Spreadsheet Compliance with ClusterSeven for the 2007 Microsoft Office System White Paper

Transcription

1 Spreadsheet Compliance with ClusterSeven for the 2007 Microsoft Office System White Paper July 2006

2 Executive summary The exponential rise in concern over corporate control and regulatory compliance has exposed spreadsheets as a major source of business risk. ClusterSeven provides a solution to this challenge that can meet the needs of regulatory compliance, operational risk and auditors without reducing business flexibility and the ability of Excel to power innovation and opportunity. The largest single list of publicised spreadsheet errors ( shows that almost all significant risk incidents in spreadsheets have been caused by authorized users working in spreadsheets that are being used and consumed as business applications. ClusterSeven is focused on addressing this problem. It does this by focusing on the spreadsheet as an application, rather than as a document by understanding, reporting and alerting the critical changes to cell level and VBA content (both formulae and data) during business operations. This complements and contrasts with the document level management capability offered by Microsoft Office Sharepoint Server 2007 and Office Excel Most importantly, ClusterSeven delivers spreadsheet change information in a way that it can be analyzed and signed off as part of regular business workflow. ClusterSeven customers are regularly finding significant issues in seconds that would have previously taken hours or would never been discovered until a financial loss had been created. This paper addresses the additional benefits that ClusterSeven brings to the capabilities of the Microsoft Office System and, in particular, the 2007 release. It does this by examining the five dimensions of a complete solution: 1. The spreadsheet lifecycle 2. Regulatory requirements 3. Business scalability 4. Operational usability 5. Data management We are really impressed with the positive effect that ClusterSeven has had on our operations and culture. We now have a fully-automated and systematic set of business controls that actually encourages our spirit of innovation while ensuring best practice in terms of operational risk and compliance. Investment Bank When ClusterSeven approached us, it was the first time that we had seen such a product. We immediately realised its value to us as a company, Hedge Fund ClusterSeven is the only company that we found which offered a practical solution to spreadsheet management within our organisation Energy Trader All of these dimensions drive toward the overall objective of delivering a sustainable, adopted solution that can deliver benefit to all stakeholders the business, the operational risk managers, compliance, IT and audit. ClusterSeven provides a unique power over the visibility, integrity and analysis of business processes supported by spreadsheets. Its integration with the 2007 Office System provides an enterprise platform that can fully protect and exploit Excel s strategic value to the business. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 2 of 16

3 Contents The solution to enterprise spreadsheet management 4 The five dimensions of a complete solution 5 The spreadsheet lifecycle 5 Regulatory requirements 6 Business scalability 8 Operational usability 9 Data management 10 Technology framework 12 Conclusions 14 References 14 Links 14 Financial regulation documents 14 Appendix Spreadsheet Compliance in the 2007 Microsoft Office System, Microsoft April 2006 (reproduced with the kind permission of Microsoft Corporation) Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 3 of 16

4 The solution to enterprise spreadsheet management The white papers by PricewaterhouseCoopers 1, Microsoft 2 and Panko 3 have become the must-read literature on spreadsheet compliance. All these papers identify critical spreadsheet management requirements in two dimensions: At a functional level, the need to manage and monitor the changes occurring to business critical spreadsheets. At an organisational level both papers recognise that a sustainable solution is critically dependent on engaging all the key stakeholders in the organisation. ClusterSeven delivers the technology to achieve both these objectives. The behaviour and impact of users are monitored at the highest level of granularity (i.e. cell and macro level). This capability extends the functionality available in the 2007 Microsoft Office System and fills the gap recognised in the Microsoft white paper. Furthermore, ClusterSeven ensures operational adoption by delivering new benefits across the organisation without detracting from the enormous productivity benefits that Excel provides. These benefits include: Reduced risk including the rapid identification of common errors and bad practice, an integrated sign-off environment, improved resilience against fraud, improved disaster recovery and the ability to directly integrate validated spreadsheet output with central systems. Regulatory compliance including a demonstrable control framework, a clear segregation of duties and the rapid location of material issues that may require stakeholder reporting. Increased business opportunity by enabling faster product release, rapid observation of previously inaccessible business trends and improving the confidentiality of the intellectual property of the business. Financial savings including lower capital adequacy requirements, a major reduction in the many hours spent chasing spreadsheet problems (both business and IT), a major reduction in the number of control checks and improved workflow and audit efficiency 1 The Use of Spreadsheets:Considerations for Section 404 of the Sarbanes-Oxley Act, PricewaterhouseCoopers, July Spreadsheet Compliance in the 2007 Microsoft Office System, Microsoft, April Spreadsheets and Sarbanes-Oxley: Regulations, Risks and Control Frameworks, Panko, Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 4 of 16

5 The five dimensions of a complete solution The functional and organisational requirements for sustainable compliance, together with the advances in capability provided by the 2007 Microsoft Office System, create a demanding set of criteria against which to test any solution. Any solution (be it manual or technology) must therefore be understood and assessed against a range of business dimensions. ClusterSeven believes they are best captured under the following headings: 1. The spreadsheet lifecycle 2. Regulatory requirements 3. Business scalability 4. Operational usability 5. Data management 1. The spreadsheet lifecycle The file servers of a large organization will contain hundreds of thousands of spreadsheets. Of these, as many as a few thousand will be critical to the operational fabric of the business, with such spreadsheets being used repeatedly with continuous changes. When spreadsheets are employed in such operational roles they become true business applications. Each version of an operational spreadsheet is final in the sense that it represents a snapshot of the business at a specific time point. A sequence of such snapshots contains the history of that business activity in terms of changes and trends of data, plus the evolution of functionality. If something abnormal has occurred it will be in this history, but extremely difficult to locate. For regulators and operational risk managers it is the operational spreadsheets that present the greatest concern. This is because they are handling the regular transactional flows of the business where error (and occasionally fraud) is unlikely to be spotted and, if it occurs, is likely to impact multiple external parties. These risks are minimized by: 1. Preventing changes by unauthorized users 2. Monitoring changes by authorized users These objectives are achieved by the integration of Office Sharepoint Server 2007, Excel Services and ClusterSeven as shown in Figure 1 below. This figure shows how an initial spreadsheet created in Excel enters the operational cycle of Release-Operations- Validation-Maintenance. Typically the completion of this cycle is slow and expensive, with data validation and functional testing consuming high levels of resources. This expense is often minimized by reducing the frequency of validation but, in so doing, this creates major exposure to operational errors between validation dates. ClusterSeven integrates with the 2007 Microsoft Office System to provide a complete and continuous solution for the operational lifecycle by: Enabling the immediate monitoring of spreadsheet integrity after it is released from testing, so there are no gaps in the handover. Tracking the trend of all cell values over time. This enables the trends of Key Performance Indicators (KPIs) to be easily reported to the business. Providing rapid alerts to users or controllers based on cell, range or worksheet level content changes (against both formula and value-based criteria) Capturing an audit trail defining who, what, where and when for all changes at a VBA and cell level. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 5 of 16

