Spreadsheet Woes – Burden in SOX Compliance and Other Regulations

End User Computing (EUC) or end User Developed Application (UDA) systems like spreadsheets used to be ideal ad-hoc solutions for data processing and financial reporting. But those days are long gone.

Today, due to regulations like the:

Sarbanes-Oxley (SOX) Act,
Dodd-Frank Act,
IFRS (International Financial Reporting Standards),
E.U. Data Protection Directive,
Basel II,
NAIC Model Audit Rules,
FAS 157,
yes, there?s more ? and counting

a company can be bogged down when it tries to comply with such regulations while maintaining spreadsheet-reliant financial and information systems.

In an age where regulatory compliance have become part of the norm, companies need to enforce more stringent control measures like version control, access control, testing, reconciliation, and many others, in order to pass audits and to ensure that their spreadsheets are giving them only accurate and reliable information.

Now, the problem is, these control measures aren’t exactly tailor-made for a spreadsheet environment. While yes, it is possible to set up a spreadsheet and EUC control environment that utilises best practices, this is a potentially expensive, laborious, and time-consuming exercise, and even then, the system will still not be as foolproof or efficient as the regulations call for.

Testing and reconciliation alone can cost a significant amount of time and money to be effective:

It requires multiple testers who need to test spreadsheets down to the cell level.
Testers will have to deal with terribly disorganized and complicated spreadsheet systems that typically involve single cells being fed information by other cells in other sheets, which in turn may be found in other workbooks, or in another folder.
Each month, an organisation may have new spreadsheets with new links, new macros, new formulas, new locations, and hence new objects to test.
Spreadsheets rarely come with any kind of supporting documentation and version control, further hampering the verification process.
Because Windows won’t allow you to open two Excel files with the same name simultaneously and because a succession of monthly-revised spreadsheets separated by mere folders but still bearing the same name is common in spreadsheet systems, it would be difficult to compare one spreadsheet with any of its older versions.

But testing and reconciliation are just two of the many activities that make regulatory compliance terribly tedious for a spreadsheet-reliant organisation. Therefore, the sheer intricacy of spreadsheet systems make examining and maintaining them next to impossible.

On the other hand, you can’t afford not to take these regulations seriously. Non-compliance with regulatory mandates can have dire consequences, not the least of which is the loss of investor confidence. And when investors start to doubt the management’s capability, customers will start to walk away too. Now that is a loss your competitors will only be too happy to gain.

Learn more about our server application solutions and discover a better way to comply with regulations.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK

Check our similar posts

9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

simplify those answers;
help you pick the right cloud service provider, and
even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK

Why DevOps Matters: Things You Need to Know

DevOps creates an agile relationship between system development and operating departments, so the two collaborate in providing results that are technically effective, and work well for customers and users. This is an improvement over the traditional model where development delivers a complete design ? and then spends weeks and even months afterwards, fixing client side problems that should never have occurred.
Writing for Tech Radar Nigel Wilson explains why it is important to roll out innovation quickly to leverage advantage. This implies the need for a flexible organisation capable of thinking on its feet and forming matrix-based project teams to ensure that development is reliable and cost effective.
Skirmishes in Boardrooms
This cooperative approach runs counter to traditional silo thinking, where Operations does not understand Development, while Development treats the former as problem children. This is a natural outcome of team-centred psychology. It is also the reason why different functions pull up drawbridges at the entrance to their silos. This situation needs managing before it corrodes organization effectiveness. DevOps aims to cut through this spider web of conflict and produce faster results.

The Seeds of Collaboration

Social and personal relationships work best when the strengths of each party compensate the deficiencies of the other. In the case of development and operations, development lacks full understanding of the daily practicalities operating staff face. Conversely, operations lacks ? and should lack knowledge of the nuances of digital automation, for the very reason it is not their business.
DevOps straddles the gap between these silos by building bridges towards a co-operative way of thinking, in which matrix-teams work together to define a problem, translate it into needs and spec the system to resolve these. It is more a culture than a method. Behavioural change naturally leads to contiguous delivery and ongoing deployment. Needless to say only the very best need apply for the roles of client representative, functional tester and developer lead.

Is DevOps Worth the Pain of Change?

Breaking down silos encroaches on individual managers? turf. We should only automate to improve quality and save money. These savings often distil into organisational change. The matrix team may find itself in the middle of a catfight. Despite the pain associated with change resistance, DevOps more than pays its way in terms of benefits gained. We close by considering what these advantages are.

An Agile Matrix Structure ? Technical innovation is happening at a blistering rate. The IT industry can no longer afford to churn out inferior designs that take longer to fix than to create. We cannot afford to allow office politics to stand in the way of progress. Silos and team builds are custodians of routine and that does not sit well with development.

An Integrated Organization ? DevOps not only delivers operational systems faster through contiguous testing. It also creates an environment whereby cross-border teams work together towards achieving a shared objective. When development understands the challenges that operations faces ? and operations understands the technical limiters – a new perspective emerges of ?we are in this together?.

The Final Word ? With understanding of human dynamics pocketed, a DevOps project may be easier to commission than you first think. The traditional way of doing development – and the waterfall delivery at the end is akin to a two-phase production line, in which liaison is the weakest link and loss of quality inevitable.

DevOps avoids this risk by having parties work side-by-side. We need them both to produce the desired results. This is least until robotics takes over and there is no longer a human element in play.

