
Operis Analysis Kit (OAK)
Vendor information
page 59
Vendor background
Product availability
Operis is a UK-based consulting firm that was
founded in 1990. It specialises in corporate
and project finance, working in a number of
vertical sectors, with services that include
financial modelling, model audit, training, and
tax and accounting services. As a part of these
services the company developed what is now
OAK for internal use in 1992. As far as we
know, this makes OAK the oldest established
spreadsheet management product on the
market, though it was not the first to be made
commercially available.
OAK was first formally released in 1998 with
version 3 being launched in 2004. The current
version of the product is 3.50, which has just
been released (Spring 2007). This is entirely
written in C# (a migration to which has been
ongoing for some time). The product supports
Excel ’97, 2000, 2002 and 2003/XP users.
Support for Excel 2007 will be introduced with
version 4.0 later this year.
Free trial downloads of OAK are available
through the company’s web site with prices
for a fully licensed version starting at £395,
with discounts for multiple licenses. However,
the details provided about the product on the
site are sparse and it is most likely that
customers will be introduced to the product
through Operis’ consulting services. One
notable customer, not least for its research
into the requirements of spreadsheet
management, is PriceWaterhouseCoopers,
which has a licence covering all of its staff in
Germany and the UK.
Operis web address: www.operis.com
The company’s policy is that free upgrades are
provided for each version of the product within
the same numbered series, these upgrades
being made available roughly every three to
four months. Thus, if you had licensed version
3.20 then upgrades to 3.30, 3.40 and 3.50
would have been free. However, there is
normally an upgrade charge to move from one
major version to another: currently £89 to
migrate from earlier versions to version 3. The
same can be expected for version 4.
Support is via email and there is also a web
link for feedback. Internationalisation is
supported.
Operis Analysis Kit (OAK)
Product description
page 60
Introduction
Operis describes OAK as a product that helps
in both the analysis and development of
spreadsheet models, though in the latter case
these are helpful utilities rather than the
automated development environments that
are provided by some (much more expensive)
products.
Analysis tools
There are a number of tools in this category,
of which the most significant are as follows:
• Model mapping—this is designed so that
you visually inspect a spreadsheet to see
where formulae have (or have not) been
copied across cells, to show text constants
and so forth. Unlike some other tools of this
type, OAK uses (customisable) colour
coding as well as symbols (as shown in
Figure 1) to show the relationships that
exist between cells (and errors), which we
find to much more intuitive than other
approaches.
• Formulae functions—there are a number of
these, including facilities to determine
where best practice rules have been broken
(for example, where two worksheets both
contain formulae that reference each
other), the ability to see precedents (but not
dependents), formulae ranking in order of
complexity, a formula optimiser that
removes redundant elements from a
formula, and a tool to locate formulae that
are the sources of error values.
Figure 1: Using colour coding and symbols showing relationships and errors
• Summary report—this details the
composition of any particular model with
details that include the number and names
of sheets, together with statistics such as
how many merge cells there are, how many
array tables and so on. An example is
illustrated in Figure 2.
In addition, there are a number of other tools,
including a Spreadsheet Comparison tool that
allows you to inspect the differences between
two versions of the same spreadsheet or two
different spreadsheets, a tool to identify all
cells that are not used in calculations, the
ability to identify and display hidden sheets
and cells, and various features that enable the
discovery of errors.
Figure 2: Workbook summary report
Operis Analysis Kit (OAK)
Product description
page 61
Development utilities
Summary
There are extensive features provided in
support of names including abilities to:
Operis is not primarily a software provider. It
is likely, therefore, that the product could be
used much more widely than it is. However, it
does have features that will not be useful for
all spreadsheet users. On the other hand, as
we have noted, there are features found in
other products that are not in OAK. If you a
financial modeller you should certainly
consider the use of OAK. If not, OAK may still
be suitable but you will need to ensure that
the product matches your requirements and
that it is not an issue that the product has
features that you may not need.
• Modify names to correct misspellings.
• Define local names.
• Apply (and de-apply) multiple range names.
• Delete multiple names.
• Replace range names with cell references
throughout a worksheet.
In addition there are facilities to reproduce
formulae and to insert or delete rows or
columns through arrays. In the latter case
there is an extended facility that automates
deletions based on having compared two
versions of the same spreadsheet.
Prodiance Spreadsheet Compliance
Fast facts
page 62
Prodiance Spreadsheet Compliance consists of a suite of products that forms a subset of the
Prodiance Enterprise Compliance Platform. The main two products within the Spreadsheet
Compliance suite are Prodiance Spreadsheet IQ, which provides spreadsheet discovery, inventory
and analysis capabilities, and Prodiance Spreadsheet Compliance Manager, which provides
control and compliance capabilities. These may be implemented independently or together. In
addition, these are complemented by Prodiance Link Migration Manager and Prodiance KPI
Dashboard.
You may also choose to use other components of the Prodiance Enterprise Compliance Platform
as a part of a spreadsheet management solution, most notably Prodiance BPM (business process
management), which provides workflow capabilities. You might also choose to use Prodiance’s
own content management software for version control and similar capabilities, though both
Microsoft SharePoint and EMC Documentum are also supported.
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• When taking control of your spreadsheets
the first thing to do is to discover where they
are and what they are. Prodiance offers
federated search and inventory reporting
capabilities built into Spreadsheet IQ (it is
actually licensable as a separate product as
well) that will do this.
• Once discovered, spreadsheets need to be
integrated into the content management
repository. This can be dangerous because
it is often the case that spreadsheets have
links to one or more other spreadsheets
and these links can easily be broken if
migration is a manual process. And, of
course, such a process is time consuming
and tedious. Prodiance provides its Link
Migration Manager to not only automate the
process of moving spreadsheets into the
repository but also to ensure that all links
are maintained correctly.
• Spreadsheet IQ provides analysis tools to
help you identify common errors and to
determine the risks associated with each
spreadsheet. These details can help you to
decide which spreadsheets you need to
concentrate on. Spreadsheet IQ also
provides graphical dependency mapping
between cells, worksheets and workbooks
so that you can investigate spreadsheet
links; as well as a colour-coded facility for
spreadsheet mapping.
• For those spreadsheets that you are
focusing on, Prodiance provides a KPI (key
performance indicator) dashboard that
allows you to monitor the state of those
spreadsheets and their associated risks.
• We particularly like the graphical
capabilities, reporting and documentation
offered by Prodiance.
• The Spreadsheet Compliance Manager,
particularly if used in conjunction with
Prodiance BPM, supports the segregation of
duties (that is, separate roles for authors,
editors, auditors and users), electronic
signatures and the definition of review
processes, as well as the ability to track and
audit changes. Version control is supported
as are spreadsheet comparisons and
differencing.
The bottom line
While Prodiance is by no means a market
leader in the enterprise spreadsheet
management marketplace in terms of the
number of its customers (mostly because it
has come to market later than some of its
rivals) we certainly regard it as a market
leader in terms of its capabilities. In
particular, the company offers a breadth of
capability that few, if any, of its competitors
can match. We also feel that its graphical
capabilities (not least for workflow) are
superior and more intuitive. As this market
continues to expand we expect Prodiance to
establish itself as a leading vendor regardless
of how you define that term.
Prodiance Spreadsheet Compliance
Vendor information
page 63
Background information
Prodiance is a spin-off from Scientific
Software, which was previously (since the
early 90s) a specialist compliance software
provider to the pharmaceutical market.
However, that company was acquired by
Agilent Technologies in 2005 and, at that time,
Prodiance was set up to develop and market
compliance solutions outside of the
pharmaceutical sector, where Agilent
continues to market its software. Prodiance
and Agilent have a joint development
agreement so that the two company’s
solutions continue to share common
technology but whereas Agilent is focused on
meeting FDA (Federal Drug Administration)
requirements, Prodiance is focused on
compliance more generally.
The company is focused particularly on
financial services, especially banking, and it
uses a direct sales model. Outside the United
States, Prodiance leverages partnerships for
this purpose. The company currently has two
resellers in the UK (Trintech and Quartus
Solutions), one in Israel and it has a
partnership with Atos Origin in the Far East.
Prodiance web address: www.prodiance.com
Product availability
The Prodiance Enterprise Compliance
Platform consists of a variety of products that
provide not just spreadsheet management
capabilities but also a number of other
functions, which include:
• Prodiance Database IQ, which provides
change management and analysis
capabilities for Microsoft Access databases.
• Prodiance Search, which provides federated
search capabilities across multiple content
sources. Some of this product’s capabilities
are leveraged by Spreadsheet IQ.
• Prodiance Business Process Manager,
which provides workflow and business
process management capabilities. While
this is a general-purpose tool its
functionality may be used within a
spreadsheet management environment to
support review processes and the
segregation of roles, so this product will be
discussed within that context in the body of
this review.
• Prodiance Enterprise Content Manager,
which is a stand-alone content management
solution. This can be used to support
spreadsheet management but Prodiance
also supports both Microsoft SharePoint
and EMC Documentum for this purpose.
This review discusses Prodiance
Spreadsheet Compliance in terms of its use
with SharePoint.
In terms of Prodiance Spreadsheet
Compliance the first product that the company
introduced (actually when the company was
still part of Scientific Software) was
Spreadsheet Compliance Manager, which is
currently in version 4.2. More recently it
released Spreadsheet IQ, which is currently in
version 2.1. Both products can be used
independently or in conjunction.
Prodiance supports versions of Excel from
Excel 2000 onwards, though it prefers Excel
XP or later because of the richer APIs that are
available within the later products. That said,
provided you have a copy of Excel 2000 or later
running, Prodiance can be used to manage
spreadsheets based on earlier version of
Excel. As far as platforms are concerned the
server needs to be Windows 2003 based
(support for Windows Vista is currently being
tested) while clients may be using Windows
2000 or above. Spreadsheet Compliance
Manager provides detailed audit trails for
spreadsheet changes down to the cell level (in
which case either Oracle or SQL Server is
required as a database) while files may be
managed through a variety of content
management repositories, including Microsoft
SharePoint, EMC Documentum, Windows
NTFS, or Prodiance ECM. This report is based
on how Prodiance works in conjunction with
Excel 2007 and SharePoint 2007 but
comparable facilities can be expected in other
environments.
Financial results
Prodiance is privately owned and is angel
funded as opposed to venture capital backed.
It has 15 employees at present.
Prodiance Spreadsheet Compliance
Product description
page 64
Architecture
EgdY^VcXZ@E>9Vh]WdVgY
The architecture of the Prodiance Spreadsheet
Compliance solution is illustrated in Figure 1
and we will discuss each of the major
elements (the Compliance Manager,
Spreadsheet IQ, the Link Migration Manager
and the Prodiance KPI Dashboard) in turn.
BVcV\ZbZciGZedgi^c\d[`Zng^h`VcYeZg[dgbVcXZ^cY^XVidgh
While this high-level architecture shows the
major elements within Prodiance it is worth
noting that there are also lower-level
components such as the Documentation
Manager and Federated Search.
EgdY^VcXZHegZVYh]ZZi8dbea^VcXZBVcV\Zg
The first thing you need to do when you are
going to take control of your spreadsheets is to
find out what they are and where they are,
because most companies don’t know. To do
this, Prodiance provides a Federated Search
capability embedded with Spreadsheet IQ that
will automatically discover all the spreadsheets
that exist on your corporate network. In fact, if
you use the stand-alone Federated Search
product (see screenshot, Figure 2) it will not
just discover spreadsheets but also PowerPoint
files, Access databases and other end-user
computing resources. Alternatively, you can
narrow down your discovery process by using
the product’s keyword search capabilities so
that you can look for specific spreadsheets or
other resources.
:cYJhZgh
G^h`"WVhZY6cVani^Xh!>ckZcidgn!9dXjbZciVi^dc!8Zaa$Ldg`Wdd`
9ZeZcYZcX^Zh!Bjai^"Ldg`Wdd`GZedgi^c\!BVcV\ZbZciGZedgih
8Zaa8dadgHX]ZbZh!:ggdg8]ZX`^c\
8]Vc\Z6jY^i^c\GZedgi^c\!8ZaaAdX`^c\!9^[[ZgZcX^c\
6aZgihVcYCdi^[^XVi^dch
B^Xgdhd[iD[[^XZ
:mXZa'%%,
EgdY^VcXZA^c`
B^\gVi^dcBVcV\Zg
HegZVYh]ZZiB^\gVi^dc
A^c`JeYVi^c\
6cVanh^hd[XdbeaZm
[^cVcX^VaYViV
B^Xgdhd[iD[[^XZH]VgZEd^ciHZgkZg'%%,EaVi[dgb
9dXjbZci8daaVWdgVi^dc
Ldg`[adl
KZgh^dc8dcigda
GZXdgYhGZiZci^dc
9dXjbZciHZXjg^in
8]ZX`>c$8]ZX`Dji
6XXZhh8dcigda
:mXZaHZgk^XZh
:GE
7>
7EB
:ciZgeg^hZ
6eea^XVi^dch
Figure 1: Architecture of Prodiance Spreadsheet Compliance solution
Once you have discovered your spreadsheets
these can be saved within the Prodiance
environment as ‘inventory files’ and you have
the option to automatically or manually update
these subsequently, as required. However,
moving spreadsheets into management is not
simply a question of copying a file from one
environment to another. In particular, there is
the question of linked spreadsheets. Where you
have spreadsheets that have links to one
another it is important that these links remain
intact as spreadsheets are brought under
control. This is the function of the Prodiance
Link Migration Manager, which automatically
migrates all links as your spreadsheets are
moved into the SharePoint (or other) repository.
The actual way that Federated Search works is
that you install a copy of the software onto one
or more desktops and then this indexes all
relevant data in the background, using spare
CPU cycles, so that there is no impact on
normal performance. As this software is
running continuously it can notify you
automatically if any changes are made to the
spreadsheets under supervision. Finally, in so
far as Federated Search is concerned, it
generates a Workbook Inventory Report that
pulls together metadata about the
spreadsheet, collating file information,
formulae and calculation statistics, and
worksheet statistics.
Figure 2: Screenshot of the Federated Search capability
:mZXji^kZh>ciZgcVa6jY^idgh
Link Migration Manager
EgdY^VcXZHegZVYh]ZZi>F
Prodiance Spreadsheet Compliance
Product description
page 65
Spreadsheet IQ
In large organisations there will often be
thousands of spreadsheets and it is unlikely
that you will wish, at least initially, to manage
all of these in any comprehensive way. You will
almost certainly choose to focus your efforts
on those spreadsheets that expose the
company to the most risk. Assessing which
spreadsheets fall into this category is a twofold process that requires a bit of (financial)
expertise: first, it is to do with the complexity
of the spreadsheet (on the basis that the more
complex it is the more likely it is to contain
errors) and, secondly, it is to do with the
spreadsheet’s importance to the business: a
sales reporting spreadsheet, for example,
might not be regarded as being as important
(or dangerous) as a statement of earnings
spreadsheet (especially as an error in the
latter may result in a jail sentence). Assessing
the importance of a spreadsheet to the
business is, necessarily, a business function
that cannot be automated. However,
discovering the complexity inherent in any
particular spreadsheet certainly can be
automated and this is, in part, what Prodiance
Spreadsheet IQ does.
