January 29th, 2008

On SocGen and spreadsheets: the similarities

Posted by Dennis Howlett @ 6:30 am

Categories: Enterprise applications

Tags: Spreadsheet, SocGen, It, Dennis Howlett

Larry Dignan talks about Societe Generale (SocGen) as if it is a rogue edge case. It’s not. In the early 2000’s was involved in framing discussions around implementing an international accounting standard covering derivatives and other exotic financial instruments. I consulted with TIBCOs former CMO, Fred Meyer as the company was heavily invested in the financial services market. I wanted to understand the structure of these complex trades and Fred knew how to explain these trades to a layman like me. TIBCO sold the integration software to SocGen which was designed to extract costs from running the many systems that traders use so the company had plenty of experience about how these trades come together.

Fred said - and I paraphrase - derivatives are no more than bets. It’s almost impossible to calculate their worth at any point in time during the period they are ‘live.’ You rarely have much of a clue about the values of the supporting hedges and often you’re juggling multiple derivative trades as complex bundles. In short, derivative trading is like being in a highly sophisticated casino. Only on this occasion, the house lost.

Larry quotes Richard Steinnon. The key sentence:

In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular are trustworthy. But trust is not a good policy.

This same speculation is repeated in a TimesOnline article where it is claimed Jerome Kerviel was earning a relatively paltry (by bank standards) €100,000 ($145,000) per annum. In France that’s in the top few per cent of earners but a fraction of what successful traders can make. The ’system’ works because as in any casino, winners score big. It has nothing to do with trust but a direct appeal to greed.

The Times article goes on to suggest that there is more to this than meets the eye. If the allegations are right, then Kerviel was executing what forensically is a simple and common fraud accountants term ‘teeming and laldling.’ Borrowing from Peter to pay Paul. The fact Kerviel managed to hoodwink superiors indicates both failed process and a lack of basic audit understanding. Given the background to this spectacular case, you have to wonder where this spreads. In my opinion, it isn’t just a matter of security but a fundamental lack of understanding around risk by everyone involved including both internal and external auditors.

Which brings me onto a recent story about a rogue spreadsheet at Tucson Unified School District which ended up with 300 employees being overpaid $140,000. Spreadsheets are the staple of finance departments to the point where the major application vendors have given up trying to fight them off. It is the ultimate user adopted program. Yet each year, tales emerge of significant errors arising because spreadsheets have not been authenticated, documented or tested. Why this continues to happen astonishes me and has been the subject of an annual rant I’ve penned for my UK accounting friends since 1999.

Ray Panko of the University of Hawaii has been conducting a variety of studies carried tracking different types of spreadsheet error. KPMG regularly publishes statistics on the same subject. At last year’s Eusprig Conference, it was said that:

Dean Buckner of the UK Financial Services Authority gave the Regulator’s View on the progress in the control of End User Computing (EUC) in the financial markets. His themes were echoed by many subsequent speakers

1. Change of mindset. He referred to the acceptance that spreadsheets are not going to be replaced by bigger systems, but rather that they are here to stay.

2. User training. This is still shockingly neglected; he still finds dumb solutions that could be replaced by cleaner methods.

3. There is no accepted base of ‘good practice’.

4. Because of (3) there is therefore no accreditation of spreadsheet skills.

5. He sees increasing mention of spreadsheet controls in audit reports.

6. Data standards – including data quality in Access databases, created to get over the 65535 row limit in Excel prior to the 2007 version.

7. Software support – more tools and technologies are becoming available to manage spreadsheets.

Despite all the facts and stories, businesses of all sizes regularly make financial decisions based on spreadsheets.

The parallels between SocGen and the spreadsheet problem may appear tangential but taken together they represent an appalling view of risk management at all levels. Just as we’ve not heard the last of the SocGen debacle, we will continue to hear horror stories about spreadsheet errors.