6 Delivering scheduled reports on all important changes, thereby accelerating integrity validation so that it can be performed as part of regular business workflow. Accelerating repair and maintenance by providing a user-friendly, drillable interface for all changes, reducing turnaround time and costs. Enabling changes to be signed off prior to the next phase of operational usage. Exposing spreadsheet maturity by displaying the rate of change of functionality. This demonstrates to IT whether it should be migrated into a central application or whether the functional volatility is still too high for system specification. Figure 1 The operational management of Excel Document management Risk: Unauthorised access Solution: Office Sharepoint Server 2007 plus Office Excel 2007 Information Rights Management Document sharing/publication Risk: Unauthorised viewing/changing of selective spreadsheet content Solution: Office Excel 2007 Services Business operations Risk: Erroneous changes to logic or data by authorised users Solution: ClusterSeven Key performance trends Migrate to central systems Release Operations Business alerts Sign off Spreadsheet Creation in Excel Cell level audit trail Change history Maintain Test functionality and validate data Integrity reports It may be noted that the metadata created by ClusterSeven (e.g. alerts, reports, sign-off approvals, audit trails) offer the opportunity for direct integration with workflow management environments such as Office Sharepoint Server 2007 in order to provide complete business process assurance. 2. Regulatory requirements Regulators are rarely prescriptive about their requirements for information systems and, not surprisingly, there are no direct regulations on spreadsheet compliance. Instead Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 6 of 16

7 regulators define a set of high level requirements against which to test the risks of financial information processes. What is clear is that regulators expect executives to know what is happening in their business, to know when something is going wrong, to have processes in place to exert remedial action and to pay the penalty if they don t. Information systems, including spreadsheets, must measure up to these tests. From a solution perspective these control objectives may be considered against the following themes of corporate governance: Segregation of duties: this principle goes back to some of the earliest standards of business control. In a spreadsheet context this requires the ability to separate the roles of spreadsheet builder/modifier from the application user. Since the complex world of financial products inevitably requires these two roles to overlap, ClusterSeven solves this problem by providing an independent monitoring and sign-off environment for all critical changes. This is done without restricting the freedom of the business user to change their models. ClusterSeven users are already frequently discovering critical changes that they would not have picked up in any other way or would have required major investigative effort. Frequency of control checks: The main focus of the Sarbanes-Oxley Act is a company s control framework, requiring both management attestation and auditor confirmation as to its effectiveness. Where manual controls are utilised, the Public Company Accounting Oversight Board (PCAOB) has given guidance for auditors in the form of recommended test frequencies, which depend on how often the control is utilised in the business. The table below is taken from the Pricewaterhouse Coopers publication and interpretation of this guidance (Sarbanes-Oxley Act: Section 404 Practical Guidance for Management July 2004): Frequency of manual control s performance Typical number/range of times to test controls Annual 1 Quarterly 2 Monthly 2 to 5 Weekly 5 to 15 Daily 20 to 40 Multiple times a day 25 to 60 Factors to consider when deciding the extent of testing Complexity of the control Significance of judgement in the control operation Level of competence necessary to perform the control Impact of changes in volume or personnel performing the control Importance of the control - addresses multiple assertions - period-end defective control - only control that covers a particular assertion Where spreadsheets form a key control this guidance places a heavy administrative overhead on the business in order to repeatedly satisfy the standard control test requirements of inquiry, observation, examination and reperformance. By contrast, ClusterSeven is an automatic control. By focusing on just the critical changes, it reduces the level of complexity and judgement required to operate the control and provides clear repeatability even during changes in volume and personnel. On average, ClusterSeven clients are able to audit a full days trading activity in a large (e.g. 50Megabyte) trading book in less than 10 minutes, when previously it may have taken hours. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 7 of 16

8 Understand the end-to-end supply chain: a map of an end-to-end business process (such as financial trade to settlement) against the supporting central applications will commonly look like Figure 2 below. Since the fit of applications to business requirements is not complete, there are a number of processing gaps where information is manipulated and supplemented in spreadsheets before being re-entered into other applications. These gaps represent control weaknesses in the ability to track a transaction through the entire process. ClusterSeven addresses this problem by tracking all the changes to data through any managed spreadsheets. More importantly, since all the spreadsheet data is centralised in the ClusterSeven data repository this provides a more robust source for direct integration with other applications. Figure 2: A sample/typical information supply chain Business Process Risk Layer Order Cash Central Systems Infrastructure Speed of resolution The pressure to rapidly disclose material events to stakeholders creates a major burden for spreadsheet-sourced information. Indeed, a control test applied by regulators to financial business processes is to ask how quickly they can see any unexpected changes to key business outputs (such as P&L) and then how quickly they can locate the cause of the change. By broadcasting alerts on key business parameters, and enabling a rapid drill down on all changes, ClusterSeven dramatically reduces the resource requirement to locate the source of change, demonstrating improved control and providing more time for the analysis of the business reasons for the change. 3. Business scalability Any solution to the problem of managing spreadsheets must be able to scale in all the technical dimensions of the problem such as the number of spreadsheets, their size, their complexity, the level of user activity and their distribution across the business. The number of operational spreadsheets in a large business will be hundreds or even thousands, but this number can easily become obscured by the hundreds of thousands of previous versions of these same spreadsheets that will also be saved. For ClusterSeven each sequence of version saves is seen as one timeline (even where the title of the spreadsheet is revised to fit regular Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 8 of 16

9 business process), that is attached to the current operational spreadsheet. This immediately eliminates much of the confusion caused by the proliferation of these old files. In addition, using in-built load management (including clustering and fail-over) ClusterSeven is able to scale to monitor and manage the largest volume requirements. The size and complexity of spreadsheets varies greatly. The most sophisticated will exceed 100MB in size and run to hundreds of sheets, containing tens of thousands of formulae and many thousands of lines of VBA code, testing the capability of Excel to the limit. With the expansion of the maximum sheet size in Office Excel 2007 to one million rows and 16,000 columns this challenge is set to get even greater. ClusterSeven manages spreadsheets that exceed 100MB and has an architecture that scales to the maximum capabilities of Excel. ClusterSeven also detects changes across the range of Excel content, including formulae, data, named ranges and VBA code. By analysing the different types of formula changes it can also highlight those that are most likely to lead to operational risk events. The distribution and activity of spreadsheets across the business presents another dimension of challenge. For a business seeking to achieve spreadsheet control there is an immediate question as to whether the spreadsheets will be managed in their existing locations (central file servers or desktop drives) or whether the business will be obliged to relocate its spreadsheets to particular file repositories, such as enterprise content management systems. Relocation will create the onus of business process change and may delay successful implementation or even frustrate adoption. ClusterSeven is able to monitor spreadsheet activity across a wide variety of file environments, both on central file servers and on networked user machines as well as formal enterprise content management repositories. This provides a range of alternatives from which businesses can (if desired) make multiple choices. Since ClusterSeven does not rely on the establishment of formal repositories, it can immediately establish a control framework, from which an informed understanding of spreadsheet activity can then be used to determine the requirement for more formal data repository environments. Equally, because ClusterSeven is independent of the business choice of enterprise content management system the solution is able to maximise existing investment in these infrastructure components (such as Office Sharepoint Server, Hummingbird, FileNet et al). An additional dimension of activity is the peakiness of spreadsheet usage. Many business processes supported by spreadsheets incur most activity at period ends (for example end of day or end of month). ClusterSeven uses an asynchronous framework, combined with a tiered and clusterable architecture to ensure that the load during intense periods of activity can be handled across the available hardware with minimum impact on performance. 4. Operational usability The sustainability of a solution can be viewed from a number of different perspectives that may create user resistance or otherwise frustrate business adoption: these are the degree to which it may disrupt the familiarity and flexibility of Excel; the degree to which it impacts on the technical performance of client machines or Excel itself; and most importantly for any technology that presents itself as a real world solution the degree Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 9 of 16