Figure 3: Workbook Analysis Report
As we have already noted, the Federated
Search element of Spreadsheet IQ prepares a
Workbook Inventory Report based on the
spreadsheets it discovers. You can then go
further, and use the software to analyse
individual spreadsheets, with the software
producing an appropriate Workbook Analysis
Report as illustrated in Figure 3 (note that the
Inventory report is similarly formatted). When
generating this report you first go through a
tick-box process in which you tell the software
what details you want to see in the report, so
that it can be as detailed or concise as you
like.
In this screenshot note the identification of
‘very hidden sheets’. These occur when
worksheets are hidden programmatically.
Their presence is often an indication of fraud.
The software will also detect such things as
cells that are printed in white on a white
background (thus hiding the data) as well as
data that is hidden behind graphics.
Figure 4: Cell dependencies
Other features of Spreadsheet IQ include the
ability to determine precedents and
dependents, not just at the spreadsheet level
but right down to worksheet and cell levels.
This is important in order to understand the
impact of any changes that you might make,
and for tracing the impact of formula errors.
Figure 4 shows cell dependencies. One can
easily see how difficult it would be to
encapsulate this information without the aid of
graphics such as this.
The product also includes the ability to
generate documentation, which is stored
Figure 5: Cell painting tool
Prodiance Spreadsheet Compliance
Product description
page 66
alongside the spreadsheet to which it refers.
Multiple options are available to generate
documentation at the inventory, spreadsheet,
worksheet and cell levels. Finally,
Spreadsheet IQ includes a cell painting tool so
that you can apply colour coding to formulae,
errors, input cells and so on. This is illustrated
in Figure 5 and means, for example, that you
can easily see where a formula has been
copied across a row but when one cell
contains a constant (say) instead of that
formula. It also allows for the identification of
inconsistent formulas and missing input data.
For example, in Figure 5 visual inspection will
determine that the COO had no salary in the
first quarter and that the same individual has
an inconsistent formula in his row for Q2
costs.
There are no facilities to inspect formula logic.
That said, this capability can be had from
specialist vendors for a few hundred dollars.
Figure 6: Auditing, tracking and change management for critical spreadsheets
Spreadsheet Compliance Manager
Spreadsheet Compliance Manager provides
auditing, tracking and change management
for critical spreadsheets. Once again, this can
be down to cell level and you can track
changes to cell data, formulae, macros,
named ranges and so forth. Figure 6 shows an
example. Note that changes are timestamped, not with the time that the
spreadsheet was saved but at the actual time
that the change was made (as required by
Sarbanes-Oxley). Indeed, you could make a
change to a cell and then change it back to its
original state and this would still be recorded
in the audit trail. In addition, audit trails are
encrypted and cannot be altered by users.
Note that reason codes may be required
though it would also be useful if you could
force a more detailed explanation be
appending a note to the spreadsheet.
In addition to auditing, Compliance Manager
provides comparison capabilities, as
illustrated in Figure 7. As can be seen there is
a compare detail capability that allows you to
easily see the differences that exist between
spreadsheets (or, in this case, versions of the
same spreadsheet). This is especially
important when different versions of the same
spreadsheet may have had additional rows or
columns added to them, meaning that they do
not easily line up for visual comparison.
Version control with check in/out, archival
capabilities and so forth is, of course, provided
by Microsoft SharePoint or through
Prodiance’s own ECM product or its
integration with Documentum.
Spreadsheet Compliance Manager also
provides security, using a role-based
approach centred around users, groups, roles
and privileges. In addition, if the Prodiance
BPM product is used then this supports the
Figure 7: Comparing two spreadsheets in Compliance Manager
inclusion of electronic signatures and routing
of documents for approval. More particularly,
this also brings workflow into the spreadsheet
management environment.
Workflow in the Prodiance environment is
much more graphical (see Figure 8) than most
other products in this sector, which we
consider to be an advantage. You can use this
for defining review/approval processes for
individual or groups of spreadsheets,
including the definitions of the relevant roles
of authors, owners, (internal) auditors and so
on, which is known formally as the
segregation of roles. Further, Prodiance BPM
can be used to define spreadsheet application
processes so that, for example, you could use
it to define the processes associated with
reconciliations, budgeting or consolidation.
This includes the generation of tasks and task
lists, email notifications and so forth that can
be sent to relevant parties.
Prodiance Spreadsheet Compliance
Product description
page 67
This is an important point. Spreadsheets are
used for many purposes. Some of them are for
one-off purposes while others are used on a
repeated basis. In the latter case, these are
often described as being spreadsheet
applications (as opposed to spreadsheets per
se) because they have logic that often flows
across multiple spreadsheets. However, most
vendors of enterprise spreadsheet
management solutions treat both of these
environments as the same, or they only target
one or the other. Because Prodiance has fullblown workflow capabilities it is able to handle
both environments, which should be an
advantage compared with many of its
competitors. The Prodiance solution can also
leverage the workflow and BPM capabilities
built into SharePoint or Documentum
systems.
KPI Dashboard
Figure 8: Workflow in the Prodiance environment
Finally, the last part of Prodiance Spreadsheet
Compliance is the KPI dashboard (illustrated
in Figure 9), which uses conventional
dashboard techniques, such as traffic lights,
to monitor risk and performance indicators.
Here, too, workflow and document approval
status and task lists may be presented so,
arguably, it would be more correct to call this
a portal rather than a dashboard. As one
would expect, the dashboards can be set up
according to user needs so that you might
typically have different executive versus
reporting dashboards, as an example.
Security
Document-level security is provided through
the various content management systems
supported by Prodiance (as already discussed)
but there are also a number of other security
aspects of the product that are worth
mentioning. These features include Digital
Rights Management encryption so that
sensitive spreadsheets can be encrypted for
use only by authorised LDAP users and
groups; the ability to lock down access to
spreadsheet macros and queries, so that
users cannot change calculations and the like
after these have been tested and verified; SSL
encryption that is used when spreadsheets are
up or downloaded; and security facilities to
ensure that, in the event of Excel crashing,
then the recovered files remain secure. In this
last case, Prodiance works by encrypting
locked cells which are recognised by the
application even when reading the recovered
temp file.
Figure 9: KPI Dashboard
Prodiance Spreadsheet Compliance
Product description
page 68
New product release
Summary
Almost immediately prior to publication of this
report (May 2007) Prodiance announced a new
version of its product. The main features of
this new release are:
Prodiance offers a rich overall environment
and the company is very well placed to take
advantage of the rapid growth that we are
currently seeing, and expect to see more of, in
the enterprise spreadsheet management
market. As previously noted, we anticipate
that the company will establish itself as a
leading vendor of spreadsheet management
solutions.
1. It will support browser-based thin client
access (based on AJAX) technology, which
means that there is no client-side software
installation required but that spreadsheet
data can still be updated dynamically. Note
that a thick client version of the user
interface will remain available.
2. Centralised administration, management
and reporting will be provided so that IT
personnel can control the infrastructure
used to manage your spreadsheets more
easily.
3. There is a new ‘smart audit’ capability. This
will be able to recognise, for example, that
if you insert a new row into a spreadsheet
then that is only a single change—all the
rows below it have not, in any intrinsic
sense, changed. There are also a number
of other new auditing features as well as
support for more data connectors.
4. Enhanced integration with SharePoint
2007, including new user interface menus,
key performance indicators to support its
dashboard, and integration with SharePoint
workflow.
5. Auditing and compliance features for
Microsoft Access databases.
Qtier-Rapor
Fast facts
Qtier-Rapor is an enterprise spreadsheet
management product that offers both control
and compliance and an automation solution
for the development and deployment of
spreadsheet applications. By ‘spreadsheet
application’ we mean those repeatable
processes that are enabled via spreadsheet
such as sales reporting, budgeting and
planning, financial consolidation and so forth.
Automation is the company’s lead focus and it
is important to appreciate the significance of
this. What it means is that Qtier is offering, in
effect, an IDE (integrated development
environment) for developing spreadsheet
applications. Now, development environments,
as a matter of course, include such things as
version control, testing, debugging and so
forth, and Rapor is no exception. This has
important implications with respect to control
and compliance and, for that matter, with
auditing requirements (such as spreadsheet
comparisons, error detection and so on) since
many of the functions deemed necessary for
these areas are actually embedded within the
automation aspects of Rapor. In other words,
and this applies to automation tools in
general, the more you automate the
development of spreadsheets, and treat
spreadsheets as corporate assets, the lower
the additional requirements you have for
control and compliance and auditing tools. As
we have mentioned, Qtier does offer control
and compliance capabilities (but not auditing)
in addition to automation but it is important to
recognise that the features provided build
onto those within the automation part of the
product and they should not be thought of in
isolation.
page 69
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• Perhaps the biggest single advantage of
Qtier-Rapor is that you only ever have a
single master of any particular spreadsheet.
If different users need amended copies of
any particular automated spreadsheet then
these are generated at run-time, based on
user-specific criteria. This means that the
management and auditing of spreadsheets
should be much, much easier.
• Qtier-Rapor does not help you to design the
logic that is internal to any spreadsheet or
related application. What it does help you to
do is to make it simpler to populate your
spreadsheets with data derived from
external sources, to validate that data, to
define dependencies (this process has to be
completed before that process), to identify
relationships across spreadsheets, to
schedule the production of spreadsheets
(those that are not to be generated in realtime) and so on. In other words, its
automation functions help you to define how
your application (and data) flows across
multiple spreadsheets.
• Qtier-Rapor uses a number of graphical
techniques to help developers during the
processes just outlined. These are
functional rather than sexy. For example,
Qtier’s workflow capabilities are based on
relatively simple flow diagrams.
• Qtier-Rapor includes facilities to ensure
segregation of duties between authors
(process owners), editors, (internal)
auditors and end-users.
• One feature of Qtier-Rapor that we have not
seen elsewhere is the ability to print
authentication codes on printed
spreadsheets so that you know that you are
dealing with authorised information.
Qtier-Rapor
Fast facts
page 70
The bottom line
Vendor information
Spreadsheet applications are widely used and
deployed across organisations and enterprises
of all sizes and types. However, such
applications are often developed in an ad hoc
manner and without the disciplines that would
be applied to applications developed within the
IT department. As a result, such applications
are prone to errors, often lack proper security
controls, are difficult to audit, and may not
comply with appropriate regulations. With the
possible exception of the last of these points,
all of the others can cost the business
considerable sums of money: if you have
errors in your spreadsheets then you are
potentially making incorrect business
decisions based on faulty data; if you lack
security then you open yourself up to the
possibility of fraud; and if applications are
difficult to audit then your auditors will charge
you more. All of this means that it would be
preferable to treat spreadsheet applications
as corporate resources that are managed just
like any other applications used within the
organisation. This is what Qtier-Rapor
provides, and without the end user seeing any
difference in the Excel environment with which
he is familiar.
Qtier is a UK-based specialist development
company, founded in 1999. However, it was not
until 2002 that the company introduced its
product, with early adopters taking the
product the following year. This actually
makes the company one of the pioneers in the
enterprise spreadsheet management market.
As a small company, Qtier primarily focuses
on research and development and support,
while relying on third party distributorships
for sales purposes. The company has such
distributorships in the United States,
Australia, Finland and Eire, with the last two
of these acting as regional bodies that cover
Western Europe between them, managing
local resellers. Qtier-Rapor’s user interface is
available in German, French and Italian as
well as English, and it is currently being
translated into Finnish.
Most vendors in the enterprise spreadsheet
management market have focused on control
and compliance and/or auditor’s tools that do
not have facilities for automating the
development process of spreadsheet
applications. In our view, the sort of
automated approach provided by Qtier is to be
preferred. Not only does it make the
development of spreadsheet applications
faster and the results more reliable and
secure, it also reduces the need for control
and compliance (though that is provided by
Qtier as well) and auditor’s tools, because of
the inherent controls built into the Qtier-Rapor
development environment. We believe that
there is a growing appreciation within the
market that automation is the best direction to
move in for spreadsheet management and
Qtier is very well placed to take a leadership
position in this market, as it matures.
Qtier-Rapor is currently in version 2.3 release
8 but version 2.4 is scheduled for release in
April/May 2007. Qtier-Rapor is .NET based and
supports versions of Excel that have a similar
underpinning, so versions of Excel currently
supported are Excel 2000 and Excel 2003.
While perfectly understandable this is
unfortunate for Qtier as many users continue
to employ Excel ’97. Excel 2007 support,
together with Microsoft Vista support, is
scheduled for version 3.0, which should be
available mid-2007.
Qtier requires a database (for storing
spreadsheet process versions and so forth)
and it will run with SQL Server, Oracle, MySQL
or Microsoft Access. For accessing other
databases, Qtier-Rapor supports both OLE DB
and ODBC. All users are supported on
Windows NT and later (but not Vista yet, as
noted) and end users may also run Windows
98. Web servers running ISS 4 or above are
supported.
Qtier’s various facilities are aimed at either
developers or end-users (although typical
sales targets are the owners of relevant
business processes) and its has different
licenses for each of these roles. Typical site
license fees would be in the mid to high five
figures (in dollars). The company has over 50
customer sites using the software across
Europe.
Qtier web address: www.qtier.com
Qtier-Rapor
Product information
In practice, there are three elements with
Qtier-Rapor. The first of these is the
development environment, which the company
refers to as Work-in-Progress (WIP), and this
is actually broken down into two areas: access
to data and development itself. Then there is
the deployment environment, and it is
important to understand the distinction
because, for example, the version control
applied to WIP spreadsheets is different from
the version control employed when
spreadsheets are live: the latter is, at least
partly, about compliance while the former is
more about development best practice.
Finally, there are the additional control and
compliance elements within the product.
We will discuss the product under each of
these headings.
Figure 1: The Catalogue Designer within Qtier-Rapor
page 71
Accessing data
Accessing data in Qtier-Rapor is based on
connections and catalogues. In the case of the
former you simply tell the system which
databases you are collecting data from,
whether you are using OLE DB or ODBC for
that purpose, and what security you want to
apply to that connection.
A catalogue, in Qtier terms, is a simplified
view of the database tables you are accessing.
Figure 1 shows the Catalogue Designer within
Qtier-Rapor, which shows tables associated
with the Forecast table together with (at the
bottom) the relevant calculations for
calculated fields. Now, that’s fine as far as it
goes, but it is not very easy to work with. What
the Catalogue Designer does, in effect, is to
merge one or more
related tables into a
single table view, which
can then be accessed
from any spreadsheet
process. The big
advantage of
constructing this
catalogue is that it
makes it much easier
to understand from a
developer’s perspective
(you can apply
selection and filtering
criteria directly to a
catalogue) and it is
much easier to apply
security controls with
respect to which pieces
of data that a particular
user (or someone with
his role) is allowed to see or amend.
In so far as the delivery of data is concerned,
Qtier supports (see later) the notion of realtime delivery of data to spreadsheets.
However, this can be costly in its impact on
front-office systems so Qtier Rapor supports
caching for semi-static data. That is, for data
that changes daily, say, rather than minute by
minute, you can schedule data extraction
routines overnight (for example) and then
cache this information to be used alongside
dynamic data. What this means is that only
very rapidly changing data needs to be
retrieved in real-time from front-office
environments, thereby minimising the impact
on those systems.
Finally, all data that is created within the
Qtier-Rapor environment, or maintained within
it, can be stored in what the company refers to
as the ‘user defined database’, thus
eliminating the need for manual data
manipulation and consolidation tasks. This
runs on either SQL Server, Access, My SQL or
Oracle and ensures a secure and formally
organised environment.