Top 10 Disadvantages of Spreadsheets

Fraudulent manipulations in company Excel files have already resulted in Billion-Dollar losses. The main underlying reason behind this spreadsheet vulnerability is the inherent lack of controls, which makes it so easy to alter either formulas, values, or dependencies without being detected.

Disadvantages of Spreadsheets

Comprehensive information and data your organisation needs, to circumvent the threats posed by spreadsheets.

Buy Now

1. Vulnerable to Fraud

Of all the spreadsheet disadvantages listed here, this is perhaps the most damaging. Fraudulent manipulations in company Excel files have already resulted in Billion-Dollar losses. The main underlying reason behind this spreadsheet vulnerability is the inherent lack of controls, which makes it so easy to alter either formulas, values, or dependencies without being detected.

2. Susceptible to trivial human errors

While fraud will always be a threat to spreadsheet systems, there is a more significant threat that should make you seriously consider getting rid of these outdated systems. And that is its extreme susceptibility to even trivial human errors. Missed negative signs and misaligned rows may sound harmless.

But when they damage investor confidence or cause a considerable loss of opportunity amounting to millions of dollars (Are we serious? Google up ?spreadsheet horror stories? to find out), you should understand that it?s time to move on to better alternatives.

3. Difficult to troubleshoot or test

So how about testing spreadsheets to mitigate the risks of items 1 and 2? Good luck. Spreadsheets just aren?t built for that. It?s not uncommon to have interrelated spreadsheet data scattered across different folders, workstations, offices, or even geographical locations.

Worse, even if you are able pinpoint the locations of every related file, tracing the logic of formulas from one related cell to another can take ages. It?s pretty obvious now how you?ll also encounter a similar problem when troubleshooting questionable data.

4. Obstructive to regulatory compliance

Combine items 1, 2, and 3, and what do you get? A big headache impacting regulatory compliance. There are number of regulations that have a serious impact on the use of spreadsheets.

Some of the many regulations that impact spreadsheet systems include:

Sarbanes-Oxley (SOX)
Dodd-Frank
Basel II
EU Data Protection
FAS 157

And to think it looks like regulatory bodies are just getting warmed up. Over the last two decades, we’ve seen a surge in regulations that directly affect spreadsheet-based systems. Now, you tell me that you haven?t wished there was a better way to beat regulatory compliance deadlines. Well, if you?re still using spreadsheets, then there certainly is a better way.

5. Unfit for agile business practices

We’re now in an age when major changes are shaping and reshaping the business landscape. Mergers and Acquisitions, Management Buyouts, earthquakes, tsunamis, hurricanes, uprisings, climate change, new technologies, and so on. If your business is not agile enough to adapt to such changes, it could easily be left behind or even face extinction.

Spreadsheets are normally created by individuals who have not the slightest know-how regarding software documentation. In the end, spreadsheet files become highly personalised user developed applications. So when it?s time for a new person to take over as part of a large scale business change, the newcomer may have to start from scratch.

Read further about Implementing Large-Scale Business Change

6. Not designed for collaborative work

Planning, forecasting, budgeting, and reporting are all collaborative activities. In other words, plans, forecasts, budgets, and reports typically require information from different individuals belonging to different departments. In addition, the final documents are a result of multiple exchanges of data, ideas, and files.

Now, if your company?s offices are scattered throughout the country or if certain team members are separated by large distances, the only way to exchange data stored in spreadsheets is through email.

Experience will tell you that such a method of exchange is susceptible to duplicate and even erroneous data. Team members will tend to find it hard to keep track of similar files going back and forth, and sometimes even end up sending the wrong version.

7. Hard to consolidate

When it comes to simple data entry and quick ad hoc data analysis tasks, spreadsheets are highly favoured by end users. This has made them one of the most ubiquitous office tools on the planet. But as a consequence, data in spreadsheet-based systems are distributed throughout the organisation.

So when it’s time to generate reports, you’ll really have to go through a slow consolidation process. In most cases, end users would have to collect data from different files, summarise them, and submit the same to their department heads through emails, portable storage media (e.g. CDs or USB flash-drives), or by copying to a commonly shared network folder.

Department heads would have to undergo a similar process before submitting them to their own superiors. This has to go on until all the information reaches their organisation’s top decision makers. Throughout the entire consolidation process, data is subjected to numerous error-prone activities such as copy-pasting, cell entry, and range specification.

8. Incapable of supporting quick decision making

In a spreadsheet-based environment, extracting data from different departments, consolidating them, and summarising the information so that it could aid the company’s top brass in making sound decisions can be very time consuming.

And because we know how susceptible spreadsheets are to errors, everyone involved in the information processing has to be ultra careful to keep the integrity of the data intact. Hence it would be prudent to enforce double-checking as much as possible.

This extra but necessary exercise can further delay the process. So, when the final information arrives at the hands of the top executive, he may not have much time to work with. (Read about Business Intelligence)

9. Unsuited for business continuity

As mentioned earlier, data in spreadsheet systems are never kept in a single place. In fact, it’s the exact opposite. The worse thing about it is that they’re always in the hands of non-IT personnel, who are understandably not familiar with storage and backup best practices.

Thus, if a major disaster strikes, full data recovery can be very difficult if not impossible. As a consequence, even if the company has financial reserves, the absence of data (e.g. accounts receivable records, customer records, and inventory) to work on can prevent the company from making a quick restart.

10. Scales poorly

As an organisation grows, data in spreadsheet-based systems get more distributed; subsequently compounding the issues outlined above. It is absolutely not advisable for a large organisation to keep using spreadsheets.

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK

Spreadsheet Woes – Burden in SOX Compliance and Other Regulations