A risk and control-oriented study of the practices of spreadsheet application developers

Abstract

Australian spreadsheet application developers and their development practices in the field were surveyed. The developer population was mainly of graduate level but otherwise varied. Their development practices exhibited a high level of risk with a very low level of managerial, IT department or auditor control. Few of the developers surveyed were aware of a spreadsheet control policy within their organisation and even less had a documented copy available to them. The applications in the study were of significant status and most were developed in relatively uncontrolled environments. Most applications were large and of moderate or high importance. The majority involved corporate rather than purely private data and the output of nearly one third was distributed beyond the organisation where it was developed. The developers usage of design, formula, input, output, review testing, documentation and security controls is reported together with developer opinions as to each control's appropriateness for their particular application. The significance to the management of end-user computing of tolerating a high level of risk is discussed and the need for an end-user spreadsheet control model is established. Suitable metrics to measure spreadsheet complexity, importance and developer expertise are required.