Qtier-Rapor
Product information
page 72
Development
The fundamental point about Qtier-Rapor is
that it applies the disciplines of conventional
approaches to application development to the
construction of spreadsheet applications,
thereby ensuring that they are properly tested,
documented and controlled in a way that is by
no means always the case. As with
conventional development environments,
there are various stages in the development
process. Qtier categories these into three
main areas of automation, which it treats
separately: steps, tasks and workflow.
In so far as steps are concerned, there are two
main elements to this, as follows:
1. Steps—these represent individual
procedures that need to be handled, such
as populating a spreadsheet with data,
writing information for the spreadsheet
back to a source database (where that is
allowed), applying validation routines and
so forth. So, to populate a spreadsheet with
data, as an example, you would define a
step that retrieves the relevant data, based
on the catalogue that was discussed in the
previous section.
2. Step sequence design—steps can be
combined into sequences that can then be
associated with particular events, such as
opening or closing a spreadsheet. So, for
example, when a user wants to open a
spreadsheet, the first issue would be
whether s/he has relevant security
clearance and, if that is the case, then you
would open the spreadsheet and populate
it with data. Note that you can embed
decision logic within a step sequence: if the
user has relevant permissions s/he gets to
see (at least) the spreadsheet, but
otherwise will get an appropriate message
that they are not allowed to see the
spreadsheet. Similar logic could be used,
for example, to force users to enter a note
explaining any changes they make to the
spreadsheet or to raise alerts.
Tasks are a little more complicated in that
they relate to application processes and are
used to enable the consolidation, distribution
and scheduling of spreadsheet processes. An
example, which illustrates the Process
Sequence Designer, being used to define the
Figure 2: The Process Sequence Designer
task that is needed to publish weekly forecast
charts, is shown in Figure 2. Although this
example involves multiple spreadsheets,
tasks may also be applied to actions that
pertain to a single spreadsheet. As with steps,
logical criteria can be included in tasks, which
may be based on run-time parameters or be
integrated with the product’s workflow
capability (in both cases: see later). Processes
may also include links to external (related)
documents and the running of macros, VBA
procedures, plug-ins and so forth. Also note
that if real-time data is not needed for this
particular spreadsheet or application then
tasks can be used to schedule the production
of spreadsheets at appropriate times.
One feature that is not built-in to the product
that we would like to see, is the automated
generation of alerts. For example, if you are
using spreadsheets for budgeting then you
will need input from various parties in order to
complete the process. This needs to be a
formally scheduled process and you would
like to send reminders (via email or otherwise)
to your colleagues that have not sent your
figures on relevant dates. Now, you could
build this using tasks and there are traffic
lighting facilities in Qtier-Rapor to alert you to
the fact that figures are due, so you could
build this sort of functionality. However, since
it is a rather common requirement it would be
nice if there was a built-in feature to easily
enable this.
Qtier-Rapor
Product information
Workflow is used to define the order in which
spreadsheet processes should run and to
determine any necessary dependency checks
(that is, in case any upstream processes need
to be completed). For this purpose, Qtier uses
a flow diagram rather than the icons that you
might expect from a specialist workflow
vendor but this is probably visual enough in
this particular instance. In fact, Qtier also uses
flow diagrams in a number of other areas. For
example, Figure 3 shows the Step Sequence
(see above) Designer, here being used for data
validation. Relevant messages will be
presented to the user if a validation rule fails.
The same would apply if a dependency check
associated with a workflow failed. Note that
workflows can also be used to enforce
segregation of duties. That is, during
development, best practise is to have distinct
roles for the author, editor and (internal)
auditor of spreadsheets, who need to sign-off
on the correctness of spreadsheets during the
development process. The nature of the QtierRapor environment automatically enforces the
separation of these roles from that of the enduser.
Deployment
Regardless of whether spreadsheets are
produced live or are scheduled for production
at particular times, they may be subject to
run-time criteria. Thus each potential user,
depending on his or her role, may have a
different set of parameters that apply to the
population of those spreadsheets, so that each
user sees just what is needed, and has
relevant capabilities to interact with the
spreadsheets, as necessary. In practice, what
this means is that you have a single master
copy of a spreadsheet (held in a secured
central repository) but many different versions
of that spreadsheet ‘template’ may be
populated at run-time. This has significant
benefits in terms of the management and
auditing of spreadsheets because you do not
have lots of copied and amended versions of
the same spreadsheet scattered around the
organisation, which is typical of many
organisations.
Two additional capabilities that are provided
are web-enabled spreadsheets and an ad hoc
query capability. In the case of the former, all
page 73
Figure 3: The Step Sequence Designer
Qtier-Rapor processes and user menus are
web-enabled as are functions such as the use
of run-time criteria and the application of
security. In other words, no web development
skills are needed by spreadsheet designers,
as this is managed automatically by the
software.
As far as ad hoc enquiries are concerned, the
Qtier-Rapor end-user interface has a query
and reporting tool built into it and users can
employ this to create their own queries
against the catalogues (and data therein) for
which they have appropriate permissions.
Finally, one particular noteworthy feature that
fits within the area of deployment (and
compliance) is that Qtier-Rapor can be set to
automatically generate authentication codes
that will be printed on any spreadsheet where
a hard copy is required. A typical
authentication code, which is unique for each
instance, might look something like: ‘Ó¨Qtier
Ra-pöÅ• LogID: 2652Ó¨”. There is also support
for cell authentication stamps (using check
digits), to certify the validity of data. These
codes may include a corporate logo, if
required.
Qtier-Rapor
Product information
Control and compliance
While we have already mentioned a number of
aspects of control and compliance there are a
number of elements in this area that we have
not discussed. However, before doing so it is
important to note that Qtier’s perspective is
that spreadsheets need to not just be
monitored (compliance) and an audit trail
produced, but that relevant controls also need
to be put in place so that only authorised
people may do authorised things.
On the control side then, the first thing to
appreciate is that Qtier-Rapor allows you to
define the environment that must apply to
each spreadsheet. This involves ticking boxes
as to which controls are to be applied to any
particular spreadsheet where some of these
controls are supplied out-of-the-box by Qtier
but you can also define your own using the
development facilities described earlier.
Typical controls might be: that new processes
must apply compliance rules; that auditors
are not allowed to edit this spreadsheet; that
comments are required whenever a change is
made; whether the owner of the spreadsheet
is allowed to audit it; whether process
descriptions are required; that the root folder
must be used for the workbook location; and
so on. In addition, you can also define rules
that apply to workbook settings such as the
ability to insert default values, whether
compliance values can override defaults, if
‘save as’ is permitted and so forth.
page 74
The other side of the control equation is
security, which is role-based (either by
individual or group). The product provides
synchronisation with Microsoft’s Active
Directory. As you might expect, you can hide
columns or rows, define cells as read-only,
and so forth. There is also anti-tampering
support that can be applied whenever a
spreadsheet is opened, closed, saved or
printed.
As far as compliance is concerned, there is a
distinction within the product depending on
whether you are in the WIP environment or in
the deployment environment. This makes
sense: end users almost certainly will not be
allowed to amend formulae or add macros or
make any other structural changes to a
spreadsheet, so you don’t need the same level
of management control. So, for example,
within the WIP environment this has built in
version control with new versions being
created automatically for you, whereas in the
live environment there is simply the ability to
take a snapshot of a particular spreadsheet.
One feature that isn’t in the WIP environment
is check-in/out: if you start work on a
spreadsheet the software will tell you if
someone else is already working on it but it
won’t prevent you from doing so too.
As you would expect, there is an extensive
audit trail and there is the ability to open and
compare spreadsheet versions within the
Awaiting Audit WIP development cycle, though
this does not include comparison of any
associated macros.
Qtier-Rapor
Summary
Qtier’s biggest competitors are not other
vendors but a) a failure of awareness, in some
companies, that the use of spreadsheets
presents any sort of an issue; b) that if there is
an issue then we should get rid of
spreadsheets altogether; and c) that if there is
an issue and we don’t think we can get rid of
spreadsheets then I can fix it by using some
control and compliance and maybe some
auditor’s tools. The first of this has his head in
the sand, the second is unrealistic and only
the third starts to address the issue. However,
as long as the development of spreadsheets,
and particularly spreadsheet applications, is
left in the hands of user departments who
have often very little formal training in the use
of spreadsheets, then there will continue to be
ongoing problems. In our view, spreadsheets
should be treated as a corporate resource and
the development of spreadsheet applications
should be managed just like any other
development process. Qtier-Rapor enables
this and, as more companies do so too (a
process that seems to be happening faster in
Europe than in the United States), then we
expect Qtier to capitalise on this trend.
page 75
Risk Integrated Enterprise Spreadsheet Platform
Fast facts
Key findings
Risk Integrated is a consulting company that
specialises in financial risk assessment and
management, particularly in the banking and
financial sectors. Because many organisations
within this sector use spreadsheet models
from such things as deal structuring or real
estate modelling the company has developed
software, known as the Enterprise
Spreadsheet Platform (ESP), in order to assist
its clients.
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
Risk Integrated, coming as it does from the
perspective of risk management, takes a
somewhat different approach from many
other companies addressing the question of
enterprise spreadsheet management. It takes
the position that in the markets at which it is
aimed, the developers of spreadsheet models
are not only skilled in the use of Excel but that
there are appropriate mechanisms in place to
ensure that spreadsheets are adequately
tested and checked prior to deployment. What
ESP aims to do is to take the risk element out
of the equation in so far as users of those
spreadsheets are concerned, both in terms of
data entry and deployment.
Note that ESP is neither a compliance tool
(providing detailed audit trails and change
tracking and/or management) nor an auditor’s
tool (for error detection, spreadsheet
comparison and so forth). It is complementary
to both of these types of products.
ESP separates end users from the logic built
into the spreadsheets that they are
(unknowingly) using. This significantly reduces
the risk of both errors and fraud.
Through support for message queuing, Risk
Integrated aims to automate the input of data
into spreadsheets as much as possible. Where
that it is not possible it generates web forms
that users employ to enter data.
All cells that require user data entry are given
a descriptive name to make life simpler for
users. The software understands these
descriptions so that spreadsheet cells are
always populated from the correct fields in the
web form.
ESP also separates output from spreadsheet
logic. Rather than issue spreadsheets to
users, ESP allows you to generate customised
reports from its environment. This means that
users never have access to formulae,
calculations or data that you wish to keep
private.
Bottom line
As far as we know, ESP is unique in the
marketplace: it is the only vendor that comes
at the problem of spreadsheet management
specifically from a risk perspective. Certainly
there are other products that include risk
management capabilities but these tend to
come at the issue from the perspective of the
status quo: that is, “we have a risk issue so
let’s manage it”, whereas Risk Integrated’s
approach is more one of “we have a risk issue,
let’s prevent it”. While the product is focused
specifically at a particular niche market
(primarily, but not exclusively, in financial
services) this does not mean that this is a
small market and we expect Risk Integrated’s
proactive approach to risk management to
prove attractive to a significant subset of that
market.
page 76
Risk Integrated Enterprise Spreadsheet Platform
Vendor information
Product description
Risk Integrated was established in 2000 as a
pure consulting company and started the
development of the ESP product in 2002. It
does not typically sell ESP as a stand-alone
solution but usually tailors it for individual
clients. Typical charges for an engagement
specific to ESP would be in 6 figures.
The way that ESP works is that super-users
and experts with appropriate authorisation
develop Excel spreadsheet models in the way
that they always have and then load these into
the ESP system. What happens is that these
spreadsheets, or existing spreadsheets that
have been loaded, together with all of their
inputs, formulae, outputs and so forth, are
encapsulated within a C++ wrapper. From this
a web form is generated for manual input of
data, while the software uses XML and support
for message queuing software to obtain data
that can be feed directly into the spreadsheet
from external sources such as databases,
stock feeds and so forth. In general, Risk
Integrated would recommend (and so would
we) that the more input data can be automated
the better.
The company is privately owned and funded
and it has offices in both the UK and United
States. As it uses an associate model we
cannot be precise about the number of
employees but it is between 10 and 20.
Web address: www.riskintegrated.com
As far as user input is concerned a web form
that simply asked for ‘column 4, row 3’ would
not be much use, so as a part of the process of
generating the web form, each cell is a given a
descriptive name. Note that the layout of the
web form can be customised and it does not
have to match that of the spreadsheet. As the
software knows which name refers to which
cell it will automatically insert the data from
the correct field on the web form. Note that
any rules applying to the relevant cell (such as
a range check) will also apply to the form.
On the deployment side ESP provides a similar
separation between logic and output. Rather
than send reports in spreadsheet format, ESP
supports the ability for you to produce
customised and date stamped reports that
provide the user with the information that he
needs to know but without the formulae,
calculations and data that you wish to keep
private.
Summary
ESP does not remove risk entirely: the developers of spreadsheets are still exposed to it and,
despite the use of descriptive names for data entry fields, you can never ensure that there will
never be data entered into the wrong field. However, ESP does significantly reduce risk by not
exposing end users, either at the input or reporting level, to the spreadsheet per se. This
means that you cannot get (via end users) transposition errors, you cannot get cut and paste or
zeroing errors, you reduce, if not eliminate, the possibility of fraud, and so on. Given the
potential costs (see www.eusprig.com) associated with spreadsheet errors this is a significant
advantage.
page 77
ROISoft ExSafe
Fast facts
There are three distinct types of product
aimed at the spreadsheet management
market: development automation tools,
control and compliance tools, and auditor’s
tools. The first of these are about automating
the development process for spreadsheet
applications but are limited to providing
management capability for new spreadsheets
only. On the other hand, both control and
compliance, and auditor’s tools, are about
managing existing as well as future
spreadsheets. That said, auditor’s tools are
focused almost exclusively on finding errors
and don’t do anything for security or auditing
and version control. That’s why they cost a few
hundred dollars rather than the hundreds of
thousands or more than you can spend on full
control and compliance tools (which often
include auditor’s tools as well). ExSafe from
ROISoft is a control and compliance product.
However, not all control and compliance
products have the same perspective on the
market. There are some that are focused on
monitoring what the user does and there are
others that emphasise compliance with
specific regulations, particularly SarbanesOxley. ExSafe, on the other hand, comes from
the point of view that the first thing that needs
to be done with spreadsheets is to provide
security and then you can build control and
compliance on top of that, rather than the
other way around. ExSafe, then, is a control
and compliance tool with security at its heart.
page 78
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• Security is implemented down to cell level
with access permissions and rights defined
at that level (or higher). In order to minimise
the administration required, inheritance is
implemented.
• Spreadsheets are stored centrally in a SQL
Server database and are encrypted. This
removes the potential dangers of users
emailing spreadsheets to non-authorised
users or of temp files created by Excel after
a crash, because the spreadsheets will not
be readable by non-authorised users.
• ExSafe provides a complete, time-stamped
audit trail of all changes made to a
spreadsheet including attempted (but failed)
changes—we especially like this last
feature.
• Cell-level version control is included within
the product.
• ExSafe facilitates the segregation of roles
(owners, editors, users and so on) and has
specific features supporting ‘ownership’.
• As a first release it is perhaps not
surprising that some features of more
mature products are not yet available within
ExSafe. For example, there are no facilities
to help you to compare spreadsheets or to
investigate the relationships between
spreadsheets.
• There are built-in discovery features within
ExSafe (which will also discover Word and
PowerPoint files), as well as an open API.
The bottom line
ExSafe provides compliance through its audit
trail, it controls the environment through
which you can use spreadsheets and it
provides exemplary security capabilities.