10 to which it can be incorporated into regular business processes so that important information can be extracted and remedied from what will be a large volume of spreadsheet activity. In order to maintain the Excel user experience the ClusterSeven solution is a background monitoring solution, providing a detective approach to highlighting changes that may impact spreadsheet integrity, rather than a preventative approach. Equally, to ensure compatibility with the current file management experiences of users, ClusterSeven can watch spreadsheets held on existing file servers, without requiring any relocation of files. In order to ensure that there is no deterioration in the performance of client machines the ClusterSeven solution is a non-invasive, server-based application, operating remotely from client machines. This also enables the solution to manage all versions of Excel from 97 onward. Information on spreadsheet change activity is then made available only to authorised users via the ClusterSeven Enterprise Spreadsheet Management client component. Beyond these areas of potential user resistance, ease of operation is the most important aspect of ensuring adoption. For large workbooks, containing many sheets and millions of cells, the volume of change information will be large. This information can only be managed as part of real business processes if it can be filtered to ensure that only the key changes relevant to the user are returned for business management. These key changes are likely to vary from user to user for example operations will be interested in one set, financial reporting in another and front office IT in yet another. The ClusterSeven solution meets these challenges by providing userdefined reports, locating just those cell changes that are relevant to individual business roles. For example one user may focus just on changes to formulae and VBA while another can focus just on data changes. In addition, ClusterSeven provides a suite of business alerts that may be linked to a wide range of changes within the content of the spreadsheet and across either single or multicell ranges. These alerts are delivered through the messaging layers of the organisation (such as and netsend) and include structurally-based aspects (e.g. formulae changes) and value-based thresholds (e.g. maxima or minima). ClusterSeven even offers a no change alert to indicate when a certain area of the spreadsheet should have been updated, but has not. 5. Data management The primary reason for adopting a spreadsheet compliance solution is to ensure confidence in the output of spreadsheets so that this information can be utilised elsewhere in the business. If the spreadsheet itself is the document of record then validation of this piece of business information completes the information supply chain and no further risk should be created. However, if the information that has been validated in a spreadsheet is then required elsewhere in the business that data must be extracted from the spreadsheet and passed into other systems or other spreadsheets. If the process of extraction is manual then all of the effort in validating the integrity of the data will be lost. This demonstrates that an additional key piece of any spreadsheet compliance solution is to enable automatic extraction and loading into other systems. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 10 of 16

11 By providing a centralised and structured data repository based on Microsoft SQL Server ClusterSeven ensures that the validated data captured from spreadsheets can now be integrated directly with other systems (e.g. for back office reconciliation). This removes the need for further re-keying or the use of links to spreadsheets which are notoriously prone to failure. This approach provides a further contribution to increasing efficiency and reducing operational risk. In addition, each version of a spreadsheet represents successive snapshots of the business at those time points. If a user wishes to understand the trend of any business parameter over time (as represented by a particular cell value through many successive version saves) the work involved is extremely arduous, error-prone and rarely pursued. As a result the data stored in historical spreadsheets is virtually inaccessible and any business intelligence that might be gleaned from understanding the way in which the business has evolved is effectively lost. The value history of every cell is captured in the ClusterSeven data repository. This information is available for direct interrogation enabling ad hoc observation of business trends or the correlation between separate business trends (in the same spreadsheet or others). This information may also be exported into analytical and business intelligence packages for more sophisticated interpretation. One example is the determination of the co-variance between individual cells from the histories of different spreadsheets to deliver an arbitrage opportunity such as the sparkspread between gas and electricity prices. This new power over distributed and unstructured data is unique. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 11 of 16

12 Technology framework The ClusterSeven solution may be integrated with the 2007 Microsoft Office System as shown below in Figure 3. It may also be implemented with earlier versions of Excel from 97 onwards. ClusterSeven does not require any component to be installed on the client machines of monitored users it is neither an Excel add-in nor does it place any code (VBA or otherwise) in the workbook. This avoids any impact on client performance and also ensures that there are no compatibility issues if users wish to utilize the new server-side functionality available in Office Excel This independence means that ClusterSeven is not impacted by the most recent Excel file format changes. ClusterSeven provides the option to monitor native file systems (e.g. Microsoft Windows Server, DFS, NetApps, EMC Clariion) without the need for proprietary content management repositories. Alternatively, ClusterSeven may be integrated with Enterprise Content Management (ECM) software to maximise the value of existing infrastructure and utilise their document management functionality (e.g. access control, versioning and vault capabilities). Within this sector, the advances in Office Sharepoint Server 2007 mean that it is set to become a key platform for work management components and applications. This makes the combination of the 2007 Microsoft Office System and ClusterSeven a highly adaptable and future-proofed environment for spreadsheet compliance. The ClusterSeven solution comprises a suite of components built in 100% Microsoft technologies as described below: Figure 3: Integrated architecture of ClusterSeven and Office 2007 ClusterSeven component (.Net) Microsoft Component MS or Third Party component Administration Generation Validation Workflow Analysis ClusterSeven Console Office Excel 2007 ClusterSeven ESM Office Sharepoint Server 2007 BI Analytics Office Excel 2007 Presentation Layer ClusterSeven File Watchers IIS Web Services Communication Layer Office Sharepoint Server 2007 File Storage Excel Services ClusterSeven Servers (clustered) Application Layer Microsoft Windows Server ClusterSeven Data Warehouse ClusterSeven Datamart Output Layer ClusterSeven Database (MS SQL) Data Layer Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 12 of 16

13 The ClusterSeven file watchers detect user interactions with those spreadsheets nominated for management. These spreadsheets may be located on local desk-top drives, native file servers or Enterprise Content Management document repositories. This flexibility means that ClusterSeven is fully compatible with Office Excel 2007 files, whether or not they utilise the new server sidefunctionality. When a relevant user interaction is detected a new version of the spreadsheet is retrieved by the ClusterSeven application servers. The ClusterSeven application servers conduct the change analysis between the relevant versions of the spreadsheet, together with the generation of business reports and alerts. The complete set of changes in cell content and VBA are added to the database, alongside the time and user stamp for the relevant interaction. The ClusterSeven enterprise spreadsheet manager provides authorised users with the primary user interface for the reporting, analysis and sign off of important spreadsheet changes. Authorised users are given selective access to key functionality and spreadsheet histories according to security roles determined in the ClusterSeven console. The enterprise spreadsheet manager also provides the configuration environment for business users to select those spreadsheets to be managed, to determine the critical areas for integrity reporting, to complete the sign off of validated changes and to conduct ad hoc analysis on the trends in key performance indicators. Alerts on critical changes may be delivered through the chosen message layer of the organization e.g. , netsend. The ClusterSeven database (based on Microsoft SQL Server) provides a centralised and structured information resource, holding the full temporal history of all managed spreadsheets. This frame-by-frame sequence builds the movie version of the spreadsheet. ClusterSeven is not a business intelligence solution. However, the changing cell values within successive versions of a spreadsheet contain a rich and detailed transcript of the evolution of the business much of which will not be available from central systems. Under conventional spreadsheet usage it is very difficult to interrogate this history. ClusterSeven allows users to see the value changes over time for any cell, thereby offering the opportunity to observe ad hoc data trends. Alternatively, the information may be exported to tools such as Excel or other business intelligence applications for more sophisticated analysis. The ClusterSeven datawarehouse and ClusterSeven datamart are optional components to support this extraction process. The ClusterSeven console is an administrator resource that enables configuration of the solution for local network and server infrastructure, to define user roles and to allow the bulk selection of spreadsheets to be placed under management. ClusterSeven also recognises that spreadsheets are not always the end of the business process - they are commonly intermediate parts of larger business processes. This requires the information to be communicated elsewhere. ClusterSeven enables captured spreadsheet data to be directly integrated with other business systems. This avoids the loss of integrity that may occur if spreadsheet data is returned to other locations via manual processes or fragile spreadsheet links. Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 13 of 16

