Shadow System - Overview

Overview

Shadow systems (a.k.a. shadow data systems, data shadow systems, shadow information technology, shadow accounting systems or, in short, shadow IT) consist of small-scale databases and/or spreadsheets developed for and used by end users, outside the direct control of an organization's IT department.

The design and development process for these systems tends to fall into one of two categories. In the first case, these systems are developed on an ad hoc basis rather than as part of a formal project and are not tested, documented or secured with the same rigor as more formally engineered reporting solutions. This makes them comparatively quick and cheap to develop, but unsuitable in most cases for long-term use. In the second case, the systems are developed by experienced software developers who are not part of the organization's information systems department. These systems may be off-the-shelf software products or custom solutions developed by contract programmers. FinLab and IT Works are examples of companies that produce off-the-shelf shadow systems. Depending on the expertise of the developers, these solutions may exceed the reliability of those created by the organization's information systems department.

The term can also refer to legitimate, managed replicas of operational databases that are isolated from the user base of the main system. These sub-systems can be used to track illegitimate changes to the primary data store made through 'back doors' exploited by expert but unauthorized users.
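The reconciliation idea behind such a managed replica can be sketched as follows. This is an added example, not code from any product named on this page. It assumes the replica receives only changes made through the sanctioned application path, and the `ledger` table, the function names and all sample rows are hypothetical.

```python
import sqlite3

SCHEMA = "CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT, amount INTEGER)"

def new_db():
    """Create an empty in-memory store with the (hypothetical) ledger table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def sanctioned_write(primary, shadow, row_id, account, amount):
    """Assumed approved write path: every change reaches both stores."""
    for db in (primary, shadow):
        db.execute("INSERT OR REPLACE INTO ledger VALUES (?, ?, ?)",
                   (row_id, account, amount))
        db.commit()

def snapshot(db):
    """Map primary key -> remaining column values."""
    return {r[0]: r[1:] for r in db.execute("SELECT id, account, amount FROM ledger")}

def find_drift(primary, shadow):
    """List primary-store changes that never passed through the approved path."""
    p, s = snapshot(primary), snapshot(shadow)
    findings = []
    for row_id in sorted(p.keys() | s.keys()):
        if row_id not in s:
            findings.append(("inserted", row_id, None, p[row_id]))
        elif row_id not in p:
            findings.append(("deleted", row_id, s[row_id], None))
        elif p[row_id] != s[row_id]:
            findings.append(("modified", row_id, s[row_id], p[row_id]))
    return findings

def demo():
    primary, shadow = new_db(), new_db()
    # Constructed sample rows written through the approved path.
    sanctioned_write(primary, shadow, 1, "payroll", 5000)
    sanctioned_write(primary, shadow, 2, "travel", 1200)
    sanctioned_write(primary, shadow, 3, "supplies", 300)
    # Constructed out-of-band changes applied to the primary only.
    primary.execute("UPDATE ledger SET amount = 9000 WHERE id = 1")
    primary.execute("DELETE FROM ledger WHERE id = 3")
    primary.execute("INSERT INTO ledger VALUES (4, 'consulting', 7500)")
    primary.commit()
    return find_drift(primary, shadow)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding carries the replica's value and the primary's value side by side, so a reviewer can see what the record held before the unapproved change.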

As stated in the PricewaterhouseCoopers report on spreadsheet risk management, "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act":

"Many companies rely on spreadsheets as a key component in their financial reporting and operational processes. However, it is clear that the flexibility of spreadsheets has sometimes come at a cost. It is important that management identify where control breakdowns could lead to potential material misstatements and that controls for significant spreadsheets be documented, evaluated and tested. And, perhaps more importantly, management should evaluate whether it is possible to implement adequate controls over significant spreadsheets to sufficiently mitigate this risk, or if spreadsheets related to significant accounts or with higher complexity should be migrated to an application system with a more formalized information technology control environment."