Where it lacks features (not surprising in a
first release) are in ancillary areas such as
auditing (for example, comparing
spreadsheets). As these requirements can be
met through the use of third party tools that
cost no more than a few hundred dollars, this
is not a major issue and should not hold the
company back. It is, of course, too early to
form firm conclusions about ROISoft in a
market that is becoming increasingly crowded
but we do like the way that it has approached
security in particular and its initial sales bode
well for the future.
ROISoft ExSafe
Vendor information
ROISoft is an Irish firm that also has offices in
the United States. It was established in 2005
and is privately funded though with backing
from Enterprise Ireland. The first version of
ExSafe was launched at the beginning of
December 2006 though the company has been
in ‘stealth’ mode until just recently.
Nevertheless, it has managed to acquire two
major investment banks as customers
already. Typical prices for a complete
company-wide installation would be in 6 or 7
figures.
ExSafe is Microsoft certified and leverages
Windows Server 2003, SQL Server 2005 and
Microsoft Active Directory for role-based
security. It supports versions of Excel from
2000 onwards, including Excel 2007. An offline
feature of the product is available that allows
you to work in disconnected mode with
automated synchronisation once a connection
is re-established.
ROISoft web address: www.roi-soft.com
page 79
ROISoft ExSafe
Product information
page 80
As previously discussed, ROISoft has come at
the issue of control and compliance from the
standpoint of security in the first instance and
we will therefore discuss these security
capabilities first before proceeding to consider
the product’s control and compliance
features.
Security
Some of the security features you require in
an Excel spreadsheet are obvious: for
example, you want to be able to control who
can see what, who has editing permissions
and so on. Further, you want these facilities
down to cell level and you want them by
function. For example, a particular user might
be allowed to update an input cell but not be
permitted to edit a formula. Examples of how
ExSafe implements these capabilities are
illustrated in Figures 1 and 2.
In addition, where users have read-only
access to some fields but update capability
with others, then you would like the different
cells colour coded or with some other
appropriate indication as to what this user can
and can’t touch. In Figure 3, for example, the
red cells can neither be read nor written while
the green cells may be read but not updated.
All of these sorts of features you would expect
from any control and compliance tool and
ExSafe is no exception in providing these. In
particular, ROISoft applies what it calls
Prescriptive Cell Security (PCS) whereby
passwords and user-defined permissions are
all applied at the cell level.
Now, this might be thought to imply that there
is a heavy administrative overhead in defining
such a granular level of security (and security
can also be implemented at the sheet and
range levels). However, the security
mechanisms in place are defined at the folder
level and can then be inherited. This means
that you only have to define the differences
that pertain to any particular individual with all
other permissions being held in common: thus
the administrative overhead is significantly
reduced.
Figure 1: Workbook permissions
Figure 2: Cell and Range permissions
However, there are also more complex
security issues involved in spreadsheet
management. Two such are the issues of
emailing spreadsheets to colleagues and what
happens when Excel crashes. In the first
instance, the practice of emailing
spreadsheets to colleagues is potentially
dangerous, and represents a potential security
breach, if they can then open and use that
spreadsheet willy-nilly. In the second case a
similar problem potentially arises because
Excel will attempt to recover your files if it
crashes. In particular, it will create a temp file
that anyone can read.
Figure 3: Cell and Range colour coding
ROISoft ExSafe
Vendor information
page 81
In order to avert both of these potential
breaches of security, ExSafe automatically
encrypts all spreadsheet data, even to the
extent that those temp files will be encrypted.
This means that unless you log on to ExSafe
and unless you are an authorised user thereof,
you will not be able to read any of the contents
of any spreadsheet, whether recovered or
original. In order to enable this, all
spreadsheets are stored centrally in a SQL
Server database, where the audit trail (see
next section), as well as all security details,
are also held.
Control and compliance
While the security features in ExSafe as are as
advanced (and often more so) as any other
vendor’s in the market it is perhaps not
surprising, given that this is a first release,
that it is perhaps not quite as advanced in
terms of control and compliance features.
Nevertheless, all of the basics are in place,
notably full auditing, auto-discovery and
version control.
Auditing does what it says on the tin in that it
provides full cell-level auditing of all changes
(whether to data, formulae, macros or
whatever), who made those changes, and with
a timestamp for the time of the change as
opposed to when the spreadsheet was saved,
as illustrated in Figure 4. The spreadsheet
‘owner’ can also optionally enforce the entry
of an associated note when the spreadsheet is
being saved (for example, you have changed a
figure in your budget—why?). One feature we
particular like is that the software will also
record attempted (but failed) changes.
In the case of Discovery, this allows for
automated discovery of all the spreadsheets
that exist within a particular domain. In
addition, you can apply rules during the
discovery process that should enable the
ranking of spreadsheets in terms of the risk
they pose to the business, either because they
Figure 4: Cell level auditing in ExSafe
fall under regulatory control (such as a
Statement of Earnings) or because they
represent mission-critical applications. This is
important because large corporations will
have many spreadsheets that they need to
bring under management and it is likely that
they will wish to do this in an iterative manner,
beginning with those spreadsheets that pose
the greatest risk. However, the other half of
this risk assessment relates to the complexity
and size of the spreadsheet (the more of either
and the greater the risk of errors) and, lacking
auditing tools within ExSafe, this part of the
risks assessment equation will be limited at
best.
Finally, in so far as version control is
concerned, it is worth noting that Microsoft
SharePoint 2007 now offers complete version
control at the document level. However, it
does not offer version control at any lower
levels and certainly not at the cell level, which
is what you need if you are to have proper
management control of the environment: this
is what ExSafe provides.
ROISoft ExSafe
Product information
Summary
ROISoft is a new entrant to the enterprise
spreadsheet management market and there
are a number of incumbent vendors with
which it will directly compete that already
have substantial user bases. In order to
compete effectively it needs to offer
something different over and above the
facilities offered by this competition. This it
has done by focusing on security. In addition, it
is aided by the fact that these competitors are
all US-based and have little or no European
presence. However, neither of these factors is
likely to give ROISoft an advantage for long,
particularly if these rivals see ROISoft being
successful with its security message (which
would not be surprising given that the vast
majority of frauds are perpetrated by
authorised users).
ROISoft therefore has a window of time in
which to establish itself as a major contender
and, as is often the case, this will depend as
much on the company’s marketing efforts as
the technical excellence of its product. The
company has got off to a good start; we will
watch its future development with interest.
page 82
Sheetware XLSpell
Fast facts
The market for providing complementary
products to Microsoft Excel comes from two
directions: business intelligence vendors
aiming to provide additional functionality,
especially in the area of automation and
development; and a second group of suppliers
that address this market from the perspective
of governance and compliance, providing the
auditing, security and control that is lacking in
Excel. In this latter category there are two
broad categories of products: control and
compliance tools and auditor’s tools.
Sheetware’s XLSpell is a suite of tools that
addresses the auditor’s market.
Note that auditors in this context covers two
distinct functions. In the first instance, best
practice in the development of spreadsheets is
for a segregation of roles between the author,
editor and auditor of spreadsheets, where
auditor in this context refers to a function that
is internal to the company. Needless to say,
auditing is also an external function. In fact,
XLSpell is suitable for use by both internal and
external auditors. However, a further point to
appreciate is that the more internal processes
in place (such as the segregation of roles) to
ensure the validity of your spreadsheets then
the less work will be required by external
auditors and the lower their resulting fees. In
other words, implementing internal auditing
processes will save money not just because
you are basing your decisions on more
accurate and reliable information but also
through reduced annual fees.
Specifically, the XLSpell suite includes tools
for formulae checking, sheet comparisons, a
sheet mapping tool that allows you to see the
structure of your spreadsheet, a drill-down
capability that allows you to see where data
has come from, a number finder, and a tool for
boosting the performance of spreadsheets.
Each of these capabilities is available
separately as well as within the suite.
page 83
The bottom line
From an enterprise perspective XLSpell
should properly be considered as a suite of
tools and utilities, primarily focused on
detecting errors (though the performance
module may also prove to be of interest) and
auditor functions. Given the potential costs
associated with spreadsheet errors, which can
be very substantial (see www.eusprig.com),
these relatively inexpensive tools should pay
for themselves in short order.
Vendor information
Sheetware is a small, privately financed
company based in the UK. It was founded in
2002 and released XLSpell in a beta version in
2004. The product suite is now in version 1.2
and it currently runs with Excel 97, 2000 and
XP. As previously stated you can licence each
of the individual modules of the suite
separately. Indeed, the company’s biggest
seller is the individual product, XDrill.
Sheetware’s primary target is SMEs and
departments of larger organisations.
Primarily, the company sells through its web
site, where the products are available for free
30-day download or, because the products are
relatively inexpensive ($199 for a single
business user for XLSpell, $309 for a small
business version – 6 users – of XDrill) you can
licence them directly from the web site. Free
versions of the software are offered to
registered charities. The company also has a
UK-based distributor.
Sheetware web address: www.sheetware.com
Sheetware XLSpell
Product description
page 84
As previously noted, XLSpell consists of a
number of modules and we will discuss each
of these separately. However, as the products
most likely to be of interest to enterprise
users we will focus primarily on XDrill and
XLMapper.
XDrill
Put simply, XDrill answers the answer, “where
does that number come from?” You start by
clicking on the cell you are interested in, or on
a chart item, and the XDrill menu will come up,
offering you options such as the ability to
simply drill from this point, or drill directly to
inputs or to trace errors. You can also define
the depth to which you want to drill and what
links you want to use, as illustrated in Figure 1.
Once you actually activate the drill-down
process the software will bring up the relevant
details, with the calculation path (which will
include details from different sheets or
workbooks automatically, if that is necessary)
for that cell highlighted in bold text, as
illustrated in Figure 2. Inputs and errors are
also indicated, using colour coding. Further,
should you make any change in the original
spreadsheet then this will be dynamically
reflected within the drill-down window so that
you can see the impact of changes. For
example, if you changed the highlighted cell
“Remaining life of opening asset” from 24 to
12 then the “Profit before Tax” entry in the
drill-down window would change to 5,925.
Another feature of the software is that you can
opt to hide zeros, blanks and precedents that
don’t contribute to results. You can also
choose to show only those cells in lookups or
large sums that actually contribute to the
results. For example, if you have a LOOKUP
function that looks at a list of 100 cells and
picks one, XDrill can be set to only show you
the one number that is picked, but you can
display all 100 cells if you wish.
Finally, in so far as the trace errors option is
concerned, effectively the same sorts of
facilities are provided except that there are
also facilities to run ‘what-if’ and sensitivity
analyses.
Figure 1: Options for defining drill down parameters
Figure 2: Drill down results for selected cell
Sheetware XLSpell
Product description
page 85
XLMapper
Whereas XDrill tells you about the
antecedents of a particular cell, XLMapper is
concerned with the structure of the
spreadsheet as a whole. Similarly, where
XDrill is primarily an auditor’s or accountant’s
tool, XLMapper is more suited to the IT
department or to a business analyst,
particularly when it comes to discovering
errors. For example, Figure 3 shows an
illustration of XLMapper in use. Here, this is
displaying a conventional spreadsheet but with
the application of XLMapper. The cells shown
in grey are those that are copies of their
neighbours, while those highlighted in green
are not. So, cell G12, for example, has a
different formula to G11, and G13 is a change
again. This perhaps suggests that G12 is in
error (and G13 is correct). Note too, cells B10,
11 and 12. What happened to Cost 3?
In other words, XLMapper highlights changes
in formulae. Some of these will be expected
but others will be unexpected and it is these
latter that you are likely to be interested in.
Note that you can customise the colour coding
to your own liking. Alternatively, there is also
a text option which will display various
symbols (notably ‘F’ instead of green) in the
various cells of the spreadsheet.
You can make changes directly in your
spreadsheet when using XLMapper or the
software will create a copy for you to which
you can make appropriate corrections. A
useful feature would be the ability to tell the
spreadsheet (subject to authorisation) that
particular details are correct so that they do
not continue to be highlighted by XLMapper.
For example, suppose that it is correct that
only Costs 1, 2, 4, 7 and 19 should be included
in this spreadsheet, then it would be useful to
be able to turn off highlighting. In the absence
of this feature it would be good practice to
append a note to these cells to the effect that
these cells are correct, perhaps with an
appropriate explanation.
Other software
XLSpell includes a number of other tools, as
follows:
• Spreadsheet “Spell Checker”—this is a
further error checking tool, which is used to
check whether formulae or charts refer to
the correct cells. It assesses each formula
and chart against a list of rules that are
designed to catch common spreadsheet
errors. Potential problems are reported in a
similar way to spelling mistakes in Word,
providing a familiar interface for users.
Figure 3: XLMapper in use
• Sheet comparison tool—this is another tool
that will be of interest to enterprises, which
does what its name suggests: allowing you
to compare spreadsheets to detect any
differences between them.
• Performance tool—XLSpell has a facility to
work out the best order in which
spreadsheet calculations should be made in
order to optimise performance and it can
also automatically re-arrange sheets with
the same aim in mind. There are also
facilities to show you how long each sheet
takes to calculate and you can also look at
blocks of calculations in terms of
performance.
• Number finder—this tool allows you to
search for any instance of a particular
value, or a range of values, across a
spreadsheet. You can also look for
combinations of numbers that add up to a
specific total, or approximately a specific
total. For example, you can ask to see ‘all
combinations of 3 numbers that add up to
60, plus or minus 1’. One common use is
where a balance sheet does not balance;
the number finder will check to see what is
being missed.
One further Excel product is offered by
Sheetware that is not part of XLSpell, which is
ExcelFIX. This restores damaged or corrupt
Excel files that cannot be opened. This product
works with any version of Excel from 95
onwards, except that 2007 is not yet
supported.
Sheetware XLSpell
Summary
Leaving aside business intelligence based
extensions to Excel, there are two approaches
to compliance and error checking for
spreadsheets: you can licence a complete,
integrated suite or you can use individual
products for specific functions. The former
tend to be expensive, typically running into at
least five figures and often six or seven. An
approach based on point solutions may
therefore be more cost effective in this
particular instance. Sheetware offers useful
facilities that are inexpensive, and which are
certainly worthy of consideration.
page 86
eXpresso
Fast facts
The market for spreadsheet management
solutions is broadly split into four areas:
monitoring tools, which audit what anybody
does to any spreadsheet at any time; control
and compliance tools that extend monitoring
to include security and management of who is
allowed to do what; auditor’s tools that allow
you to compare spreadsheets, detect errors in
formulae, find out where data came from and
so on; and automation tools that provide
controlled development environments for
creating new spreadsheet applications (but
only new applications—no facilities are
provided for existing spreadsheets).
eXpresso falls into the monitoring, control and
compliance categories though it also has the
ability to compare spreadsheets. However,
where it differs from other products in the
spreadsheet management market is that it
provides on-line, real-time collaborative
capabilities for the use and management of
spreadsheets. In addition, it is the first product
in this sector (as far as we know) to be offered
as a service.
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• eXpresso controls all relevant spreadsheets
through a secure, centralised database and
the user interfaces with Excel through a
web browser.
• eXpresso does not provide facilities for
discovering existing spreadsheets so you
will need to tell the software which
spreadsheets to upload. There are also no
facilities provided for assessing the risks
associated with any existing spreadsheets.
• Full version control and an audit trail
(including detailed cell history reports) are
provided.
• By default, all spreadsheets are locked for
use against everybody except the ‘owner’.
However, the owner can invite contacts to
share a spreadsheet with the owner
applying relevant locking criteria down to
cell level.
