Managing Spreadsheets in a Regulated Environment
Christoph Nickel, Senior Product Manager, Laboratory Informatics, Agilent Technologies, Inc.
The implications and impact of government regulations are far reaching for public companies today. The Sarbanes-Oxley Act requires more stringent Securities and Exchange Commission (SEC) oversight and auditor independence, better corporate responsibility, and improved business processes for financial disclosure. Further, the Food and Drug Administration’s (FDA) 21 CFR Part 11 mandates for reliable electronic records that are maintained with high integrity. But when it comes down to the day-to-day activities under scrutiny, companies continue to struggle with how to establish proven and efficient processes to reduce the costs and risks associated with managing electronic records and financial data, particularly the spreadsheets used to track revenues, costs, commissions and analytical data.
Asking users to remember to manually sign out a spreadsheet, and log the changes they made is very prone to error. Routing paper documents for review and signature can take days or weeks as interoffice mail is miss-delivered or responsible persons are away from the office. And, managing corporate spreadsheet templates on the desktop and emailing them to colleagues is not secure, and not a good option for compliance.In a recent report published by Price Waterhouse Coopers (PWC), it was discovered that “a spreadsheet error at a major financial institution was deemed a significant factor in a $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process – an unapproved change to a formula within the spreadsheet – and other control deficiencies, including lack of technical and user documentation, insufficient testing and inadequate backup and recovery procedures.” (The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act, PWC, July 2004). With proper security, carefully defined internal controls, and a secure mechanism for managing corporate spreadsheet templates, this type of error can be avoided.
As far as the analytical laboratory environment is concerned, Microsoft Excel has become the de facto standard spreadsheet application for almost all types of calculations. Excel’s powerful and flexible calculation tool can handle all the analytical results from chromatographic data systems. Unfortunately, like all off-the-shelf spreadsheet applications, Excel was not designed to meet specialized regulatory requirements such as change documentation and access control. Excel is completely open and offers only isolated security measures, for example, password protection for individual spreadsheets. The standard Excel tools by no means address the needs of secure and traceable data management. There are two major reasons for errors in Excel spreadsheets; first, the system does not prevent unauthorized users from making significant changes, and second, there is no mechanism to track and document all changes for full traceability. In essence, Excel is almost perfect but the difference between almost and truly right is important. Think of a hole in a dam.
A further parameter in the equation is the cost effectiveness of the enterprise. All organizations seek to improve compliance with corporate Standard Operating Procedures (SOPs) and regulatory mandates, and at the same time improve overall business results. To do this requires spreadsheet security, traceability, and access control that is automated and executed without any user interaction. This type of secure data handling prevents undocumented errors, protects intellectual property, and ensures well-documented data exchange.
The conditions and constraints described above helped Agilent Technologies and Scientific Software Inc (SSI) to draft a set of functional requirements for and subsequently develop the Cerity Enterprise Content Manager (ECM) product. Previously marketed by SSI as CyberLAB enterprise content management system, Agilent Cerity ECM together with remediation services for Microsoft Excel (RSME) provide a powerful solution to address these business challenges by extending compliance for spreadsheets out to the desktop.
The Agilent Cerity ECM and RSME solution helps organizations speed up verification of spreadsheets, establish access and change controls for standard spreadsheet templates and reduce computational errors. This enables for compliance and secure collaboration, while minimizing the risk of non-compliance with regulatory mandates. More and more, corporate auditors are citing the use of spreadsheets in financial calculations as areas where internal controls are needed for remediation per Section 404 of the Sarbanes-Oxley Act.
Integration of Microsoft Excel in Agilent Cerity ECM
The successful implementation of a corporate-wide electronic content management solution is dependant upon the end users utilizing the system. Providing users with an interface that is integrated with the desktop products they use on a daily basis removes some of the intimidation and training issues. Desktop integration adds menu items and toolbar buttons into Microsoft Office and other applications such as Windows Explorer and Adobe Acrobat. In Microsoft Excel the added toolbar contains buttons with familiar icons representing standard functionality and provides users with direct access to files stored in the secure Agilent Cerity ECM repository. Users can search for and open any file they have access to, check the file out for editing, and save new versions of the file back to Agilent Cerity ECM without leaving the familiar desktop application.
Spreadsheet Security Throughout The Entire Lifecycle
The Agilent Cerity ECM and RSME solution contains a complete feature set to secure and manage spreadsheets throughout their entire lifecycle, from creation through destruction. The combination of standard Agilent Cerity ECM features and the additional RSME desktop integration features provide a full suite of compliance enabling features including secure spreadsheet access, version control, electronic signature, audit trail, archive, and enforcement of record retention policies.
Compliance with regulatory mandates is a complex process, which no software package in and of itself can ensure. Compliance requires not only software features but policies, procedures, user training and appropriate implementation of the features that the software provides. Agilent Cerity ECM with remediation services for Microsoft Excel provides a solution designed to help the implementation of compliant processes for the creation, management, and sharing of spreadsheets and all electronic files throughout the enterprise.
For more information:
www.agilent.com/chem/cerityecm