14 Conclusions The most important step toward achieving spreadsheet compliance is the recognition of Excel as a key component of the enterprise application infrastructure and a strategic business asset. This requires a collaborative analysis between the key stakeholders in the organisation, including the business, IT, regulatory compliance and audit. The 2007 Microsoft Office System marks a major step towards exposing the previously under-recognised strategic value of Excel. It includes the new server-based technology of Excel Services and the establishment of Office Sharepoint Server 2007 as the hub for all record management processes. These capabilities address many of the enterprise requirements to achieve regulatory compliance over spreadsheet assets when considered as a document. To augment the 2007 Microsoft Office System, ClusterSeven provides an unprecedented level of transparency over any spreadsheet activity in the business. It does this in a way that allows the ClusterSeven platform to become a practical part of business workflow and thereby establish a sustainable compliant environment. More importantly, however, ClusterSeven enables the spreadsheet to maintain its enormous value as an instrument of business speed and innovation whilst allowing it to deliver validated, high integrity information to the rest of the business. References 1. The Use of Spreadsheets:Considerations fro Section 404 of the Sarbanes-Oxley Act, PricewaterhouseCoopers, July Spreadsheet Compliance in the 2007 Microsoft Office System, Microsoft, April Spreadsheets and Sarbanes-Oxley: Regulations, Risks and Control Frameworks, R.Panko, Communications of the AIS, 2006 Links Information about ClusterSeven Information about public spreadsheet errors Information about the 2007 Microsoft Office System /preview/default.mspx blogs.msdn.com/excel Financial regulation documents Sarbanes-Oxley Act, Data Protection Act, Basel II: International Convergence of Capital Measurement and Capital Standards Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 14 of 16

15 Appendix Copyright ClusterSeven Ltd June 2006 All Rights Reserved Page 15 of 16

16 Spreadsheet Compliance in the 2007 Microsoft Office System White Paper April 2006

17 Table of Contents Executive Summary... 3 Introduction... 4 Regulatory Compliance... 4 Background... 4 Spreadsheets: An Enterprise Software Resource... 4 Process Challenge... 5 Every Situation is Unique... 5 Compliance Strategies for Spreadsheets Evaluate the Current Situation Implement Appropriate Controls Develop a Long-Term Spreadsheet Development and Maintenance Methodology... 9 How the 2007 Microsoft Office System Can Help Address Compliance Challenges Preventing Unauthorized Access to Spreadsheets Managing and Monitoring Spreadsheet Changes Retaining and Archiving Spreadsheets Developing Robust Spreadsheet Models Conclusion Links Information About the 2007 Microsoft Office System Financial Regulation Documents Appendix Table of Relevant Regulations Microsoft Office System Capabilities Matrix... 23

18 Executive Summary Spreadsheets offer the flexibility and ease of use of a desktop application, combined with the power to perform complex data analysis. As a result, spreadsheets are used to support critical business processes in most organizations. In fact, research indicates that over half of financial management reporting is performed with spreadsheets. Despite this, a disparity exists between the importance of spreadsheets to business processes and the level of corporate resources devoted to spreadsheet development, testing, and maintenance. Organizations today are under considerable regulatory pressure to ensure that financial reporting processes are both transparent and well-documented. Three visible examples of such legislation are the Sarbanes-Oxley Act (United States, 2002), the Data Protection Act (European Union, 1998), and the Basel Capital Accord (Basel II, 2006), which together impact most publicly-traded companies around the world. However, corporate finance is just one area affected by compliance legislation; separate industry and local regulations also exist. An organization must take into account all applicable policies and requirements when developing a regulatory compliance framework. Implementing a sustainable spreadsheet compliance framework requires cooperation between each level of an organization, from executive management to the individual business user. Such a framework must meet the needs of both the business and the IT department. This paper will describe the steps that should be taken to identify and control spreadsheets once an overall compliance frame work has been implemented. An example of the approach taken by the Microsoft Corporation Financial Compliance Group is also included. When combined with a sound compliance strategy, technology can help enforce policies and increase business productivity. The final section will discuss capabilities available in the 2007 release of the Microsoft Office system that can help address the following common compliance challenges: Preventing unauthorized access to spreadsheets Managing and monitoring spreadsheet changes Retaining and archiving spreadsheets Developing robust spreadsheet models The strategies and technology described in this paper can help organizations achieve success in establishing spreadsheet control policies that meet both regulatory requirements and business needs.

19 Introduction Because of the ease of use, flexibility, and power of spreadsheets, they support many critical business functions and often fill roles where other solutions would be too slow or costly to implement. As a result, spreadsheets have quietly become a key component in the analysis and reporting processes within most organizations, including the mission-critical area of financial reporting. In the United States and around the world, there has been increasing focus on demonstrating regulatory compliance, especially within corporate financial processes. This is due in part to new legislation, such as the Sarbanes-Oxley Act and an increased public scrutiny of corporate accounting practices, that has highlighted a need for stricter controls over the analysis supporting financial statements. Because spreadsheets are an enterprise resource that support key business processes, it is important to determine how they fit into an overall strategy for regulatory compliance. This paper will provide the reader with a set of practical strategies for addressing spreadsheet compliance from an organizational level. It will also describe capabilities in the 2007 release of the Microsoft Office system that can help support and enforce a compliant spreadsheet environment. While these strategies highlight financial analysis and reporting scenarios, they are not regulationspecific and can be applied to scenarios where spreadsheets are employed across different industries and geographies. Regulatory Compliance Background Regulatory compliance is now, more than ever, a key issue for organizations around the world. Financial compliance is one area in particular that has received much scrutiny in recent years. New legislation has been written to ensure that organizations financial analysis and reporting processes are both transparent and accurate. The three most visible examples of this legislation are the Sarbanes-Oxley Act (United States, 2002), the Data Protection Act (European Union, 1998), and the Basel Capital Accord (Basel II, 2006), which together affect most publicly traded companies 1. Corporate finance, however, is just one of many areas where compliance policies have been defined and enforced. The pharmaceutical and health industries, for example, have been subject to strict regulation for years. Compliance policies also are subject to local legislation, with regional governments often establishing their own compliance requirements. An organization must take into account all applicable policies and requirements when developing a regulatory compliance framework. Spreadsheets: An Enterprise Software Resource Though they may not be thought of in the same manner as database or custom software systems, spreadsheets are a key enterprise asset for most organizations. In the words of auditor PricewaterhouseCoopers, spreadsheets are an integral part of the information and decision- 1 A list of relevant regulations can be found in the Appendix.