• Using eXpresso, shared users of a
spreadsheet can exchange notes and there
is also an on-line chat facility. There is also
an alerting capability, which means that you
can get the software to automatically send
you a notification when a relevant event,
such as a cell change, occurs.
page 87
• There are no workflow capabilities in the
product and nor are there any specific
facilities for designing approval processes.
However, we are pleased to hear that these
capabilities are on the product roadmap for
a future release.
• There is an automated facility to convert
spreadsheets from one format into another.
This will be particularly useful when you
exchange information with third parties via
spreadsheets. We have not seen any other
product with this capability.
The bottom line
While there are certainly facilities in other
products that eXpresso lacks, this is perhaps
not surprising in a first release. More to the
point, there are significant capabilities in
eXpresso that other offerings do not have. In
particular, no other vendor (at least that we
are aware of) has any collaborative
capabilities for sharing spreadsheets and we
are similarly unaware of any other product
that can provide the automated conversion of
spreadsheets that is provided within eXpresso.
So, there are technical benefits, as well as
drawbacks, to the eXpresso offering. That is
almost beside the point. The big advantage
that eXpresso offers is that it is available as a
service à la Salesforce.com. Given that leading
control and compliance tools typically cost six
to seven figures for enterprise-wide
implementation, the ability to implement
eXpresso for a much lower monthly charge
and on an incremental basis is potentially
compelling. Moreover, it is the only vendor in
this market to have such an offering at
present. As a result, we believe that eXpresso
has the potential to become a major player in
this market within a very short period of time.
eXpresso
Vendor information
page 88
Background information
Product availability
eXpresso is a new Software as a Service
(SaaS) offering from SmartDB Corporation,
which was founded in the mid nineties and is
privately owned with venture capital backing.
The company has historically specialised in
data integration (particularly, in the early days,
on ETL—extract, transform and load) for
Oracle environments. Today, its leading
product is SmartDB Workbench, which
provides a variety of tools for developing,
testing and deploying adapters that can be
used to integrate Oracle with other
environments, especially legacy mainframe
environments. The company also markets a
suite of pre-built ‘intelligent’ adapters and a
special-purpose environment for companies
wanting to migrate from PeopleSoft to Oracle
environments.
eXpresso is in its first release (June 2007)
although the platform it has been built upon is
actually three years old as it was originally
designed for another project. eXpresso is
available both as a service (SaaS) and via an
enterprise license, though the company’s
main focus is on the SaaS offering.
The company is US-based and uses
distributors in Europe. It has customers in 20
countries.
SmartDB web addresses
www.smartdbcorp.com
The product works with versions of Microsoft
Excel from Excel 2000 onwards and requires
the use of an Oracle database for the
enterprise version (it will be transparent to
SaaS users). In theory the product should run
on top of any relational database so the
company will consider porting it to, say, SQL
server or DB2 if there is sufficient demand at
the enterprise licence level.
The company plans to add comparable
facilities for managing and sharing Word
documents and PowerPoint presentations, at
some point in the future.
eXpresso
Product information
page 89
Product description
eXpresso is a product that treats Excel
spreadsheets as a corporate resource,
bringing them under management control in
order to provide the security that is lacking in
Excel itself and adding control and compliance
capabilities. In addition, and unlike all the
other enterprise spreadsheet management
products that we have seen, eXpresso adds
collaborative capabilities for shared working
with spreadsheets. As has been stated, the
software as a service model is the one that
eXpresso is targeting and this report will focus
on the facilities provided when using this
approach though the enterprise version of the
product will not be significantly different: it
simply means that you will be self-hosting the
environment.
Figure 1: Architecture of eXpresso
Architecture
The architecture of eXpresso is both similar
to, and significantly different from, the other
spreadsheet management control and
compliance tools that are available on the
market. This is because all of the other
vendors centralise spreadsheets around a
content or document management system of
some sort, which may be proprietary or it may
be Microsoft SharePoint 2007 or, in one case,
Documentum. eXpresso, on the other hand,
centralises on an Oracle database, as
illustrated in Figure 1, which shows the
architecture of the product.
Whereas conventional approaches to
spreadsheet management simply store Excel
documents as Excel documents, eXpresso
decomposes them and stores all the various
elements of the spreadsheet (data, formulae,
macros, formatting, cell references and so
forth) within relational tables inside an Oracle
database. In addition, spreadsheet images are
stored as BLOBs (binary large objects) are
also stored within the database. This means
that all the security, management, auditing
and so forth that is available within the
database can be directly applied to
spreadsheets and the elements within them.
At run-time, spreadsheets are presented to
users through the eXpresso interface via their
web browser, with the various tabular data
being re-transformed back into spreadsheets
data. There is, of course, an overhead involved
in this transformation process, which is
performed by the Abstractor shown in Figure
1 (and for which various patents are pending),
but this should not be noticeable to the end
user as it will be small compared to any
delays that may occur in the browser.
Figure 2: ‘My Spreadsheets’ page
Using eXpresso
The first thing that you do when you want to
use eXpresso is to log on (with conventional
security applied so that only authorised users
have access to eXpresso spreadsheets) and
then you will be presented with the ‘My
Spreadsheets’ page, as illustrated in Figure 2.
This shows the user’s (secure) Excel
spreadsheets together with the File Name,
details of when it was initially uploaded and
most recently updated and how, whether this
spreadsheet is locked, who it is shared with,
and the various collaboration tools that
support alerts (which you can set as required;
for example, whenever a change is made to a
cell), chat, the exchange of notes and so forth.
There are also shortcuts to cell tracking (for
which you can produce history reports),
comparison capabilities (to compare two
spreadsheets or versions of the same
spreadsheet—see later), tags (which can be
used to filter the spreadsheets shown so that
you can look at just those spreadsheets
pertaining to a particular task), file sharing
and upload and download facilities.
The other notable point about this screen that
needs to be discussed is the conversions tab.
This is provided so that you can convert
spreadsheets from one format into another.
This is important when you want to use
eXpresso
Product information
page 90
spreadsheets to integrate with third party
organisations such as Salesforce.com or DHL.
The problem, of course, is that these companies
expect spreadsheet data in a particular format
but that format may not be suitable for use
inside your own organisation. What eXpresso
can do, through the use of its Abstractor
transformation technology, is to automate the
conversion of your spreadsheet format to
theirs.
Once you open a spreadsheet, the eXpresso Edit
Screen appears, as shown in Figure 3. As can
be seen, this is precisely a Microsoft Excel
interface, which has been implemented by
means of Microsoft Web Components.
Figure 3: The Edit screen in eXpresso
Going beyond this, the major feature of
eXpresso that distinguishes it from competitive
products is its collaboration capabilities and
Figure 4 shows a part of the functionality
provided, illustrating how the spreadsheet
‘owner’ can share selected files with other
users, define access control rights (see later)
and attach messages.
Note that this sharing obviates the need to
email spreadsheets to collaborators, which is
inherently dangerous and insecure. Instead,
anyone you share a spreadsheet with must also
be authorised by the eXpresso system. A
secondary benefit is that this approach
facilitates remote working since you can simply
retrieve spreadsheets by connecting to the
system via the Internet. For off-line working
there is a check-out (download) capability that
will provide automated synchronisation once
you log back in and upload the spreadsheet you
have been working on.
Control and compliance
As already indicated, security is applied directly
by eXpresso and spreadsheet owners can apply
relevant access controls to those that they
share spreadsheets with. These controls can be
set to read-only or to provide write access and
individual controls can be applied to cells,
ranges, columns, rows and so forth.
On the compliance side, as mentioned, a
complete cell level history is maintained so that
you can track all changes to a spreadsheet: who
made a change, when, from what values to
those values, and so on.
Figure 4: Setting Collaboration preferences
However, what eXpresso does not have (and
this is hardly surprising in a first release) is the
ability to discover existing spreadsheets and
automatically load them into the eXpresso
environment. Further, it does not have any
facilities for assessing the risk associated with
any particular spreadsheet, either because of
its potential impact on the business or because
of the size and complexity of the spreadsheet.
Such functionality is important as it enables a
measurement of the most important
spreadsheets to take under management
control. However, this typically requires the use
of Auditor’s tools and these can be had
relatively inexpensively from third parties.
eXpresso
Product information
page 91
That said, eXpresso does offer spreadsheet
comparison capabilities, as shown in Figure 5,
which allows you to compare two different
spreadsheets or versions of the same
spreadsheet. Note both the colour coding and
the reference at the bottom that we are here
comparing all cells. As alternatives you can
compare ranges, rows, columns and formulae.
Finally, one other significant aspect of control
and compliance that eXpresso does not provide
is workflow or some means of defining approval
processes and the segregation of duties: that is,
a formal process by which the owner,
developer, tester and auditor of a spreadsheet
have formalised roles prior to the spreadsheet
going into production. However, this capability
has been identified as a key new feature by the
vendor and will be added in an upcoming
release of eXpresso.
Summary
At present, eXpresso is the only SaaS vendor in
this marketplace and we believe that software
as a service makes sense for spreadsheet
management. However, it is likely that other
suppliers will move to compete with eXpresso,
particularly if it is as successful as we expect.
Assuming that to be the case then SmartDB
needs to make the most of the time window
(whatever that may be) that it has before other
SaaS offerings appear. This is both a technical
consideration (it needs to add further
functionality that it is currently lacking) and a
marketing one, in the sense that it needs to
rapidly build significant market momentum. If it
can achieve these goals then the product’s
future should be a bright one.
Figure 5: Comparing spreadsheets in eXpresso
Spreadsheet Advantage
Fast facts
The market for providing complementary
products to Microsoft Excel comes from two
directions: business intelligence vendors
aiming to provide additional functionality,
especially in the area of automation and
development, and a second group of suppliers
that address this market from the perspective
of governance and compliance, providing the
auditing, security and control that is lacking in
Excel. In this latter category there are two
broad categories of products: control and
compliance tools and auditor’s tools.
Spreadsheet Advantage’s suite of tools
addresses the auditor’s market.
Note that auditors in this context covers two
distinct functions: in the first instance, best
practice in the development of spreadsheets is
for a segregation of roles between the author,
editor, auditor and user of spreadsheets, where
auditor in this context refers to a function that
is internal to the company. Needless to say,
auditing is also an external function. In fact,
Spreadsheet Advantage is suitable for use by
both internal and external auditors. However, a
further point to appreciate is that the more that
you have internal processes in place (such as
the segregation of roles) to ensure the validity
of your spreadsheets, then the less work will be
required by external auditors and the lower
their resulting fees. In other words,
implementing internal auditing processes will
save money not just because you are basing
your decisions on more accurate and reliable
information but also through reduced annual
fees.
Specifically, Spreadsheet Advantage includes
tools for row and column alignments, sheet
comparisons, spreadsheet analysis, circularity
discovery, a sheet mapping tool that allows you
to see the structure of your spreadsheets, and
precedent and dependent analysis, amongst
others.
page 92
The bottom line
From an enterprise perspective Spreadsheet
Advantage should properly be considered as a
suite of tools and utilities, primarily focused on
detecting errors and auditor functions. Given
the potential costs associated with spreadsheet
errors, which can be very substantial (see www.
eusprig.com), these relatively inexpensive tools
should pay for themselves within a very short
period.
Vendor information
Spreadsheet Advantage is an Australian
company that was founded in 2005 by
professionals experienced in auditing and
consulting. The product was introduced in the
same year. It already runs under Windows Vista
and will support Excel 2007 by the time this
report is published.
The company is privately owned and sales are
conducted directly from the company’s web
site: you can download an evaluation copy of the
software that you can use for no charge for 30
days. After that the license fee is US$299—
discounts may be available for large numbers
of users. Support is available vie e-mail.
Spreadsheet Advantage web address
www.spreadsheetadvantage.com
Spreadsheet Advantage
Product description
page 93
As previously noted, Spreadsheet Advantage consists of a suite of tools, which we will discuss in turn. However, there are a
number of additional features that do not conveniently fit under the headings that follow. These include a number of
facilities that allow you to jump to the cells you are looking for (via bookmarks, dependent arrows or shortcut keys), a list
names facility that lets you list all the range names in a spreadsheet, a nested IF display that allows you to visualise the
structure of this nesting, and precedent/dependent capabilities for which you can use colour coding to highlight all the
cells that are dependent on, or precedent to, a group of cells. These facilities are further leveraged by the software so that
you can trace the ultimate source of any error values in a particular cell.
Row and Column Aligner
The Row and Column Aligner is a precursor to the Spreadsheet Comparison (see next). The point here is that when you
want to compare two spreadsheets, whether they are different sheets or versions of the same spreadsheet, it is often the
case that additional rows or columns will have been added or removed from one to the other, which makes any sort of
visual or automated comparison very difficult. What Spreadsheet Advantage does here is to automatically insert new blank
(actually filled out with cross-hatches) rows or columns so that the two spreadsheets match up with comparable rows in
the same rows, and comparable columns in the same columns, thereby avoiding the task of having to do this manually.
Spreadsheet Comparison
Once the relevant spreadsheets have been
aligned, the Spreadsheet Comparison tool
allows you to compare two versions of the same
spreadsheet or two different spreadsheets. It
then generates a workbook with a single
comparison report sheet for that pair of
spreadsheets. As can be seen in Figure 1 the
software groups adjacent cells that contain the
same formula in this comparison report. Thus
the formula in cells AC21 to AR21 have changed
but these are grouped together in a single item
rather than listing every cell in the range. Note
that differences are highlighted using bold,
coloured (red) text.
Figure 1: Comparing spreadsheets
It is worth noting that this tool has been applied
to some very large spreadsheets, up to 30Mb in
size and containing over 100 worksheets.
In addition to Spreadsheet Comparison there is
also a Bookmark Comparison capability that
allows you to compare two different cell ranges,
which can be useful for checking formulae
consistency.
Spreadsheet Analysis
Spreadsheet analysis provides statistical
analysis for your spreadsheets. For example, in
Figure 2 the analysis shows the number of
stored and used rows and columns, and the
number of unique formulae used in each
spreadsheet. Further, it also shows the
formulae references to other spreadsheets so,
here, OtherCosts has three formulae that refer
to the Assumptions sheet. Note that the
software attempts to order the spreadsheet
analysis so that later spreadsheets refer back
to earlier ones. Where this is not possible the
references arte highlighted in a yellow box so
OpCosts has one reference to Operations, for
example.
Figure 2: Analysing spreadsheets
Spreadsheet Advantage
Product description
Spreadsheet analysis helps you to understand
the structure and logic flow of your
spreadsheets. Also, in conjunction with
precedent/dependent analysis it can help you to
determine your most complex spreadsheets.
Bearing in mind that complexity directly
correlates with the likelihood of errors, this can
help you to assess which spreadsheets expose
you to the greatest risk.
Circularity Finder
Circularities (that is, for instance, where A
references B, B references C and C references
A) are ill-advised: they can result in the whole
system locking up and failing to calculate
anything. Even if the circularity is valid, such an
approach can result in very poor performance.
It is therefore a very good reason to remove all
such references: however, you have to find
them first and this is what the Circularity Finder
does. Note that some circularities may be
conditional (that is, they only apply when an
input is set to a particular value) but
Spreadsheet Advantage can find these too.
