|Title||A risk and control-oriented study of the practices of spreadsheet application developers|
|Publication||29th Annual Hawaii International Conference on System Sciences|
|Series||January, pages 364-373|
Australian spreadsheet application developers and their development practices in the field were surveyed. The developer population was mainly of graduate level but otherwise varied. Their development practices exhibited a high level of risk with a very low level of managerial, I.T. department or auditor control. Few of the developers surveyed were aware of a spreadsheet control policy within their organisation and even fewer had a documented copy available to them.
The applications in the study were of significant status and most were developed in relatively uncontrolled environments. Most applications were large and of moderate or high importance. The majority involved corporate rather than purely private data and the output of nearly one third was distributed beyond the organisation where it was developed.
The developers' usage of design, formula, input, output, review, testing, documentation and security controls is reported together with developer opinions as to each control's appropriateness for their particular application. The significance to the management of end-user computing of tolerating a high level of risk is discussed and the need for an end-user spreadsheet control model is established. Suitable metrics to measure spreadsheet complexity, importance and developer expertise are required.
Developers implemented controls more readily on formulae. Most respondents built their formulae by pointing to cells rather than typing in cell addresses. Parameterised constants and range names were commonly used.
These spreadsheets still exhibited a high level of risk, as fewer than half implemented cell protection on formulae and cross-footing of totals or avoided including formulae in input areas.