The Agency Insider with Linda McGlasson

Spreadsheets Still Subject to Fraud Target

Spreadsheets Still Subject to Fraud Target

Excel and fraud -- these two words have only recently received the serious attention they deserve.

I wrote about this type of fraud last year. Whether creating or updating reports for senior management, or keeping track of equipment inventories - or the hundreds of other uses for spreadsheets - financial institutions depend on these workhorses to retain and create repositories of valuable data.

Without even considering the external threats that flaws in Microsoft Excel spreadsheets pose, the concern that many institutions may overlook is the potential for fraud perpetrated by employees.

The Institute of Internal Auditors recently filled a hole in their practice recommendations related to technology risks created by users via databases and spreadsheets. This is a move whose time has come, and Ralph Baxter, an executive at ClusterSeven, showed it to me. With the sheer number of user-developed applications, especially financial applications using Excel, the need for properly auditing these spreadsheets is now.

Having the auditors' body finally acknowledge not only the value of spreadsheets in the workplace, but the potential damage they can do without proper monitoring, is like turning on the refrigerator light by slightly opening the fridge door. Hasn't that light always been on anyway, or just when you open the door? Wasn't the IIA recommending this anyway, or only when a problem was found by accident? To understand more about this topic, check out the latest release of the Global Technology Audit Guide (GTAG).

Since I wrote about three types of spreadsheet fraud last year, there have been some evolutions, and here's how Ralph Baxter explains them:

  • Presentation Fraud: Here the spreadsheet is set to display and print different numbers to those calculated. Common examples are hidden rows or columns, or setting the font color to be the same as background. Less well known is conditional formatting. This can change or hide data depending on its value.
  • Data Fraud: Here input data for an otherwise correct spreadsheet are replaced by false values. For example, spreadsheet links may be redirected to alternative data sources, changing the spreadsheet results.
  • Incremental Fraud: This is seen in communities where bonuses are calculated on the value of a changing portfolio of many items (e.g., trading). Over multiple days, the fraudster sequentially adds a small amount to a cell buried in the detail of the spreadsheet. The incremental approach avoids sudden output changes that might generate suspicion. Over time, the adjustments contribute a material difference, triggering the payment of the performance bonus. Thereafter, the increments are then removed on a similarly gradual basis. By the end of the process, all evidence of the manipulation has been removed but the trader has retained their bonus.
  • Burial Fraud: Here a fraudulent change is made to a key transaction in a list, and the user then sorts the list using standard spreadsheet functionality. With thousands (or more) transactions, such a change is virtually impossible to locate manually.
  • Function Fraud: This makes use of the extensible nature of advanced spreadsheets such as Excel to create new functionality beyond standard cell-based formulas. It includes the fraudulent manipulation of macros or UDF (user defined functions) that are difficult for an average user to understand.
If there are other types of spreadsheet fraud you've seen, please share your experiences.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.