Map
Figure 3: Mapping spreadsheets
Figure 3 shows the result of Spreadsheet
Advantage’s Map facility. Here, ‘F’ means that
the cell contains a formula, ‘>’ that the
formula is the same as the one to the left, ‘v’
that it is the same as the one above and ‘+’ for
both. ‘T’ represents a text cell and ‘N’ a
numeric one. What this enables you to do is to
see where there are unexpected changes. For
example, the red ‘F’ in the middle of row 4 looks
suspicious, as it indicates a change of formula
in the middle of the row. By selecting that cell
and using the relevant short-cut key the
software will take you directly to the actual cell
in the spreadsheet so that you can examine it
for any potential errors.
page 94
Summary
Compliance and Control products, which
typically include the sort of auditing capabilities
that are provided by Spreadsheet Advantage,
usually run into at least five, commonly six and
even, sometimes, seven figures. This will be too
costly for most small and medium sized
enterprises as well as for departments within
larger organisations. For these people,
auditors’ tools should be a must buy: the
uncontrolled and untested use of spreadsheets
is potentially dangerous to your bottom line and
Spreadsheet Advantage can help to rectify the
issues raised.
Spreadsheet Detective
Fast facts
The market for providing complementary
products to Microsoft Excel comes from two
directions: business intelligence vendors
aiming to provide additional functionality,
especially in the area of automation and
development, and a second group of suppliers
that address this market from the perspective
of governance and compliance, providing the
auditing, security and control that is lacking in
Excel. In this latter category there are two
broad categories of products: control and
compliance tools and auditor’s tools. Southern
Cross Software’s Spreadsheet Detective is a
suite of tools that addresses the auditor’s
market.
Note that auditors in this context cover two
distinct functions. In the first instance, best
practice in the development of spreadsheets is
for a segregation of roles between the author,
editor and auditor of spreadsheets, where
auditor in this context refers to a function that
is internal to the company. Needless to say,
auditing is also an external function. However,
a further point to appreciate is that the more
that you have internal processes in place
(such as the segregation of roles) to ensure
the validity of your spreadsheets then the less
work will be required by external auditors and
the lower their resulting fees. In other words,
implementing internal auditing processes will
save money not just because you are basing
your decisions on more accurate and reliable
information but also through reduced annual
fees.
page 95
Key findings
In the opinion of Bloor Research the following
represent the key facts of which prospective
users should be aware:
• Spreadsheet Detective has the most
extensive range of auditing tools that we
have seen from any vendor in this class.
• Spreadsheet Detective has a number of
facilities, such as its sensitivity report,
which we have not found (or rarely found)
elsewhere.
• Unlike many suppliers that have limited or
no support for earlier versions of Excel,
Spreadsheet Detective supports all versions
of Excel (with the exception of 2007 which is
shortly to be released) from Excel ’95
onwards.
• Like most products in its class, Spreadsheet
Detective uses spreadsheets to display its
analyses. Given the wealth of detail that
Spreadsheet Detective can present we
would like to see the company
implementing more intuitive (and simple)
visualisation techniques, including colour
coding.
Bottom line
Spreadsheet Detective is one of the longest
established and most comprehensive suites of
auditing tools that we have seen. This is not to
say that other products may not have features
that are not in Spreadsheet Detective or that,
in some instances, we might prefer a
competitor’s implementation of a particular
feature but, overall, the product is clearly the
market leader, and deservedly so.
Spreadsheet Detective
Vendor information
page 96
Vendor background
Product availability
Spreadsheet Detective from Southern Cross
Software was first introduced in 1997. While
there are other products on the market that
were available for in-house use only prior to
this date, as far as we know this makes
Spreadsheet Detective the first product in the
spreadsheet management market to be have
been made commercially available.
Given its longevity as a product it is perhaps
not surprising that Spreadsheet Detective
supports Microsoft Excel from version ‘95
onwards. This is extremely rare: we know of
no other supplier that still supports ‘95 and
many do not support ’97. That said, the
product does not currently support Excel 2007,
though this is under test. The company uses
Microsoft style version numbering and the
current version of the product is Spreadsheet
Detective 2006, with the 2007 version due for
release shortly.
Southern Cross, as its name implies, is an
Australian company, which is privately owned.
It is the leading supplier in both Australia and
New Zealand and is also well established in
the UK. On the other hand the company has
rather neglected the North American market
though it still has major customers there: for
example a major automotive manufacturer
that uses the product world-wide. There is
also support for European languages though,
again, the company has not focused on this
area.
Sales are by download, starting at (US) $180
for organisations and $48 for individuals
though you can have an evaluation copy on a
free download basis. Support is via email.
Web address: www.spreadsheetdetective.com
In addition to Spreadsheet Detective, Southern
Cross has also developed a product called 123
Detective, which provides similar functionality
for Lotus 123 environments that was
developed at the behest of Lotus (IBM) and
which is available only from that company.
Spreadsheet Detective
Product description
Introduction
Spreadsheet Detective consists of a number of
different auditing tools and while these are all
distinct (with a few exceptions) the various
tools provided can be broadly categorised as
belonging to four groups: formula
investigation, precedent/dependent analysis,
worksheet analysis, and other tools. We will
consider the facilities provided under these
headings. However, before doing that it is
appropriate to describe the product’s
‘AutoName’ facility that is leveraged across
the product. What this does is to provide a
label (name) for all formulae and defined
ranges, which means that in relevant tools you
have a name (for example ‘FixedCost’)
associated with the relevant entry rather than
cryptic references to row numbers. Examples
of Autonames feature in some of the figures
that follow. There are also facilities to control
and override AutoNames. Note too that
Autonames in Spreadsheet Detective are
based on heuristics that determine which cells
contain useful text to make Autonames out of,
rather than relying on a particular layout of
the spreadsheet.
Formula investigation
page 97
can be confusing. However, the advantage
of stripes is that they can be superimposed
on any existing cell colouring without
having to turn that off. If cells have been
coloured in blue then Spreadsheet
Detective will use pink stripes instead.
2. Audit formula report—this is a report of all
the unique formulae (in other words each
formula appears only once) and defined
ranges within a spreadsheet, along with
their label (autoname) initial value.
Formulae themselves are colour coded to
identify errors.
3. Full annotations—this is illustrated in
Figure 2. Apart from the autonames shown,
the important feature here is the use of
lines, dots and circles, and so on, as
follows:
a.Red dots mean that the cell contains the
same formula as the cell to the left while
and empty dot means that there is no
formula.
b.Red boxes show new formulae.
c. The various green figures (such as #)
also have various meanings.
Spreadsheet Detective provides three major
formulae tools:
1. Audit formulae with shading—this is
illustrated in Figure 1 where horizontal
shading means that the formula is the
same as in the cell to the left, vertical
shading where it is the same above, crosshatching indicates that this is a new
Figure 2: Annotation features
Figure 1: Auditing formulae using cell shading
formula and speckled (diagonal hatching)
means that this formula is a copy of a
non-adjacent cell. In other words this tool
is designed to enable the visual
identification of inconsistencies. Note also
the native Excel green and red triangles:
these are intended to highlight potential
errors but are not a reliable guide, hence
the need for more detailed inspection. Our
only concern with this tool is that it might
be preferable to use different colours
rather than all of these blue lines, which
While you can turn red dots off we are
concerned that this diagram is overcomplicated though, to be fair, we have not
seen any other product that provides this
wealth of detail.
Other formula-based capabilities include a
formula map that represents each cell as a
single character; the ability to identify and list
formulae that reference other workbooks; the
ability to flag cells that are, or are not,
referenced by any unique formula; and a
facility to visualise array formulae.
Spreadsheet Detective
Vendor information
Precedent/dependent analysis
There are two tools in this category:
precedent/dependent dialog and precedent
and dependent reports. The former is
illustrated in Figure 3. Here, the active cell
(H37) is described in the central box, with
precedent cells (B2, I37 and H38) to the left
and dependents (H36) to the right. You can
click on any precedent or dependent and
automatically make that the active cell.
page 98
Secondly, there is a Worksheet Summary
report that shows the number of formulae in
any particular worksheet that refer to other
worksheets. This is illustrated in Figure 4. You
can drill down to these formulae by double
clicking on the relevant cell. In particular, you
can identify when two worksheets reference
each other, which is not best practice when it
comes to developing spreadsheets. The report
also provides details of circular references.
Figure 3: The precedent/dependent dialog
While the dialog is primarily about moving
backwards and forwards to/from precedents
and dependents, the precedent report
describes how the active cell was calculated,
allowing you to drill down through successive
levels within the precedent (or dependent)
tree.
Worksheet Analysis
In this area there are two major capabilities.
The first is a spreadsheet comparison tool that
allows you to compare different versions of
the same spreadsheet or different
spreadsheets. Relevant symbols are inserted
to indicate when a new formula has changed
or where a row or column has been inserted,
and so on. Once again, however, we would
prefer the use of colour coding rather than
symbols. In addition, the comparison is
presented as a single spreadsheet rather than
as two spreadsheets side-by-side: the latter
has the advantage that you can insert blank
rows or columns rather than, again, using
symbols.
Figure 4: Worksheet Summary report
In addition to these tools there is also a facility
to show how multiple workbooks are, or are
not, related; a report that provides a summary
of all worksheets in a book; and the ability to
highlight formulae copied between
worksheets in three dimensional models.
Other tools
Perhaps the most significant of the other tools
provided in Spreadsheet Detective is the
Sensitivity Report. This shows how sensitive a
selected output value is to all relevant input
values. While this may be valuable in its own
right it can also be used to highlight
anomalous results: such as a zero sensitivity
that may suggest an error in the spreadsheet.
Further tools provide facilities for
manipulating name ranges and for chart
documentation.
Summary
Spreadsheet Detective is, deservedly, a market leader for auditing tools, both in terms of
sales and functionality. However, the product is starting to look its age with respect to the
visualisation used. Other, newer entrants to the market may not offer as rich functionality as
yet but they do so in a way that is clearer and easier for the auditor. In our view, Southern
Cross needs to focus on this area in forthcoming releases if the company is to retain its
leadership position.
Spreadsheet Professional
Fast facts
page 99
Fast Facts
Bottom line
The market for providing complementary
products to Microsoft Excel comes from two
directions: business intelligence vendors
aiming to provide additional functionality,
especially in the area of automation and
development, and a second group of suppliers
that address this market from the perspective
of governance and compliance, providing the
auditing, security and control that is lacking in
Excel. In this latter category there are two
broad categories of products: control and
compliance tools and auditor’s tools.
Spreadsheet Professional from Spreadsheet
Innovations is a suite of tools that addresses
the auditor’s (both internal and external)
market, though it also includes tools to help
with the construction of spreadsheets.
While we have placed Spreadsheet
Professional in the category of auditor’s tool
the product should not really be regarded (or
at least not wholly) in this light. This is
because it does not have some of the
functionality (such as precedent and
dependent analysis) that you would normally
expect from a product in this category. On the
other hand, it does have a number of features
that are not commonly found in auditor’s
tools, such as break-even and sensitivity
analysis, and in some of the documentation
and spreadsheet building capabilities
provided. This makes any comparison with
other products difficult. However, it is clearly a
market leader as its large customer base can
testify to, which suggests that users like the
broad range of capabilities that is offered.
Spreadsheet Professional
Vendor information
page 100
Vendor background
Product availability
Spreadsheet Innovations is a UK-based
company that was founded in 1994, which
makes it one of the first companies to
recognise the potential importance of the
spreadsheet management market. It also has
the largest, or one of the largest, user bases,
with around 6,000 companies licensing the
product world-wide.
The current version of Spreadsheet
Professional was launched in 2001 and
supports versions of Excel from Excel 97
onwards though not yet Excel 2007. An earlier
version of the product (pre-2001) is still
available that does support Excel 95.
As with other products in the auditor’s tools
subset of this market, the product is relatively
inexpensive, with a base price of £295, though
there are discounts available for multi-user
licenses. A free trial version may be
downloaded. The company has distributors in
both South Africa and Australia. For
companies specifically interested in SarbanesOxley compliance the company has partnered
with Miricle Solutions to provide a combined
package to address the issues posed by
Sarbanes Oxley. This package, consisting of
Spreadsheet Professional together with
Miricle Solutions’ video training, which is
closely linked to Spreadsheet Professional,
describes in detail the errors associated with
spreadsheets, how to avoid them and how to
use Spreadsheet Professional to detect them
and document your spreadsheets.
Web address:
www.spreadsheetinnovations.com
Support is via email.
Spreadsheet Professional
Product information
page 101
Introduction
Spreadsheet Innovations describes Spreadsheet Professional as providing four different types of
tools, which fall into the categories of ‘building’, ‘testing’, ‘documenting’ and ‘using’ tools
respectively. We will discuss the various capabilities provided under these headings.
Building tools
By ‘building tools’, Spreadsheet Innovations means tools that help you create spreadsheets.
However, we should distinguish between the sorts of tools that Spreadsheet Innovations provides
and those of template-driven, automated development environments for spreadsheets, which
represent a wholly different class of product. We should also comment that these are generalpurpose tools rather than specialist capabilities that some vendors offer for, say, building
complex financial models.
There are five building tools provided, as
follows:
1. The first tool supports the setting up of
spreadsheets in a standard format, in
order to support best practices.
2. The Build Bar is intended to minimise the
keystrokes used when creating a formula,
formatting it and copying it across a
spreadsheet, eliminating the need to drag
and drop. There is also an automatic colour
coding option with the software
automatically applying a particular colour
depending on whether the cell contains a
formula or an input.
3. The Translation Bar shows the current
formula in English rather than symbols.
For example, “B3: Profits = Sales–Costs”
4. The Spreadsheet Painter provides similar
functionality to the automated colour
coding in the Build Bar, except that colours
are customisable and apply to more cell
types, such as headings and labels.
5. The Formula Tracer allows you to see how
a formula has been derived, as shown in
Figure 1. We would describe this as an
‘analysis’ tool rather than a ‘build’ tool but
that is a quibble.
Figure 1: Screenshot of the Formula Tracer tool
Spreadsheet Professional
Product information
page 102
Testing tools
Spreadsheet Professional can test for some
25 different potential error conditions, as
illustrated in Figure 2. Note that although
there is an option to evaluate Lotus rules this
does not mean that the product will run with
anything other than Excel.
When the test is run, the software will
generate an appropriate report that provides
statistics on all the results. An example of this
(for a small spreadsheet) is illustrated in
Figure 3.
Documenting tools
Spreadsheet Professional includes eight
documenting tools though, again, we would
consider a number of these to be really more
about analysis (that is, discovering what the
spreadsheet is doing).
Figure 2: Test options avaible in Spreadsheet Professional
The tools provided are:
1. A Summary Report that provides details of
when the spreadsheet was created, the
sheets that are in it and so forth.
2. A Range Name Report that provides a list
of range names and external references
and what they refer to.
3. A Maps Report that uses symbols to
support the visual inspection of
spreadsheets so that you can see if the
same formula has been copied across
adjacent cells. In our view, a more
graphical approach (for example, using
colour coding) is more intuitive for this sort
of mapping.
4. A Translation of Calculations Report that
shows the English description of each
formula, as displayed in the Translation
Bar described previously.
5. A Blank Input Sheets Report that identifies
required inputs and generates a relevant
blank input sheet.
6. A Current Input Values Report that shows
the value of each input.
7. & 8. Testing Reports that detail errors
based on the testing options discussed in
the previous section.
Figure 3: Test report
Spreadsheet Professional
Product information
page 103
Using tools
Like most vendors, Spreadsheet Innovations
provides a spreadsheet comparison tool
though, in this case, it merely displays the
differences between spreadsheets (which may
be different spreadsheets, different versions
of the same spreadsheet or even two separate
runs of the same spreadsheet) either for
inputs, formulae or results. By contrast, other
suppliers typically present the spreadsheets
themselves, with differences highlighted.
