Top 10 Compliance Spreadsheet Risks and How to Avoid Them - PART 2
6: Evaluate Granular Controls
According to Forrester, however, such content management approaches are giving way to more granular controls which audit spreadsheets at the cell level, can lock the underlying logic, and even roll back specific cell changes. "Many vendors are starting to move toward a fine-grained control approach, where everything that is done in a spreadsheet (data, formulas, and macros) at the cell level can be managed by centralized policies," he says. With the new approach, "the focus is on adhering to policies rather than relying on repository management and library services to limit access, track versions, and provide check-in/checkout." Such approaches can help transform spreadsheets into more full-featured and compliance-friendly enterprise applications.
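The cell-level controls described above, as an added example that is not from the article or any vendor it cites: a small Python script that diffs two snapshots of a sheet cell by cell, flags changes to locked cells and any overwrite of a formula with a hard-coded literal, writes an audit line per change, and rolls back only the offending cells rather than the whole file. The snapshot format (a dict of A1-style references to raw cell content, with formulas prefixed by "=") and the sample figures are constructed for this example; a real deployment would load the snapshots from the workbook's version history.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Set

# A snapshot maps a cell reference (e.g. "A3") to its raw content.
# Formulas are stored as strings beginning with "=" (constructed convention).
Snapshot = Dict[str, Any]


def is_formula(content: Any) -> bool:
    return isinstance(content, str) and content.startswith("=")


@dataclass(frozen=True)
class CellChange:
    ref: str
    old: Any          # None when the cell did not exist in the baseline
    new: Any          # None when the cell was deleted in the current version
    violation: str    # "" when the change is permitted, else the reason


def check_policy(ref: str, old: Any, new: Any, locked: Set[str]) -> str:
    """Return why a change violates policy, or "" if it is allowed."""
    if ref in locked:
        return "locked cell modified"
    # Pasting a number over a formula silently disconnects the logic;
    # flag it even outside the locked set.
    if is_formula(old) and not is_formula(new):
        return "formula overwritten with a literal"
    return ""


def audit_changes(baseline: Snapshot, current: Snapshot, locked: Set[str]) -> List[CellChange]:
    """Diff two snapshots cell by cell and apply the policy to every change."""
    changes: List[CellChange] = []
    for ref in sorted(set(baseline) | set(current)):
        old, new = baseline.get(ref), current.get(ref)
        if old == new:
            continue
        changes.append(CellChange(ref, old, new, check_policy(ref, old, new, locked)))
    return changes


def rollback_violations(baseline: Snapshot, current: Snapshot,
                        changes: List[CellChange]) -> Snapshot:
    """Return a copy of current with only the violating cells restored from baseline."""
    repaired = dict(current)
    for c in changes:
        if not c.violation:
            continue                       # permitted edits are kept
        if c.old is None:
            repaired.pop(c.ref, None)      # cell did not exist before: remove it
        else:
            repaired[c.ref] = c.old        # restore the baseline content
    return repaired


def audit_log(changes: List[CellChange]) -> List[str]:
    """One human-readable audit line per detected change."""
    lines = []
    for c in changes:
        status = f"VIOLATION ({c.violation})" if c.violation else "ok"
        lines.append(f"{c.ref}: {c.old!r} -> {c.new!r} [{status}]")
    return lines


# Constructed sample: A3 is a locked total that someone replaced with a typed number.
BASELINE: Snapshot = {"A1": 100, "A2": 250, "A3": "=SUM(A1:A2)", "B1": "=A3*0.2"}
CURRENT: Snapshot = {"A1": 100, "A2": 275, "A3": 375, "B1": "=A3*0.2", "C1": "reviewed"}
LOCKED: Set[str] = {"A3", "B1"}

if __name__ == "__main__":
    found = audit_changes(BASELINE, CURRENT, LOCKED)
    print("\n".join(audit_log(found)))
    print(rollback_violations(BASELINE, CURRENT, found))
```

Running it shows the A2 input change and the C1 note accepted, while the A3 overwrite is logged as a violation and reverted to its formula; the reviewer keeps the legitimate edits without having to restore an earlier copy of the whole workbook.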
7: Enforce Policies and Procedures
Any spreadsheet management product will require companies to specify policies and procedures for appropriate spreadsheet use. When determining what's appropriate, again study critical business processes, and consider prohibiting spreadsheets from managing any complex or critical financial calculations. For example, using spreadsheets to test monthly cash flow projections could be acceptable, while calculating your company's daily foreign exchange exposure might be prohibited, to avoid running afoul of Basel II or Financial Accounting Standard rules.
8: Automate Critical Business Processes
Evaluate the effectiveness of current spreadsheets. In particular, for any spreadsheet handling a critical business process, go beyond assessing change management or auditing controls and make sure there is proper segmentation of data, logic, and presentation; otherwise, automate and institutionalize it.
In general, using enterprise applications or add-on controls to automate financial business processes will lead to more cost-efficient and effective compliance. At the end of the day, from a governance, risk, and compliance standpoint, statistics will show that the more you automate, the more reliable your data will be.
9: Monitor Centralized Application Adoption
The presence of centralized ERP or budgeting software which can track and audit corporate financials, however, is no guarantee that spreadsheets aren't still being inappropriately used to underpin critical decisions.
For example, one SOX auditor relays a story about a company that installed Applix TM1, server-based budgeting software, to automatically collate and formulate budget figures across the organization. Despite having a centralized tool to handle budget calculations, however, accountants in each business division still used Excel spreadsheets to perform their calculations, and then copied the information into TM1. Yet these spreadsheets offered no audit trail, accountability, or rationale for budget assumptions. Furthermore, accountants often manually reconciled multiple spreadsheets to create final budget figures, increasing the likelihood of errors.
Hence, simply building centralized tools for ensuring the accuracy of financial information isn't enough. Companies must also ensure such tools are easy enough to use and full-featured enough that users will willingly give up their spreadsheets.
10: Balance Enterprise Applications and Spreadsheets
In many organizations, however, users simply aren't going to surrender their spreadsheets. "One major reason why users are unwilling to eliminate spreadsheets and embed calculations into enterprise applications is that business methodologies, such as pricing, cost allocations, hierarchies, and others, change much too quickly for IT to respond with updates," says Forrester's Evelson.
As a result, in many companies, the answer to the spreadsheet problem is simply better command and control: set spreadsheet policies and procedures, and then enforce them by carefully managing, perhaps down to the column level, any spreadsheets entwined with critical business applications. In other words, a little oversight and tough love can help companies enforce the authenticity and reliability of their regulated financial information, while providing users with the spreadsheets they rely on to get their jobs done.
James Tanner is an analyst at Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face. Orthus provides end-to-end services for clients to comprehensively address risk in their environments, including Insider Threats (http://www.orthus.com/itm_overview.htm), addressing issues including data leakage, sabotage and fraud; External Threats, including penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats, including securing cloud services and data processed by third parties; and Legal and Regulatory challenges, including the Payment Card Industry (PCI) Data Security Standard (DSS).
Article Source: ArticlesBase.com