20 making framework for companies. 2 However, evidence has shown that in some organizations there is the general perception that spreadsheets are a tactical tool without strategic importance. As a result, the resources dedicated toward the implementation and control of critical spreadsheets are small in comparison to other information technology assets. These disparities represent the most significant road block to spreadsheet compliance. Before controls can be implemented and enforced, management must acknowledge spreadsheets as a critical enterprise resource and then budget and plan accordingly. Process Challenge One common misconception in organizations is that spreadsheet compliance can be achieved through the use of technology. While technology plays a role in any compliance strategy, the most important component is process. Critical spreadsheets and other enterprise IT resources require sound development and usage practices that include controlled testing, deployment, maintenance, and use. An effective plan will incorporate these steps into the larger compliance framework for spreadsheets and other enterprise resources. The points listed below are prerequisite to developing such a plan. Executive-Level Commitment The need for compliance policies must be recognized at all levels within the organization. Cooperation between managers across functional departments is important to defining robust controls that are in line with business objectives. Without executive-level commitment it will be difficult, if not impossible, to enforce and maintain an effective compliance strategy. Getting IT and Business Users on the Same Page To be successful, a compliance strategy must be driven by the needs of the business and its users. A plan that fails to do so will hinder business productivity and prove unsustainable. This problem can be addressed from the start by engaging both IT staff and individual users. Collaboration is particularly important when defining spreadsheet controls because members of the business team often serve as both users and developers of critical spreadsheet applications. Because IT staff have knowledge of spreadsheet functionality, getting them involved early can help reduce duplication of work and increase the robustness of the solution. Allocating Appropriate Resources Implementing an effective compliance strategy takes time and effort. Representatives from many different groups must assist in defining controls that meet business objectives. Representatives often include members of the IT, internal audit, and finance departments, but can involve others depending on the needs of the organization. Additionally, it may make sense to use software to help monitor and control spreadsheets, but this can require financial and development resources as well. Once implemented, the control processes must be monitored and enforced by dedicated people with an understanding of the overall compliance strategy. Every Situation is Unique Every organization is unique in how it uses technology in its business, and each has its own set of challenges and goals to consider when developing a compliance framework. As a result, there is no single prescriptive compliance solution that satisfies the needs of all. An effective strategy will 2 PricewaterhouseCoopers. The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act. July 2004.

21 consider the operational risks, business objectives, and specific regulations with which the organization must comply. The following section offers specific steps for identifying and controlling critical financial spreadsheets, but these strategies can be adapted to meet the particular needs of the organization s larger compliance framework. Compliance Strategies for Spreadsheets Once an organization has an overall framework for regulatory compliance, the following steps can help identify and control critical spreadsheets in a way that can be maintained. There are three key steps to implementing this process: 1. Evaluate the current situation. 2. Implement the appropriate controls. 3. Develop a long-term spreadsheet development and maintenance methodology. This section will cover each of these in detail. 1. Evaluate the Current Situation Inventory Relevant Spreadsheets Before critical spreadsheets can be controlled they must first be identified. Perform an inventory to count the number of spreadsheets in the organization that may have an impact on compliance. In most organizations this applies to spreadsheets concentrated in specific high-risk departments. In the case of corporate finance this includes areas that support the analysis and reporting of financial accounting data. During the inventory, note each spreadsheet s purpose and relationship to critical business processes. This information will be important for determining the appropriate controls for each spreadsheet. Inventories can be completed manually by inspecting hard drives and shared folders, or automatically by using software that scans a corporate network to target spreadsheets. Identify Business-Critical Spreadsheets Not all spreadsheets in an organization require rigorous compliance controls. An inventory may return thousands, if not hundreds of thousands of spreadsheets, many of which will likely have little or no compliance impact. It would be overwhelming and unproductive to implement strict controls for each spreadsheet. Therefore, teams must identify and isolate the spreadsheets that support critical business processes, where a lack of controls could lead to material errors. In corporate finance, materiality is often defined as an error that involves 5 percent of net income or total assets, but this definition should be tailored to satisfy the organization s compliance requirements and the departments involved. In most cases, only a small percentage of an organization s spreadsheets match these criteria. Case Study: Microsoft Corporation As an example, the Microsoft Corporation Financial Compliance Group works with management, internal auditors, and external auditors to perform an inventory of important spreadsheets used for financial reporting. A recent inventory yielded 42 business-critical spreadsheets in use. The following filtering criteria were used to identify these spreadsheets.

22 Quantitative Criteria Microsoft uses the following criteria to flag inventoried spreadsheets for further analysis. 1. A spreadsheet that documents a journal entry greater than a pertinent dollar threshold. This threshold is derived as a percentage of materiality on a quarterly basis to support quarterly reporting. 2. A spreadsheet that serves as a recording ledger for an account with a balance greater than a pertinent dollar threshold. This threshold is derived as a percentage of materiality roughly four times greater than the threshold for supporting a journal entry. 3. A spreadsheet that directly supports a financial statement disclosure. Qualitative Criteria Qualitative criteria are formed by an assessment of the inherent and historical risks of the information contained within a spreadsheet. Microsoft conducted a risk assessment to identify these important criteria. Examples of qualitative criteria used by Microsoft include: 1. Whether the spreadsheet contained a high degree of complexity. For example, the spreadsheet includes complex use of formulas and calculation, a high number of connections to multiple worksheets or external data sources, or employs macros or other code. 2. Whether the spreadsheet is used by a new department or division that lacks an established report history. It is important to note that quantitative and qualitative criteria are not applied sequentially; instead they form a two-pronged approach to identifying business-critical spreadsheets. While it is often the case that business-critical spreadsheets meet both quantitative and qualitative criteria, this is not a requirement. 2. Implement Appropriate Controls Once business-critical spreadsheets have been identified and the risks defined, the next step is to implement appropriate controls for each one. Often this process cannot be implemented all at once. It may be necessary to break up the work by division or business unit, addressing the most important areas first. The section below describes the risks and corresponding control activities Microsoft uses to manage its critical spreadsheets. Control Activities Control activities are the steps taken to mitigate risk and to meet the control objectives. The control activities employed by Microsoft corporate controllers fall into two categories: Preventative controls that prevent undesirable events from occurring. Detective controls that detect undesirable events that have already occurred. The table below specifies the potential compliance risks for business-critical spreadsheets and the corresponding control activities defined by the Microsoft Financial Compliance Group.

23 Potential risk Unauthorized access and modification of data or formulas may result in output or reporting errors. Loss of the archived (prior reporting period) spreadsheets may damage the audit trail. Control activity Save spreadsheets to a location that allows restricted user access and regular backups. Unauthorized modification of historical data may damage audit trail. Spreadsheets may be initially set up with incorrect formulas or inadvertent changes may degrade the model integrity of the spreadsheet, resulting in output and reporting errors. Convert spreadsheets from previous reporting periods to a read-only format and securely archive them for later retrieval. 1. Test overall model mechanics and material changes before the spreadsheets are used. 2. Retest spreadsheets once annually. 3. Lock formula cells to prevent inadvertent changes. 4. Review mechanics each reporting period in sufficient detail to detect inadvertent changes. Entered data is incomplete or disagrees with the source, which results in output and reporting errors. Lack of knowledge about how to properly use spreadsheets compromises the current and future ability to generate correct results and accurate reports. Check cells* are used to validate data accuracy and the completeness of entry. *A check cell is subtotal cell that counts how many records (line items) are entered and the value of the records entered. Divide spreadsheets into three worksheets to separate input values, formulas, and resulting calculations. Document key elements of spreadsheets, such as input cells, formula cells, output cells, and data sources; and summarize calculation methodology and spreadsheet use procedure. Defining and implementing control activities, including those described above, is an important step toward addressing the compliance risks associated with business-critical spreadsheets. The next section describes how an organization can apply these principles to new business-critical spreadsheets through a controlled development process.