In addition, the former also includes a tool
that provides both sensitivity and break-even
analyses. The former is rare in products of
this type while we are not aware of any other
vendor offering break-even analysis.
Of the two functions, the sensitivity analysis
allows you to select a range to vary any input
cell by and then see the impact on any other
cell within the spreadsheet. However, while
we like the graphical reporting used (see
Figure 4) it would also be useful if you can see
sensitivity across all cells within a
spreadsheet simultaneously. The break-even
analysis, on the other hand, lets you see what
value the input cell has to be so that the other
cell has whatever target value you have set.
This is particularly useful when you are trying
to establish answers to questions such as
“how far can revenues drop before we stop
making a profit?”
Figure 4: Use of graphics in a report
Summary
Spreadsheet Professional is best regarded as a general-purpose product rather than as specifically an auditor’s
toolset, though it fulfils the latter purpose as well. Clearly, this has had significant appeal as an approach. The question,
however, is whether this will continue to be the case as spreadsheet management becomes more prominent as a
concern, not just for the business but for IT. There has to be the danger that organisations will start to ask for specialist
products to support development and specialist products to support auditing, and so forth. However, for the present,
Spreadsheet Professional offers something for everyone which is, no doubt, why it has been so successful.
Spreadsheet Management
Chapter 6 – Vendor and product comparisons
In this section we will discuss the various
vendors covered in this report under the
headings used in Chapter 4. Note that we have
attempted to be as comprehensive as possible
in our coverage in this report but there are no
doubt suppliers that we have failed to discover
during our research and there is at least one
vendor that failed to reply to our repeated
requests for information. Unless otherwise
stated, a detailed evaluation of each vendor’s
product is included within Chapter 5.
page 105
Because of the limited number of companies
in all of the sectors and sub-sectors of this
market we have not included any Bullseye/
Landscape diagrams in this report as these
would be misleading with such small numbers.
Instead we have reverted to conventional
scoring and bar charts to compare technologies
only.
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Auditor’s Tools
page 106
In many respects the vendors in this category are very similar. The vendors are based in a single
country, products are available via download, typically with a 30 day free trial, support is via email
and all the products have comparable prices with negotiable volume discounts for large-scale
enterprise deployment. The only exception (to some extent) is Operis, which primarily markets its
OAK product directly to its consulting clients.
All of this being the case there is little to differentiate the vendors per se, as opposed to their
product offerings. Thus the main differences between the suppliers are the breadth of their product
offerings and their ease of use, which is typically represented by the visualisation techniques
involved. Rather than simply awarding a score for each of these elements it will be more sensible
to discus each of these facets of the products in turn and, in the case of breadth of product list the
major capabilities provided by each product. These are illustrated in Table 1.
Operis
OAK
Circular references
Yes
Formulae errors
Yes
Formula expansion
No
Sheetware Spreadsheet Spreadsheet Spreadsheet
XDrill
Advantage Detective Innovations
No
Yes
Yes
Yes
No
Yes
Yes
Yes
No
Yes
No
No
Formulae with names
Yes
No
Yes
Yes
Yes
Spreadsheet mapping
Yes
Yes
Yes
Yes
Yes
Formula derivation
No
No
No
Yes
Yes
Logic checks
Yes
No
No
Yes
Yes
Dependents
No
No
Yes
Yes
No
Precedents
Yes
Yes
Yes
Yes
No
Comparisons
No
Yes
Yes
Yes
Yes
Sensitivity
No
No
No
Yes
Yes
Breakeven analysis
No
No
No
No
Yes
Model reporting
Yes
No
No
Yes
No
Spreadsheet
analysis (stats)
No
No
Yes
Yes
Yes
Usage reporting
No
No
No
No
No
“Spell” check
No
Yes
No
No
No
Number derivation
No
Yes
No
No
No
Number/range finder
No
Yes
No
No
No
Development utilities
Yes
No
No
No
Yes
Table 1: Comparison of Auditor’s Tools
This table gives an idea of the range of facilities provided by each vendor (for more detailed
discussions and descriptions see the various product evaluations in Chapter 5). However, it is by no
means an exhaustive list; nor does it differentiate between lesser and greater functionality within
each feature. Nevertheless, it represents an accurate picture of the breadth of capability offered by
each vendor.
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Auditor’s Tools
Visualisation
In addition to the particular functionality
provided by the features highlighted in Table
1, another significant consideration is the
visualisation provided by each supplier. This is
important because better visualisation leads to
easier use. As an example, Figures 2, 3 and 4
illustrate the Spreadsheet Mapping capabilities
provided by Spreadsheet Advantage,
Spreadsheet Detective and Sheetware
respectively.
Figures 2 & 3: Mapping facilities of Spreadsheet Advantage and Spreadsheet Detective
These are very different. In Figure 2 you cannot
see the details of the spreadsheet that the
mapping refers to. In Figure 3 colour coding is
applied over the top of the spreadsheet and it
has the advantage that any cell colouring in the
spreadsheet can be retained with the stripes
and hashing being applied over the top of the
existing colours (and if a cell is coloured blue
then the stripes are in pink). However Figure
4, in our opinion, is much the easiest of these
three to understand.
Figures 5 and 6 show a different example, this
time showing precedents/dependents, with
the first example illustrating Spreadsheet
Detective’s approach and the second showing
Compassoft’s (see Control and Compliance
tools) Precedence Walker (there is also a
Dependency Walker).
Figure 4: Mapping facilities of Sheetware
Of course, Compassoft’s product costs orders
of magnitude more than Spreadsheet Detective
but the point should be clear that the more
graphical the approach is, at least potentially,
the easier it is to understand.
Amongst the various tools under consideration,
particularly praiseworthy visualisation
elements include:
• Spreadsheet Detective’s use of AutoNames
and tooltips (see Figure 3). Also Operis’
naming capabilities.
Figure 5: Precedents and Dependence facilities of
Spreadsheet Detective
• Spreadsheet Advantage’s spreadsheet
analysis and circular referencing.
• Sheetware’s spreadsheet mapping.
• Spreadsheet Innovations’ Breakeven analysis
capability.
Figure 6: Compassoft’s Precedence Walker
page 107
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Auditor’s Tools
Conclusion
The vendors considered here are:
To be more specific:
• Operis: OAK (the product) is from a company
Recommended as best-of-breed pure
Auditor’s tool:
specialising in complex financial modelling.
At the top end of the price range in this
sector of the market. Worth consideration
specifically for financial modelling as it has
specialised features in this area.
• Sheetware: Offers a modularised suite of
tools that can be licensed separately. By
far the most popular tool is XDrill, which
automates the answer to the question “where
does that number come from?” This is worth
considering in its own right even if another
tool is used more generally.
• Spreadsheet Advantage: Not as
comprehensive as its fellow Australian:
Spreadsheet Detective.
• Spreadsheet Detective: One of the two
leading vendors in the market with the widest
set of auditor’s tools from any vendor in the
space (including control and compliance
tools—see next section). We would like to
see some more use of modern visualisation
techniques (though this comment also
applies to other vendors) but Spreadsheet
Detective is highly recommended for its
breadth of capability.
• Spreadsheet Innovations: The other leading
vendor. Spreadsheet Professional (the
product) has a broader set of capabilities in
that it incorporates tools to help make the
task of spreadsheet development easier
(but not automated—see later) but is more
restricted than Spreadsheet Detective in that
it does not offer as wide a range of purely
auditing capabilities.
Unless you have special interests (when Operis’
OAK, for example, might be appropriate) then
the choice clearly lies between Spreadsheet
Detective and Spreadsheet Innovations as the
two most extensive product sets within this
market. Which choice you make will largely
depend on your requirements: the former if you
are solely concerned with auditing but the latter
if you also want help with development, though
it should be borne in mind that these are only
really utilities that are provided and, even
there, there is some overlap with Spreadsheet
Detective.
Note that your choice may be different if you
are using one of the control and compliance
products that offers auditor’s tools as here
you will be looking to fill in gaps rather than
necessarily requiring a complete tool in its
own right. XDrill could be a useful addition
regardless of which other product you adopt.
Spreadsheet Detective
Recommended as best Auditor/
Developer tool:
Spreadsheet Innovations
Recommended for complex financial
modelling:
Operis
Recommended as add-on to discover
where a number came from:
Sheetware XDrill.
Other vendors
Two other vendors, whose products are not
included in Chapter 5, are worth mention, as
follows:
Codematic: This is a UK-based consulting
company specialising in spreadsheet
management that developed XLAnalyst as
an in-house tool for checking things such as
circular references, numbers formatted as text,
conditional logic, complex modelling logic and
so forth. However, XLAnalyst is purely an error
checking tool rather than an Auditor’s tool. As
such it is not evaluated in detail in this report.
Codematic is planning to offer commercial
products for enterprise spreadsheet
management but, according to its web site, is
currently too busy on consulting engagements
to suggest any potential release dates.
UTS: Does not provide a full range of auditor’s
tools and it is not included in Chapter 5.
However, it does have two tools that may be of
interest. The first is MathLook for Excel and
the second is the Galaxy Enterprise Knowledge
Management System. The former is used to
present formulae using names rather than
symbols (a feature that is in a number of the
other tools) and the latter allows an enterprise
to apply a common approach to developing and
deploying engineering models so that the same,
secure user interface can be used to access
spreadsheet models as well as information
derived from other environments such as
Fortran, MathCad or the company’s own TK
Solver.
page 108
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Control & Compliance Tools
page 109
Control and Compliance tools
While the vendors in the Auditor’s Tools category were fairly homogeneous this is by no means
true for Control and Compliance tools. Here we have three companies (CIMCON, Compassoft and
Prodiance), all of which have an established background in building compliance solutions; three
companies (ClusterSeven, Lyquidity and ROISoft) that have built new (and only) products specifically
targeted at spreadsheet management; and two companies (Mobius and SmartDB) that have a
history in other markets that have identified spreadsheet management as an opportunity. Moreover,
the maturity of the various solutions varies widely, from products with a substantial history and
in excess of 100 users to the latest entrant, SmartDB, whose product only becomes available in
June 2007. Furthermore, SmartDB’s eXpresso is the first product to be available via Software as
a Service. All in all, therefore, the market is remarkable heterogeneous given that there are only
eight suppliers.
In particular, note that ClusterSeven and Lyquidity do not address the same markets as the other
vendors. ClusterSeven has been designed for environments where spreadsheets are already
treated as a corporate resource and the only requirement is the best possible monitoring of that
resource. In other words, the product is focused on compliance but not control. Lyquidity, on the
other hand, is more aimed at departmental solutions and the SME market where a minimal solution
is required at a low cost. It does not have anything like the functionality of the other products but
then an enterprise license for the product is just $8,995 whereas the other vendors are typically
talking about 6 or 7 figure sums.
Returning to the issue of heterogeneity, the same is also true with respect to the categories of
capability provided by each vendor. This is illustrated in Table 2.
Discovery
Compliance
Risk
Assessment
Control
Auditor’s
tools
Security
Collaboration
CIMCON
Yes
Yes
Yes
Yes
Yes
Yes
No
Cluster7
Yes
Yes
No
No
Comparison
Yes
No
Compassoft
Yes
Yes
Yes
Yes
Yes
Yes
No
Lyquidity
No
Yes
No
Yes
Comparison,
Formula
expansion
No
No
Planned
Yes
No
Yes
Consistency
checks
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
No
Yes
No
Yes
No
Future
Yes
No
Yes
Comparison
Yes
Yes
Mobius
Prodiance
ROISoft
SmartDB
Table 2: Comparison of Control & Compliance Tools
As should be obvious these are only very broad brush categorisations and the details of each
product are necessarily more complex than this. Note that with respect to Auditor’s tools none
of these vendors have the breadth of capability offered by the leading Auditor’s Tools such as
Spreadsheet Detective or Spreadsheet Innovations. However, where they do have equivalent
functionality the products in this category tend to make use of more advanced visualisation
capabilities than the pure play Auditor’s products.
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Control & Compliance Tools
Visualisation
However, that is not to say that there are not
significant differences between the various
vendors even in this category when it comes to
visualisation. Compare, for example, Figures
7 and 8, which show the approach to workflow
provided by Mobius (approvals process) and
Prodiance (change control) respectively.
Needless to say we find the more graphical
approach of Prodiance to be more appealing
and intuitive. Indeed, this is a particular
strength of the Prodiance product. Note that
in the scoring section that follows we have
not scored visualisation as a separate entity
but taken this into account across the various
scores.
The vendors
Vendors in this category include:
• CIMCON: One of only two vendors in this
category with over 100 customers, CIMCON is
clearly one of the market leaders with a long
history of compliance solutions.
• ClusterSeven: A compliance only solution
that has established a presence within
financial services, where it is focused. The
company has only a handful of users though
these are very large implementations.
• Compassoft: Has the largest share of any
company in the market, with more than 150
customers. It is thus the market leader. As
with CIMCON, the company has a significant
history of providing compliance solutions, not
just for spreadsheets.
• Lyquidity: A relatively new and very lowpriced (comparatively) solution. This makes
it attractive but the product does not have an
understanding of spreadsheet hierarchies
(amongst other things) at present, which
means that it will have limited application
within markets such as financial services
and may well be most suitable (because of its
very attractive pricing) to SMEs.
• Mobius: The largest and most wellestablished company in this group and the
only public one amongst them, with 450
employees and a world-wide presence
(revenues last year of just under $90m) it
has a significant customer base for its more
traditional products (records management
and so forth) that it can leverage with its
control and compliance solution. This gives
it an opportunity that its rivals do not have,
though the product is not currently as feature
rich (it was released later) as some of its
rivals.
• Prodiance: This was a spin-off from Agilent
after that company acquired Scientific
Software. As such the company has a solid
background in compliance though this is not
reflected in the size of its customer base,
since it has only been in existence since 2005.
• ROISoft: Another new entrant to the market,
having only launched its product ExSafe at
the end of 2006. Unlike other companies in
this market it has started by specialising
in security and has then built control and
compliance on top of that, rather than the
other way around.
• SmartDB: The most exciting of the new
entrants to the market (at the time of writing
it has not actually been released though the
platform the product is built upon is three
years old: availability is scheduled for June
2007) with its eXpresso product. This is the
first (as far as we are aware) product in this
space to offer spreadsheet management
through a Software as a Service (SaaS)
model similar to Salesforce.com, though
the software is also available in stand-alone
mode if required. We believe that this gives
the company significant potential within
the market, depending on how long it has
this advantage over its competitors. It is
notable also that eXpresso has significant
collaborative capabilities that are largely
missing from competitive offerings. Like
Mobius, SmartDB is an existing (privately
owned, 12 year old) organisation that is
branching out (from tools supporting Oracle
environments) into this market and it will
therefore have an established client base (in
20 countries currently) to leverage.
page 110
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Control & Compliance Tools
Scoring
In this section we provide comparative scores
for the technologies provided by the different
vendors, according to Table 2. However, as
SmartDB is the only vendor to have introduced
collaborative capabilities (for example, the
ability to share rather than email spreadsheets
and to control that sharing) over and above
those of conventional document management
systems, we have not bothered to score this
particular category. Of the remainder, the sorts
of facilities we are looking for include:
Discovery: The way in which this is
implemented: is it non-intrusive, what impact
will it have on performance, how much
implementation effort will be required and
how quickly can you get started? Further, how
effective this will be on an on-going basis,
whether this is automatic and iterative or
whether it is optional and you have the choice
to use scheduled updates, if necessary. Also,
includes the ability of the product to recognise
the links that exist between spreadsheets and
between spreadsheets and data sources, and to
handle those links automatically both initially
and when changes are made.
