
Were spreadsheets a vehicle for the Societe Generale fraud?

5th Feb 2008

A theory is circulating in IT security and compliance circles that inadequate, spreadsheet-based internal controls may have played a part in allowing Societe Generale's rogue trader Jerome Kerviel to build up positions that eventually resulted in a 7 billion euro loss for the bank. John Stokdyk reports.

According to reports based on his interview transcripts with French police, Kerviel knew colleagues' ID and password codes and used them to create fictitious trading accounts and send email orders to build up his positions in the derivatives market. Although a low-ranking trader, Kerviel had worked in the bank's back and middle offices for five years, where he learned how the risk management software worked.

Some commentators have speculated that in addition to disguising his trades through a fictitious company and colleagues' accounts, he had been able to circumvent internal warning systems by opening and manipulating the Excel spreadsheet reports used by managers to monitor traders' activities.

Over at the Register, banking headhunter Dominic Conner drew on his Parisian contacts to produce a thoughtful analysis that suggested password security in the sector is not as rigorous as the rest of us might expect, leading to a Kerviel-like scenario he described as "permission creep".

He explained: "A common bad technique is to embed usernames and passwords into applications, especially Excel report sheets. These tend to be powerful administrator or developer accounts, granting unlimited access with little or no auditing."
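The anti-pattern Conner describes, credentials embedded in Excel report sheets, can be audited for by exporting a workbook's VBA modules as text and scanning them. The following Python check is an added example, not code from the article or from anyone quoted in it; the regex patterns, the list of privileged account names and the sample module are assumptions constructed for illustration.

```python
import re

# Key=value pairs as they appear inside ADO/ODBC connection strings.
CONN_KV = re.compile(r'(?i)\b(password|pwd|user id|uid)\s*=\s*([^;\s]+)')
# A string literal assigned to a variable whose name looks like a password.
VBA_ASSIGN = re.compile(r'(?i)\b\w*(?:passw(?:or)?d|pwd)\w*\s*=\s*"([^"]+)"')
STRING_LITERAL = re.compile(r'"([^"]*)"')
# Assumed names of high-privilege accounts; adjust to local conventions.
PRIVILEGED = {"sa", "admin", "administrator", "sysdba", "root"}

def logical_lines(source):
    """Yield (first_line_no, text), joining VBA ' _' line continuations."""
    buf, start = "", None
    for n, raw in enumerate(source.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith(" _"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None

def scan_vba(source):
    """Return findings for credentials embedded in exported VBA source."""
    findings = []
    for n, text in logical_lines(source):
        # Concatenated literals ("..." & "...") form one connection string.
        literals = "".join(STRING_LITERAL.findall(text))
        kv = [(k.lower(), v) for k, v in CONN_KV.findall(literals)]
        accounts = [v for k, v in kv if k in ("user id", "uid")]
        secrets = [v for k, v in kv if k in ("password", "pwd")]
        secrets += VBA_ASSIGN.findall(text)
        if secrets:
            account = accounts[0] if accounts else None
            findings.append({
                "line": n,
                "account": account,
                "privileged": (account or "").lower() in PRIVILEGED,
                "secret_chars": len(secrets[0]),  # never echo the secret
            })
    return findings

# Constructed sample module, not taken from any real workbook.
SAMPLE = '''Sub RefreshRiskReport()
    Set cn = CreateObject("ADODB.Connection")
    cn.Open "Provider=SQLOLEDB;Data Source=riskdb;" & _
            "User ID=sa;Password=Example#1;"
    strReportPwd = "Example#2"
    pwd = InputBox("Password for this session")
    cn2.Open "Provider=SQLOLEDB;Data Source=riskdb;Integrated Security=SSPI;"
End Sub
'''
```

On the sample, the scan flags the hard-coded `sa` connection string and the literal assigned to `strReportPwd`, and leaves the prompted password and the integrated-security connection alone.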

A copy of Kerviel's CV doing the rounds on the internet indicates that he was not a super-boffin, but did know VBA, which would have been useful for doctoring spreadsheets to make them look as though trades were done by someone else.

"His VBA skills would have helped him a lot to keep the illusion alive," suggests Conner. "Knowing Excel, he would have been asked to sort out his colleagues' spreadsheets, and left sitting at their PCs able to execute any number of misdeeds while his colleague went off for lunch."

In an article published just before the Societe Generale scandal broke, Conner laid into the way quantitative models were used for financial analysis in banking: "so the basis for working out prices of derivatives is based upon the diffusion of heat through a metal bar". Excel is a very common tool for building such models, he explained, but the built-in functions are "garbage" and financial VBA is rarely done well - leading to just the kind of systematic vulnerabilities that Kerviel's fraud exposed.

Several other commentators jumped on the bandwagon. Dennis Howlett used the Societe Generale scandal to air his now-traditional spreadsheet rant on ZDNet. Compassoft CEO Paul Bach, meanwhile, saw it as an opportunity to promote his company's compliance tools.

"Spreadsheets are being used for business critical transactions every day," said Bach. "However, it is all too common to see a lack of even basic controls on these spreadsheets, let alone the type of controls that could be used to detect serious fraud or errors. If losses such as those suffered by Societe Generale are to be avoided in the future then it is imperative that companies monitor spreadsheet use on a broad scale, particularly in banking and finance organisations."


Replies (3)

By AnonymousUser
05th Feb 2008 15:45

SocGen report of Jan 24
Naturally, I'll be covering that angle in my newsletter too, but the official report is available online (PDF format)

"Financial instruments in portfolio A were in appearance offset by the fictitious operations housed in Portfolio B, which meant that the only visible risk was very low residual risk"

A timeline is given from Jan 18 to 23.

Dennis Howlett
By dahowlett
05th Feb 2008 13:39

interesting
Thanks for the props John. I'd not seen the Register piece when I penned my crack at spreadsheets as part of the article at ZDN so serendipitous perhaps. Conner is being facetious when he talks about the models used by analysts. Yes they use spreadsheets to create the models but they're somewhat more sophisticated than he is giving credit for.

The spreadsheet angle is an interesting theory but my reading of the runes on this one is that SocGen had process control problems that were known but not acted upon. There were other warning signals flagging up transactions Kerviel was executing as I'd expect but again, not acted upon. They referred to Kerviel 'hacking' but that seems a stretch given other facts that are known.

As I've said elsewhere, there's a long way to go on this story before the final curtain comes down.

By listerramjet
05th Feb 2008 13:05

this sounds like
pure speculation. But even if it is near the mark it describes mismanagement on a grand scale. Where were the compensating controls?