24 3. Develop a Long-Term Spreadsheet Development and Maintenance Methodology A long-term strategy for mitigating risk should include the use of a development methodology for critical spreadsheets. Academic research indicates that spreadsheet development shares many characteristics with traditional software development 3. Error rates tend to be similar between the two, as are the benefits gained from a sound development lifecycle that includes design, inspection, and maintenance. Historically, spreadsheet development has not received the level of developmental rigor given to other forms of enterprise software. As a result, spreadsheets that drive key aspects of the business often lack important controls and thus introduce a compliance risk for the organization. The solution is to treat the development of business-critical spreadsheets like enterprise software and adhere to a formal development methodology when creating them. Here is a recommended development approach to creating spreadsheets 4 : Define Requirements Begin by defining the requirements of the spreadsheet model. This phase should include a detailed description of the spreadsheet s business purpose, including the functions it will perform and its impact on the broader business process. It is wise to scope and define boundaries here as well; this will help prevent the spreadsheet from growing large and unwieldy during the design and development phases. Additionally, this phase should include validation from each spreadsheet user that the model will satisfy their business needs. Design The design phase maps a detailed plan for implementing the business requirements defined in the first phase and should result in a spreadsheet blueprint. This blueprint describes the formulas and functions needed for the core logic and layout of spreadsheet. Well-designed spreadsheets include the following characteristics: A clear, visual separation of input, output, and calculation cells. o This can be achieved through layout, placement, and formatting. Lockable and protectable cells that should not be modified. A standard organizational method. o For example, a top-down organization in which formulas never refer to cells located below them. Standard naming conventions throughout the spreadsheet. Named ranges to reduce errors and increase formula readability. Simple formulas. 3 Panko, Raymond R. and Nicholas Ordway. Sarbanes-Oxley: What about All the Spreadsheets? University of Hawaii, Adapted from the waterfall software development lifecycle.

25 o This can be achieved by dividing complex business logic among multiple cells. Extensive documentation throughout the spreadsheet. o For example, embedded comments throughout the spreadsheet and tables of contents and formatting legends to clarify structure and layout. It is imperative to incorporate spreadsheet user feedback during the Design phase to ensure that the final blueprint is flexible enough to be used, but strict enough to respond to organizational controls. Implement Once the blueprint has been created and validated, it is time to create the spreadsheet. If the Requirements and Design phases have been completed with care and a high level of detail, this step should simply assemble the pieces as described in the spreadsheet blueprint. Test and Verify Like any new piece of custom software, spreadsheets will contain errors. Thus, testing and verifying the spreadsheet s calculation accuracy is critical to ensuring confidence in the model. Different ways to test a spreadsheet include targeted audits, test case verification, scenario testing, and code inspection. Of these methods, code inspection has been shown to be the most complete for catching errors. Research indicates that code inspections tend to find on average over 80 percent of the errors in spreadsheets 5. However, this method is also the most resource intensive, involving teams of 1 to 3 reviewers who have a firm understanding of the spreadsheet to analyze it closely for logic and input errors. Regardless of the method, test passes should happen regularly throughout the implementation phase by individuals other than those who initially created the spreadsheet. In addition to good testing practices, third-party testing tools can be used to help identify and repair spreadsheet errors. Deploy At deployment, control activities must be determined and applied. The controls needed for compliance will vary depending on the complexity and importance of the spreadsheet. Examples of spreadsheet controls were described in the previous section of this paper. Other activities to consider at deployment include: A formal transition to a production environment. Back up of source files. Storage in a secure location, with strong file access management. Sign-off from development, test, and business users. A formal approach to versioning and documented release criteria and management. Training and education for users of the spreadsheet. Creation of a detailed user manual. Training courses to educate users and to verify proficiency using the spreadsheet. 5 Panko, Raymond R. and Nicholas Ordway. Sarbanes-Oxley: What about All the Spreadsheets? University of Hawaii, 2005.

26 Maintain and Document Maintenance and documentation are critical to ensure the long-term usefulness of a spreadsheet. Continued testing and verification of all changes made after deployment will help ensure that the logic remains correct. Further, documentation is important because it allows users, developers, and testers to learn and understand the purpose and function of the spreadsheet. These procedures will reduce the need for future testing and minimize user error. Documentation for critical spreadsheets should include the following: A detailed description of the spreadsheet s purpose. A change log that includes who made changes and how the changes affected the spreadsheet. Embedded comments to explain all input, output, and calculation cells. A description of standard, defined spreadsheet naming conventions. A legend that explains the formatting used in the spreadsheet. A user s manual that explains the proper use of the spreadsheet with example input and output values. Contact information for the person who created and is responsible for the spreadsheet. How the 2007 Microsoft Office System Can Help Address Compliance Challenges While technology alone cannot ensure spreadsheet compliance, organizations should take full advantage of the tools and technology available to help fulfill the compliance recommendations outlined above. Risks to spreadsheet compliance can be mitigated by implementing controls on important elements of business-critical spreadsheets to allow only authorized users to view content, make changes, and share information. This section presents a set of technologies included in the 2007 release of the Microsoft Office system that can be used in conjunction with a sound compliance strategy to address compliance challenges with spreadsheet use. These capabilities include: Preventing unauthorized access to spreadsheets. Managing and monitoring spreadsheet changes. Retaining and archiving spreadsheets. Developing robust spreadsheet models. Some of these capabilities are available in the current release of the Microsoft Office System. Preventing Unauthorized Access to Spreadsheets As the complexity and importance of a spreadsheet increases, so too does the cost of errors and innaproriate disclosures of data. The 2007 Microsoft Office system offers a number of options for helping to secure critical spreadsheets from unauthorized access and modification on both the client and server. This section will take a closer look at the following four technologies.

27 1. Microsoft Office Sharepoint Server 2007 permissions 2. Sharing spreadsheets using Excel Services 3. Information Rights Management 4. Workbook encryption 1. Office SharePoint Server 2007 Permissions Office SharePoint Server 2007 is a scalable enterprise portal, content management, and collaboration server built on Microsoft Windows SharePoint Services. Organizations can use Office SharePoint Server 2007 to store, protect, share, and track important documents and information through a single Web-based portal. All interactions within Office SharePoint Server 2007 are protected and monitored by a single sign-on system to safeguard against unauthorized access to critical documents. Office SharePoint Server 2007 uses a security model based on site groups and rights. Site groups are groups of users with related security requirements. Site owners can assign Security rights to each security group. An organization can customize the rights assigned to these site groups or add new site groups as needed. By default, Office SharePoint Server 2007 includes six site groups: Administrator, Web Designer, Contributor, Reader, Guest, and Viewer. Once groups and permissions have been defined, Office SharePoint Server 2007 safeguards the sites and documents stored within the portal using this permission structure. 2. Sharing Spreadsheets Using Excel Services Excel Services is a new server-based technology that supports loading, calculating, and rendering Microsoft Office Excel spreadsheets in a Web browser. Excel Services comprises two primary interfaces: Microsoft Office Excel Web Access allows customers to view spreadsheets in a Web browser and the Excel application programming interface (API) allows developers to share Excel features among applications. With the Microsoft Office system, customers can publish spreadsheets and view them with any modern browser, without the need to install software on the local computer. This allows organizations to share spreadsheets without exposing sensitive business logic. Finally, because Excel Services is part of Office SharePoint Server 2007, it takes full advantage of document management and workflow capabilities to help maintain control over critical spreadsheets. Controlling What Users Can See Publishing a spreadsheet to Office SharePoint Server 2007 saves the entire spreadsheet to the server to allow for data refreshes and recalculation. However, the parts of the spreadsheet accessible to viewers and available for download through the Web browser are controlled by the author of the spreadsheet. Microsoft Office Excel 2007 spreadsheet software provides three options for controlling the viewable area of the spreadsheet on the server: The entire workbook (default). Users can view the entire workbook and download it to the desktop. A subset of sheets. The workbook author permits users to view and download a subset of sheets. This does not affect how the spreadsheet appears when opened in Office Excel