Compliance: The capabilities of the audit trail
(which should be down to cell level, have actual
times for changes not saves, the ability to
record failed changes, support for multiple time
zones, whether the audit trail can be encrypted,
and colour coding), whether there is support for
electronic signatures, if you can mandate the
attachment of notes when changes are made,
if there are ad hoc reporting or compliance
dashboards built-in, whether you can examine
cell histories, if there is trend analysis
available, if there are archival policies that you
can apply and whether there are facilities for
automatically generating alerts when changes
are made.
Risk Assessment: This is the process of
assessing the risks involved with any particular
spreadsheet so that you can determine which
ones need to be taken under management
most urgently. Risks assessment is typically
associated with Discovery and relies, at least in
part, on appropriate Auditor’s tools. Facilities
needed include the sorts of risk and complexity
analysis provided, including whether there is a
risk scorecard or dashboard.
Control: Support for version control (down to
cell level and including check-in and checkout and, if this is via a document management
system, what range of options is available),
the segregation of duties and workflow. With
respect to workflow: is it graphical, can it be
connected to business process management
systems and can it be used for building
spreadsheet applications as well as things such
as approval processes?.
Auditor’s tools: Apart from the various facilities
discussed in the section on this topic there are
a number of additional capabilities provided by
one or more suppliers in this grouping, notably
consistency checks (applied when the same
spreadsheet is reused on a regular basis but
with different data), the ability to apply colour
coding, the ability to query spreadsheets and
policy enforcement (for example, that this
spreadsheet complies with this template).
Security: Support for digital rights
management, LDAP and Active Directories,
encryption of data and audit trails, support
for off-line working; and locking down to cell
level based on roles, with passwords and
user permissions that can be applied down
to the cell level (which will need inheritance
to be implemented to avoid too heavy an
administrative overhead), along with the ability
to lock down macros and queries.
page 111
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Control & Compliance Tools
page 112
Ri
sk
sk
sk
y
rit
cu
ls
y
rit
ls
Se
cu
To
o
Se
cu
rit
y
s
To
ol
Figure 14: Lyquidity scores
Se
cu
rit
y
s
To
ol
r’s
ito
Co
nt
ro
l
Ri
sk
Di
sc
ov
er
y
rit
cu
Se
To
ol
r’s
es
s
ito
Au
d
m
nc
e
ia
As
s
Ri
Figure 13: ROISoft scores
Au
d
0
m
1
0
es
s
2
1
nc
e
3
2
ia
4
3
As
s
5
4
Co
m
pl
6
5
y
7
6
s
8
7
Co
nt
ro
l
9
8
en
t
10
9
en
t
Figure 12: Prodiance scores
10
sk
r’s
Ri
Ri
Figure 11: Mobius scores
Co
m
pl
ito
r’s
pl
Co
m
Di
Au
d
sk
ia
y
sc
ov
er
r it
Se
cu
r’s
es
s
As
s
ito
m
nc
e
ia
pl
Co
m
sc
ov
er
Co
nt
ro
l
0
Au
d
1
0
m
2
1
es
s
3
2
nc
e
4
3
As
s
5
4
y
6
5
To
ol
s
7
6
Co
nt
ro
l
8
7
en
t
9
8
y
10
9
en
t
Figure 10: Lyquidity scores
10
Di
ito
pl
Co
m
Di
Se
ia
y
sc
ov
er
rit
To
o
r’s
cu
l
Ri
Ri
sk
Au
d
ito
es
As
s
Co
nt
ro
sm
nc
e
ia
pl
Co
m
sc
ov
er
Di
Figure 9: Compassoft scores
y
l
0
Co
nt
ro
1
0
Au
d
2
1
sm
3
2
es
4
3
nc
e
5
4
As
s
6
5
y
7
6
ls
8
7
en
t
9
8
y
10
9
en
t
Figure 8: ClusterSeven scores
10
Di
sc
ov
er
Se
nc
e
y
pl
ia
Se
Au
d
Ri
sk
Co
m
Di
sc
ov
er
r it
To
o
cu
l
r’s
ito
es
Co
nt
ro
nc
e
As
s
sc
ov
er
Co
m
pl
ia
Di
Figure 7: CIMCON scores
l
0
’s T
oo
1
0
ito
r
2
1
Co
nt
ro
3
2
Au
d
4
3
sm
5
4
es
6
5
As
s
7
6
y
8
7
ls
9
8
sm
en
t
10
9
y
10
en
t
The following bar charts represent the score (out of 10) we have awarded the vendors based on the
criteria outlined on page 7
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Control & Compliance Tools
Conclusion
While we do not normally advocate the simple
addition of our technical scores in this case it is
not an unreasonable exercise though potential
buyers should apply their own weightings to
these figures according to their requirements.
That said, on a straightforward mathematical
basis, taken across the board, we regard
Prodiance as the technology leader in this
category, closely followed by CIMCON and
Compassoft. However, it is only a relatively
narrow lead that is held by Prodiance.
Making specific recommendations is difficult
because it will depend on requirements: you
may have more of a bias towards control or
security, for example, or the emphasis may be
more on compliance (including discovery, risk
assessment and auditor’s tools). Anyway, to be
specific:
Recommended for best overall
capability and best control:
Prodiance
Recommended for best security:
ROISoft
All three of these suppliers come from a
background (at least in part) of providing
compliance solutions within the pharmaceutical
sector and they have the broadest range of
capabilities. However, Prodiance differs from
the other two companies in that it was originally
a part of Scientific Software, which was
acquired by Agilent in 2005, which specialises
in that market. Prodiance was spun out of
that company to focus on compliance more
generally, and specifically for the enterprise
spreadsheet management market. As a result,
it has significantly fewer customers than either
CIMCON or Compassoft (which is the market
leader in terms of its customer base, with over
160 customers). Nevertheless, we consider
Prodiance to be a market leader along with
these vendors, because of the strength of
its technology which, at present at least, we
believe to be superior to those of its rivals.
Of the other vendors, we expect Mobius to
continue to leverage its large installed base
and the fact that it is a well-established public
company. However, it does not at present look
like a potential threat to the market leaders
though its ability to support archival within
a records management system is attractive.
Similarly, neither ClusterSeven nor ROISoft are
going to be general-purpose product leaders
any time soon (though for specialised purposes
they will have their adherents). On the other
hand, Lyquidity may make inroads at the SME
level thanks to its lower cost of ownership,
though its (current) lack of features means
that it is unlikely to be of interest to large
enterprises. Most interesting, however, is the
advent of SmartDB’s eXpresso with its Software
as a Service model (and its collaborative
features) for spreadsheet management, which
could prove very appealing to a wide range of
users. While it is early days for this product (at
the time of writing it has not yet been released),
if the company can replicate the success of
Salesforce.com then the incumbent vendors
had better look to their laurels.
Recommended for best discovery and
compliance:
Compassoft
Recommended for best compliance
only:
ClusterSeven
Recommended for best risk
assessment:
CIMCON
Recommended for SaaS and
collaboration:
SmartDB
As can be seen from these results the vendors
are very close together in a number of respects:
this is why you can slice and dice our results in
a variety of ways and get different winners. We
expect this position to clarify in due course but
both the advent of new vendors into the market
and the fact that all of the established suppliers
have features in their products that are not in
other products, suggests that this is a market
that is still maturing.
page 113
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Automation Tools
There are only two genuine products in
this category that we are aware of: Actuate
e.Spreadsheet and Qtier-Rapor. Both of these
provide a complete development environment
for creating spreadsheet applications.
The former company is a US-based public
company (with revenues last year of $128.6m)
and has offices around the world while the
latter is based in UK but has partners in the
United States, Europe and elsewhere. The big
difference between these two products is that
Actuate provides a spreadsheet development
automation tool while Qtier also provides
explicit control and compliance capabilities.
That said, some of these sorts of facilities
(version control, for example) directly result
from the automation/development process,
so Actuate provides these too. On the other
hand, bear in mind that these are only control
and compliance capabilities provided for
spreadsheets built within these environments.
Neither product has any ability to manage
pre-existing spreadsheets let alone the ability
to discover them. Nevertheless, there is clearly
a substantial market for this sort of solution:
Qtier (a relatively small and unknown company)
has managed to acquire some 50 customers in
a relatively short period of time.
In practice, we expect both of these companies
to do well. We are inclined to prefer Qtier’s
solution at this point in time but Actuate has a
large existing user base that it can leverage.
Table 3 gives an overview of the capabilities
provided by both vendors:
Actuate
Qtier
Cell-level version
control
Yes
Yes
Security
Yes
Yes
Template-based
Yes
Yes
Wizard-based
Yes
No
Formatting separate
from logic
Yes
Yes
Federated data access
Yes
Yes
Dynamic serving
Yes
Yes
Audit trail
Yes
Yes
Workflow
No
Yes
Printed authentication
No
Yes
Scheduling
No
Yes
Alert generation
No
No
Table 3: Comparison of Automation Tools
Given the emphasis we have placed on
visualisation in the previous two sections we do
not believe that we need to belabour that point
here.
Recommended automation solution:
Qtier-Rapor
Risk Integrated
Risk Integrated, as its name implies, is focused
on taking the risk out of spreadsheets. To this
end it treats spreadsheets as three separate
logical components: the data sources used to
populate the spreadsheets, spreadsheet logic
and output. Spreadsheets are populated either
via automation or the generation of web forms
so that users never enter data directly into a
spreadsheet. Equally, reports are generated by
the software and are presented to the user so
that the user never gets to see the spreadsheet
logic either. Risk Integrated is a UK-based
consulting company that primarily markets
its product to its clients. As its lower level of
functionality would indicate (it is around the
same price as Auditor’s tools), it is significantly
less expensive than full automation products.
page 114
Spreadsheet Management
Chapter 6 – Vendor and product comparisons: Conclusion
In an ideal world one might design a new
spreadsheet paradigm, based on appropriate
industry standards, where all facilities were
encapsulated into either query, reporting
or planning environments, and provided the
necessary security and auditing capabilities.
Unfortunately, we do not live in such an idyllic
setting: spreadsheets as they currently exist
will continue to be used in their millions
and any attempt to move users to another
environment is doomed to failure. The
challenge is therefore to provide as close to
this type of functionality as possible, while
at the same time offering comprehensive
management capability yet without removing
the obvious benefits to end users.
If we accept the arguments outlined in this
report for spreadsheet management (and
we believe these to be overwhelming) then
control, security and auditing must be imposed
externally, without impacting on the user’s
ability to use Excel (or whatever) as he or she
sees fit. As we have discussed, this can either
be done through the provision of auditing on its
own (where security is not considered an issue)
or by a combination of control and compliance.
There has been a growth in plug-in approaches
to spreadsheets. We regard these as
inadequate: on the one hand they offer auditing
and security but are not as rich in their
capabilities as complete control solutions, while
on the other hand they are limited to siloed
environments such as business intelligence
or planning and budgeting but do not span
the entire enterprise—which is precisely what
you don’t want. Moreover, these are bound
to installations within particular, vendorsupported versions of Microsoft Office and
therefore have limited deployment possibilities.
The emphasis for any product selection policy
should be to ensure cross-functional and
cross-application capability.
While it is impossible to remove entirely the
possibility of errors occurring in spreadsheets,
it is possible to greatly reduce their likelihood.
This can be accomplished in two ways: first, by
treating spreadsheets as enterprise resources
that need to be properly tested and checked
prior to deployment and, secondly, by using
tools that simplify the spreadsheet environment
both with respect to heterogeneous data
access and the use of automation (for example,
in generating spreadsheets from design
templates)—reduction in complexity paired with
design-driven automation should lead directly
to a reduction in error rates.
To conclude: while evolving, this is still an
emerging market and there are vendors
that are taking different approaches.
However, we would argue against plugins and clearly favour either or both of the
compliance only or control and compliance
approaches, where appropriate, with these
being supplemented by automation and/or
auditing tools. Which combination will best
suit your company’s requirements will depend
on your circumstances but what is certain is
that you should be considering spreadsheet
management as a matter of urgency.
More information
Bloor has set up a page on its website dedicated
to this report, where you can find further
information regarding this subject.
Please click here to access this page.
page 115
Bloor Research overview
About the author
Bloor Research has spent the last decade
developing what is recognised as Europe’s
leading independent IT research organisation.
With its core research activities underpinning
a range of services, from research and
consulting to events and publishing, Bloor
Research is committed to turning knowledge
into client value across all of its products
and engagements. Our objectives are:
Philip Howard
Research Director - Data
• Save clients’ time by providing comparison
and analysis that is clear and succinct.
• Update clients’ expertise, enabling
them to have a clear understanding
of IT issues and facts and validate
existing technology strategies.
• Bring an independent perspective,
minimising the inherent risks of product
selection and decision-making.
• Communicate our visionary
perspective of the future of IT.
Founded in 1989, Bloor Research is one of
the world’s leading IT research, analysis
and consultancy organisations—distributing
research and analysis to IT user and vendor
organisations throughout the world via
online subscriptions, tailored research
services and consultancy projects.
Philip started in the computer industry
way back in 1973 and has variously worked
as a systems analyst, programmer and
salesperson, as well as in marketing and
product management, for a variety of
companies including GEC Marconi, GPT,
Philips Data Systems, Raytheon and NCR.
After a quarter of a century of not being
his own boss Philip set up what is now
P3ST (Wordsmiths) Ltd in 1992 and his
first client was Bloor Research (then
ButlerBloor), with Philip working for the
company as an associate analyst. His
relationship with Bloor Research has
continued since that time and he is now
Research Director. His practice area
encompasses anything to do with data and
content and he has five further analysts
working with him in this area. While
maintaining an overview of the whole space
Philip himself specialises in databases,
data management, data integration, data
quality, data federation, master data
management, data governance and data
warehousing. He also has an interest in
event stream/complex event processing.
In addition to the numerous reports Philip
has written on behalf of Bloor Research,
Philip also contributes regularly to www.
IT-Director.com and www.IT-Analysis.
com and was previously the editor of
both “Application Development News”
and “Operating System News” on behalf
of Cambridge Market Intelligence (CMI).
He has also contributed to various
magazines and published a number of
reports published by companies such
as CMI and The Financial Times.
Away from work, Philip’s primary
leisure activities are canal boats,
skiing, playing Bridge (at which he is
a Life Master) and walking the dog.
Copyright & disclaimer
This document is subject to copyright. No
part of this publication may be reproduced
by any method whatsoever without the
prior consent of Bloor Research.
Due to the nature of this material, numerous
hardware and software products have been
mentioned by name. In the majority, if not
all, of the cases, these product names are
claimed as trademarks by the companies
that manufacture the products. It is not
Bloor Research’s intent to claim these
names or trademarks as our own.
Whilst every care has been taken in the
preparation of this document to ensure
that the information is correct, the
publishers cannot accept responsibility
for any errors or omissions.
Suite 4, Town Hall,
86 Watling Street East
TOWCESTER,
Northamptonshire,
NN12 6BS, United Kingdom
Tel: +44 (0)870 345 9911
Fax: +44 (0)870 345 9922
Web: www.bloor-research.com
email: info@bloor-research.com
Download