Miscellaneous - Asbjoedt/CLISC GitHub Wiki

Interesting references

What Guido van Rossum (inventor of Python) thinks of Excel:

Video about the first spreadsheet application:

Link to international spreadsheets risk interest group:

Article by Dr. Victoria Lemieux:

Notable excerpts from Lemieux's article

Archiving: The Overlooked Spreadsheet Risk (2005) by Dr. Victoria Lemieux.

p. 1

...spreadsheets may be used to perform reconciliations by downloading information from two systems into separate MS Excel spreadsheets. MS Excel functions and pivot tables are then used to create summary data for each source.

p. 2

...discussion of SOX archiving requirements and how to mitigate archiving risks and introduce into an organisation best spreadsheet archiving practices for SOX compliance.

Equally important, however, are the risks associated with failing to properly archive spreadsheets.

Why should spreadsheet archiving be considered a critical risk area? Simple: there are risks to the business when critical information is not properly retained and accessible, especially in the post-SOX world.

p. 3

In the article, Lemieux uses an example of improper spreadsheet archiving that was characterized by:

  • Individualistic naming of files
  • Ad hoc assignment of storage location
  • Absence of any objective criteria governing deletion of spreadsheets from storage; no understanding of these spreadsheets as "records" that needed to be kept as evidence
  • Failure to preserve a link to the business context in which the spreadsheets were created
  • Inability to guarantee the authenticity and reliability of spreadsheets; no effort was made to "lock" down their content as part of a formal archiving process; after a period of time their integrity was seriously questionable

p. 4

Many still rely on back up processes better suited to disaster recovery than to the preservation of evidence to meet legal and regulatory requirements.

p. 5

It is best to address spreadsheet archiving as part of setting up (if there is no programme in place), maintaining and ensuring compliance with an organisation-wide records management programme.

Good records management practice calls for the establishment of Records Retention Schedules. These are documents that identify the records that must be created by law or regulation, and the period of time for which those records must be retained.

...the U.S. courts have shown a distinct favouritism for the submission of evidence in its "native" form (i.e. electronic) rather than receiving a paper "copy".

p. 6

...there is the question of whether removing the records from their business context has the potential to diminish the evidentiary qualities of the records. Unless carefully procedurally controlled, there easily could be a danger of reduced record integrity. Therefore, a better approach is to identify the records, properly manage and archive them "in situ" (i.e., within a production environment) or a corporate archiving environment, and apply appropriate indexing for retrieval.

Steps must be taken to ensure that spreadsheet content, structure and context, that is, the links to the business transactions that they were created to support, are retained for their required period of time in a form acceptable to regulators, investigators and the courts.

p. 10

...spreadsheets are created using end-user processing technology readily available on the desktop. As such, spreadsheets are often created and managed by the end-user, who may be very unfamiliar with the principles of managing the software or records life cycle.

The following two categories are recommended

  • Spreadsheets that do not, or only minimally, process data and which are created and maintained by end users
  • Spreadsheets that do more complex processing of data in order to perform or support critical processes and in which the IT department may have more involvement in the design and management

It is recommended that the archiving of spreadsheets that fall into the first category be dealt with in the same manner as the archiving of other unstructured content (e.g., Word files, some MS Access databases). Spreadsheets that perform more complex processing functions, on the other hand, are better handled as mini applications in which their archiving is dealt with in the context of managing the application life cycle.

Although spreadsheets that fall into the first category do not perform complex functions, they still do form an important part of the trail of evidence that SOX requires. For this reason, it is risky simply to rely on archiving the source data and recreating the spreadsheet in the event of a request for documentation, as investigators will be looking for evidence with integrity and authenticity... As such, it is a much less risky strategy to preserve, and be in a position to present, the entire evidentiary trail - source data and spreadsheet.

p. 11

Generally speaking, the creation and management of spreadsheets that fall in the first category falls to the end user.

...an organisation should establish some controls over how end users create and store spreadsheets.

  • Low criticality/small scale operations - designate folder on server as archival folder and place all spreadsheets in folder in PDF or PDF/A format to lock down content.
  • High criticality/large scale operations. Introduce an electronic management system with WORM storage. Institute Life Cycle Management processes.

Paying attention to data archiving requirements at the time at which a spreadsheet is created can make the process of archiving much easier and more effective in the long run.

p. 12

It is now generally agreed that reliance on backup processes is no longer a suitable data archiving strategy.

When archiving spreadsheets to off-line and less expensive storage, the spreadsheet can be retained in its production format (e.g., an MS Excel file) or it can be converted to and retained in an open standard format such as PDF/A or WL to protect against technological change. The decision about the best format in which to retain the file should be in proportion to the expected length of time for which the spreadsheet must be retained, that is, the longer the retention, the better it will be to retain in an open format.

It should be noted that the migration of data into archival systems needs to be tightly controlled in order to ensure that data is not lost and that data authenticity and integrity is maintained.

p. 13

Most discussions of spreadsheet risk focus on the factors contributing to accuracy and reliability of spreadsheet data content. Archiving, however, is often overlooked. But, as argued in this paper, it is critical for full SOX compliance.

Jokes

I was trying to calculate the sum of all fears, but Open XML told me this information was classified.

I tried to calculate 2+2, but I did not Excel.

(a joke with a Radiohead reference wow!)