28 2007, only how it appears when viewed on the server. This mode is useful when workbooks contain numerous behind the scenes worksheets that hold intermediate calculations, source data, etc., but only a few sheets that users should see. A set of named items, such as Named Ranges, charts, tables, and PivotTable and PivotChart dynamic views. In this mode, users can only view and download specific items selected by the workbook author. Users access these items through a drop-down menu in their Web browser. The View Item Right Office SharePoint Server 2007 adds a new feature for spreadsheets (and other documents) stored in SharePoint document libraries. With this View Item Right, spreadsheet administrators can restrict user access to viewing and executing on the server. Users cannot download a copy of the spreadsheet or access any areas that were not published to be viewable on the server. This feature can hide and make inaccessible proprietary information contained in the workbook, such as specific formulas, the proprietary model, the external data connections, and hidden elements. The View Item Right affects the way Excel Web Access and the Excel API allow access to a workbook. 3. Information Rights Management Organizations can use Information Rights Management (IRM) to protect and maintain greater control over digital information, including confidential and sensitive spreadsheets. Microsoft Windows Rights Management Services (RMS) in the Microsoft Windows Server 2003 operating system allows organizations and individual users to set policies that allow better control over who can open, copy, print, or forward information created in Office Excel IRM in Office Excel 2007 With Office Excel 2007, Information rights management policies allow users to set different levels of file protection to balance the needs to efficiently share information and help protect privacy. Set file permissions at different levels and change the level for specific users and groups of users. Assign permissions according to roles and responsibilities. For example, set different permissions for a viewer, a reviewer, or a file editor. Restrict file printing to reduce the number of times a sensitive spreadsheet can be copied. Set expiration dates to provide a date after which a spreadsheet file can no longer be opened or used by others. Help prevent forwarded files from unauthorized access. Unintended recipients cannot open files protected with IRM policies. Instead, a message informs the recipient that they do not have access rights. Optionally, the file owner can include an address for contact. IRM and Office SharePoint Server 2007 Sharepoint document libraries are also highly integrated with Information Rights Management policies. Using IRM, Office Sharepoint Server 2007 can apply policies automatically to help protect spreadsheets as they are downloaded to a user s laptop. Offline use is unhindered, but permissions such as forwarding, printing, or editing can be disallowed as needed on a user-by-user basis. Finally, Office Sharepoint Server 2007 can employ IRM policies to expire content after a specified time. This helps reduce erroneous access and distribution of outdated spreadsheets.

29 4. Workbook Encryption Customers without Office Sharepoint Server 2007 can use the Secure a Workbook functionality in Office Excel 2007 to establish a basic level of file security. The Secure a Workbook feature allows users to specify a password to open the workbook. The workbook is encrypted using a symmetric encryption type known as 40-bit RC4. Stronger encryption types can be selected depending on the security needs of the organization. Managing and Monitoring Spreadsheet Changes Critical spreadsheets are living applications that inevitably change over time. A sound compliance strategy will include some level of on-going change management and monitoring for critical spreadsheets. In this section we will take a closer look at how Enterprise Content Management within Office SharePoint Server 2007 can facilitate this process. Enterprise Content Management in Office SharePoint Server 2007 The versioning, auditing, and workflow capabilities in Office SharePoint Server 2007 allow users to better manage important spreadsheets and documents without sacrificing productivity. Versioning Office SharePoint Server 2007 has a robust check-in/check-out and versioning mechanism that allows users to check in changes under a new major (1.0 to 2.0) or minor (1.8 to 1.9) version. Office Sharepoint Server 2007 will store as many back versions as is needed with a full version history showing who created the version and when each version was created. The author or administrator can set permissions to allow only a small group of authors in the immediate working group to see the latest minor version currently in use, while a larger group of readers can access the last fully-approved major version. Additionally, Office SharePoint Server 2007 has built-in retention and expiration functionality that can be used together with the versioning feature to destroy older versions of a document based on policy. This helps save space and reduce risk and confusion. Auditing Office System SharePoint Server 2007 allows administrators to audit key events within document libraries. While there is no built-in capability to audit changes within spreadsheets individually, the audit log records spreadsheet events such as Open, Modify, and Delete. Several built-in reports and mechanisms to generate custom Excel reports can be used to analyze information contained in the audit log. This data can also be accessed by custom systems for further analysis and reporting. Workflow With Office SharePoint Server 2007 customers can build workflows that map to important business processes. These capabilities facilitate more manageable collaboration, enforcable and measurable business processes, and more intelligent records management. Content Approval, which existed in Office Sharepoint Portal Server 2003, can now be augmented with workflow features. This allows administrators to set up a document library in which all documents must be reviewed (by an administrator or appointee such as the financial analyst in charge of the library) and approved before being available for broader use. This approval can be as simple as the administrator monitoring and changing a flag on the spreadsheet in the document

30 library, or it can be a custom workflow that sends messages to a group of approvers to confirm that the spreadsheet meets internal requirements needed for approval. Beyond content approval, Office SharePoint Server 2007 includes a set of out-of-the-box workflows for approval, gathering feedback, gathering signatures, and other business processes common to most organizations. Custom workflows can be created with Microsoft Office Sharepoint Designer 2007 or the Microsoft Visual Studio 2005 development system to codify crucial processes within the business. Retaining and Archiving Spreadsheets The ability to archive spreadsheets is just one component of a larger records management process that includes the collection, management, and disposal of corporate records (information important for the history, knowledge, or legal defense of a company) in a consistent and uniform manner based on the company s policies. The 2007 Microsoft Office system can help companies ensure that vital corporate records, including critical spreadsheets, are properly retained for legal, compliance, and business purposes and then properly disposed of when no longer needed. This section details the new record management capabilities provided with Office SharePoint Server Office SharePoint Server 2007 Record Repository Office SharePoint Server 2007 provides a scalable and efficient records management system with a specialized Records Repository site template. The Records Repository acts as the hub for all record management processes, including content collection (e.g., spreadsheets, documents, , and non-digital items), policy enforcement, item retention in response to external events, and content disposal (see Figure 1). The following capabilities, new to Office SharePoint Server 2007, help users fulfill records management requirements. Vault Capabilities The Records Repository has several features that help ensure the integrity of files stored in the repository. First is the ability to ensure that records are never automatically modified by the system. This means that records uploaded to a records repository and then downloaded later will be identical, byte for byte. Second are default version and audit settings that monitor changes to content to prevent direct tampering of records. Third, records managers can add and maintain metadata on items separately from the record s metadata. This allows information such as who manages the item to be changed without modifying the underlying record. Changes to this metadata are versioned as well.

