Surveys About Corporate Control Policies

The following studies surveyed spreadsheet developers to learn about their organization's control policies. This table is adapted from Panko and Halverson, "Spreadsheets on Trial," 1996.

Study Method/Sample Selected Findings
Cale 1994 52 IS & non-IS managers in 25 firms Less than 1/10 of companies had written policies on testing SSs; about ¼ had unwritten polices; about 6/10 had no policies. Documentation standards similar. About 70% strongly agreed that lack of testing standards produced serious problems. None disagreed. Reluctant to impose standards if developed by person for own use. More likely as used by others, if updates database, or as size grows. 90% would require testing for development lasting one week; 100% if one month.


Cragg & King [1993] FTF interviews with 17, questionnaire survey of 14, N=31.


1/10 said firm had formal policies. 9/10 said no one in firm responsible for SS development.
Floyd; Walls, & Marr [1995] 72 end users in 4 corporations 1/7 had development policies, 2/5 implementation policies; 2/3 development policies. 1/3 required approvals only for important models. Almost all: any policy existing initiated by workgroup. All functions had some policies; modification policies most common. None reported comprehensive standards for all models. None knew of disasters in their firms. Clan-based control policy: socialization.


Galletta & Hufnagel [1992] 107 MIS executives in mail survey End user computing, not just spreadsheeting. Restrictions on application development? 23% rule, 58% guideline, 28% donít address; compliance level if address: 27% full compliance, 58% partial compliance; 15% ignore. Post-development audit requirement? 15% rule, 34% guideline, 52% donít address; compliance level if address: 10% full compliance, 49% partial compliance; 41% ignore.


Hall [1996]   Only 11% new of a comprehensive corporate policy; only 1/3 of these could be located it in written form. 


Hendry & Green [1994] Ethnographic interviews with 11 SS developers Modeled after Nardi & Miller [1991] but added a part in which the interviewer went over a specific SS with the developer. Generally repeated Nardi & Miller, but noted pattern of difficulty in comprehending parts of SSs. Describing efforts to build error-free models by taking specific actions. Later, Hendry [1994] noted that only three were "highly numerate" in carefully building models; Green [1994] said that comprehensive code inspection during a testing phase was not part of the "spreadsheet culture."


Nardi & Miller [1991] Ethnographic interviews with 11 SS developers Extensive joint development mixed programming & domain expertise; sometimes other built difficult parts; other times other checked for reasonableness, gave guidance. Considerable evidence of taking care in development; conscious of errors; spend considerable time debugging. Reasonableness, cross-footings, spot-checking of values, examining formulas. Gave one example of comprehensive code inspectionóthe subject was taking over a SS developed by another.


Speier & Brown [1996] Study of 3 departments Study of overall EUC, not just SS. Interviewed managers of 3 departments in a firm: financial operations, marketing and sales. Questionnaire interviews of 22 end users. Company has few corporate rules beyond backup, which is not enforced. Managers differed in concerns. End users differed by department in awareness of norms and perceptions of benefits. Mostly unwritten norms. Underscores importance of department perspective.



Copyright 1997 Raymond Panko.