It looks like Microsoft has had enough of people moaning that Excel is a particular weak spot in financial reporting and corporate governance.
In a post on his Excel 2007 blog, Microsoft Excel team manager David Gainer drew readers' attention to a new Microsoft whitepaper on spreadsheet compliance and Excel.
The short summary is that Microsoft, too, read the PricewaterhouseCoopers demolition job on end-user computing and Sarbanes-Oxley compliance and it has done all it can to make sure the next release address the issues raised.
But both Gainer and the Microsoft report have some interesting things to say about the topic. What follows are some edited highlights to encourage you to read the full whitepaper (730k Word download).
Gainer sets the scene in his blog: "Over the past year, we've talked with customers, regulators, and solution providers to get a better understanding of what compliance means and how it applies to spreadsheets."
The whitepaper distills this research into a set of strategies users can apply to their own organisations and includes extensive coverage of how Office 2007 has been equipped to help enforce compliance controls.
The Microsoft report claims that over half of financial management reporting is performed with spreadsheets - which ExcelZone would not dispute, based on reader responses to online surveys. Even though Excel is so prevalent, the whitepaper noted a disparity between the importance of spreadsheets to business processes and the level of corporate resources devoted to development, testing, and maintenance.
"In some organisations there is the general perception that spreadsheets are a tactical tool without strategic importance. As a result, the resources dedicated toward the implementation and control of critical spreadsheets are small in comparison to other information technology assets. These disparities represent the most significant road block to spreadsheet compliance," the study comments.
Microsoft takes its lead from PwC in identifying legislative changes that are making spreadsheet compliance so important - notably the Sarbanes-Oxley Act 2002, the European Union's Data Protection Act and the 2006 Basel Capital Accord.
It also echoes the Big Four auditor's recommendations on internal controls and adds a few of its own:
- Before controls can be implemented and enforced, management must acknowledge spreadsheets as a critical enterprise resource and then budget and plan accordingly.
- To drive an effective compliance strategy, representatives from IT, internal audit, and finance departments need to be involved, along with other departments as needed.
- Automated systems can help monitor and control spreadsheets, which may require further financial and development resources as well.
- Once implemented, the control processes must be monitored and enforced by dedicated people with an understanding of the overall compliance strategy.
One of the most interesting sections of the whitepaper draws on the work of Microsoft's own Financial Compliance Group. The group put PwC's recommendations into practice and carried out an inventory that revealed the existence of 42 business-critical spreadsheets. These were classified according to the potential compliance risks in a table which also lists the corresponding control activities.
For example the risk of unauthorised access and modification of data or formulas can be countered by storing them in restricted directories. And to prevent the overwriting of historical data by unauthorised changes, the group suggested converting and archiving spreadsheets from previous reporting periods in read-only format to preserve audit trails.
Finally, there is no escape from the sales pitch, but it is clear Microsoft has taken the compliance problems associated with spreadsheets to heart. A healthly list of enhancements are documented, including measures to prevent unauthorised access and changes, archiving aids and new tools to help users design robust spreadsheet models
For example, the white paper explains how cell formatting can be used to clarify the appearance of complex spreadsheets models - particularly when multiple contributors are involved. Reusable cell formatting styles in Office 2007 will make it easier to indicate cells that are designed for user input, or those that contain formulae.
Related articles