31 Figure 1 Information Management Policies These policies provide controls that consistently and uniformly enforce the labeling, auditing, and expiration of records. Policies can be configured for a specific storage location or content type. For example, to ensure that all contracts are retained uniformly in an organization, expiration dates can be based on a common property such as the contract execution date. Hold The Records Repository allows IT staff, records managers, and legal authorities to apply one or more holds that suspend records management policies on specific items to prevent documents from being changed during litigation, audits, or other investigations. The process of creating, managing, and releasing holds is monitored and recorded so that the system can account for all actions taken. Record Collection Interface Records repositories provide a set of services that aid in content collection. These services allow people and automated systems to easily submit content to a records repository without necessarily having access or permission to any of the contents of the site. Content can be submitted through a Web service by using the SOAP protocol or through by using the SMTP protocol. Record Routing Content submitted to a records repository can be routed to the proper location within the records management system based on content type.

32 Extensibility To support deployments that require additional capabilities, Office SharePoint Server 2007 provides robust extensibility mechanisms. For example, the Record Collection Interface can be implemented on a different repository, allowing Office 2007 clients and servers to treat third-party repositories as records repositories. Additionally, records management policies are built on an extensible framework that allows customers to buy or build custom policies to extend or replace existing ones. Developing Robust Spreadsheet Models Microsoft Office Excel 2007 can be used to create a robust spreadsheet model that meets compliance challenges and enhances productivity. The following capabilities in Office Excel 2007 can help an organization deploy spreadsheet models that make it easier to become, and stay, compliant. 1. Cell Styles 2. Lock important cells 3. Using Excel Tables to reduce errors 4. Defined Names 5. Formula auditing tools 1. Cell Styles Complex spreadsheets with multiple contributors can be unclear and difficult to read. Users interpret the information in the spreadsheet differently, make errors based on assumptions, and are unable to quickly interpret or analyze the data. Cell formatting is an important tool that can be used to visually clarify the structure of a spreadsheet with color, font, borders, and data formats. Office Excel 2007 allows users to quickly define reusable cell formatting styles that make it easy to clearly indicate input cells, formulas, output cells and other key components. To make formatting updates simple, style changes are automatically applied to all cells using that style. Cell styles help distinguish input cells from calculation cells

33 2. Lock Important Cells In addition to making the spreadsheet more understandable, organizations can reduce user errors by password protecting (or locking) specific cells, ranges, or sheets. This is a key step in the development of a robust spreadsheet. Protect Worksheets This feature can be used to lock important areas of a spreadsheet to prevent users from modifying the values or formulas in those cells. For example, an author can password-protect selected cells and prevent different types of changes to cells and other elements in the worksheet. Allow Users to Edit Ranges Similar to the Protect Worksheet functionality, the Allow Users to Edit Ranges feature allows users to lock specific areas of a spreadsheet. In addition, an author can grant edit permissions to specific groups, users, or computers based on Windows authentication. 3. Using Excel Tables to Reduce Errors Tables are common elements n spreadsheets, and they are the standard method for organizing and displaying structured data. Office Excel 2007 now recognizes tables as a native object in spreadsheets, which allows users to create robust tables that better maintain structure and are significantly easier to interact with. A table consists of three pieces: header row, data region, and total row Common Tasks Tables make common tasks easier to perform and more robust. As data is added to a table, any elements associated with the table automatically adjust. Formatting applies to new rows and formulas update to include new data. PivotChart views, PivotTable views, Conditional Formatting, and Data Validation all will update to fit the new data. Referencing Data Formulas that reference data in a table do so by name (the name of the column, e.g. Sales ) rather than by an undecipherable A1-style address (e.g., D1:D10). This type of referencing is called Structured Referencing and it increases the readability of formulas to make them easier to maintain and edit later.

34 Structured referencing in Office Excel 2007 Better Formatting With Office Excel 2007, table formatting features behave intelligently. For example, if alternate-row formatting is enabled on a table, Office Excel 2007 will maintain the alternating format rule through actions that would have traditionally disrupted this layout, such as filtering, hiding rows, or manual rearranging of rows and columns. Additionally, Office Excel 2007 includes a large number of professionally designed table styles that look good out of the box. Office Excel 2007 tables support complex row and column banding that automatically adjust with the data 4. Defined Names Defined names simplify writing formulas in complex spreadsheets, especially those spreadsheets shared among several people. However, when a spreadsheet contains hundreds or even thousands of defined names, it becomes more challenging to perform tasks such as deleting multiple names, renaming names, and finding broken names. The new Name Manager dialog box, designed specifically for viewing and managing defined names, makes it easier to: View important details such as the name s reference, value, and scope. Create and scope names. Rename existing names. Delete multiple names at once. Sort and filter the name list by common criteria including scope, type, and if the name returns an error.

35 The Name Manager dialog box 5. Formula Auditing Tools Regulatory compliance legislation requires auditable and transparent practices for spreadsheets used in financial reporting. Office Excel 2007 provides auditing tools that, along with a consistent use of cell styles and naming conventions, can accelerate the testing of spreadsheet models and reduce the risk of error once a spreadsheet is in production. Auditing tools in Office Excel 2007 enable users to: Graphically display (or trace ) the relationships between cells and formulas. Trace a cell's precedents (the cells that provide information to that cell). Trace a cell's dependents (the cells that receive information from that cell.) Check for errors in a formula.

36 A formula showing its precedents using auditing arrows Conclusion Spreadsheets are commonly used as a critical resource in most organizations, yet they often receive little budgetary resources or sound management policies. This can result in an unnecessary exposure to regulatory compliance risks. As a result, it is important for organizations to develop a spreadsheet compliance framework that includes rigorous process controls around the development, testing, and use of business-critical spreadsheets. When these controls are combined with the current and forthcoming capabilities in the 2007 Microsoft Office system, companies will have greater success in implementing and enforcing spreadsheet policies.

37 Links Information About the 2007 Microsoft Office System 2007 Microsoft Office system Web site /preview/default.mspx Microsoft Office Excel 2007 Blog blogs.msdn.com/excel Financial Regulation Documents Sarbanes-Oxley Act, Data Protection Act, Basel II: International Convergence of Capital Measurement and Capital Standards Appendix Table of Relevant Regulations Name of law or regulation Issuing authority Primarily applies to Sarbanes-Oxley United States Public companies Data Protection Act United Kingdom Companies doing business in the U.K. Markets in Financial Instruments Directive (MiFID) United Kingdom Banks and financial institutions Basel II international Banks and financial institutions HIPAA United States Healthcare companies GLBA United States, federal and state Financial institutions Patriot Act United States Financial institutions DoD United States Government contractors California SB 1386 State of California All companies doing business in California Note: this table is not a complete list

38 Microsoft Office System Capabilities Matrix 2007 Release 2003 Release SharePoint Server Permissions Partial Support Excel Services Enterprise Content Management Partial Support Record Repository Excel Secure a Workbook Information Rights Management Partial Support Protect Worksheet Allow Users to Edit Ranges Cell Styles Partial Support Excel Tables Partial Support Defined Names Formula Auditing Tools This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Microsoft Corporation. All rights reserved. This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Designer, Excel, the Office logo, Outlook, PivotChart, PivotTable, SharePoint, Visual Studio, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.