21 Feb Compliance Regulations and Spreadsheets
As Microsoft indicated in their guidance paper “Strategies for Addressing Spreadsheet Compliance Challenges”, spreadsheets are an enterprise software resource, and so are as much under regulation as mainline data processing systems.
However, because most people see spreadsheets as a tactical, custom tool, end-users and organisations often do not recognise the need for routine checks and controls to the same extent or level of maturity as for other ‘formal’ enterprise systems.
Indeed the purpose of many spreadsheets, however ‘fearsomely’ complex they are, is precisely to avoid rigid IT controls. And while IT can support spreadsheets by deploying assistive technology for technical things like change tracking, the first line of control is necessarily human, and the discipline and scrutiny of ‘peer review’ become crucial in particular.
Often compliance may not be wholly considered within the domain of the IT department, and business self-service tools like spreadsheets may seem to fall more comfortably under the auspices of business management.
There are indeed ‘compliance challenges’ with spreadsheets. We find that the first steps in a spreadsheet control project are often to determine what critical business processes are supported by spreadsheets, and then to ensure the necessary business controls are in place.
A bottom-up approach of creating an inventory of spreadsheets will produce a huge list of potentially millions of files. Making everybody aware that spreadsheets are central to what we do is really important, and the spreadsheet inventory often helps bring this message home.
Some tools can produce a simple static analysis showing the size and complexity of each spreadsheet, but such a list is really best used as a check on the first process of identifying critical spreadsheets, since users so often overlook their spreadsheets as important parts of the business process.
Awareness of the sheer scale of reliance is an important first step. Developing awareness and establishing in-house measures to bring home the message about how to work safely and responsibly with spreadsheets is also important.
The Spreadsheet Safe syllabus is concerned with the nuts and bolts of using spreadsheets and the technical controls such as cross-check totals and other validation features. There are also important learning points related to versioning, documentation, data security, peer review, auditing and reconciliation.
Added to this, a good knowledge and awareness of the applicable regulatory and compliance coverage will help ensure that each end-user is aware of their responsibility for custodianship of their data and their own calculation workflow.