<< Denise
I would like to respond to this message from the
perspective of the pharmaceutical industry, a heavily
regulated industry where the requirements that SOX seems
to be demanding have been in place for many years - I'm
sure that there are processes that can be transferred from
pharma to the financial industry in order to meet the
latest requirements. >>
Dave, I printed out your entire response for my SOX
folder. Really good stuff.
<< #1 In Pharma the MD is ultimately responsible for
ensuring all computerised systems that collect/calculate
data are fully validated and controlled. (If he/she doesn't
then the ultimate sanction is a prison sentence!). This
requirement is typically passed down to the QA / IT and
Operational departments. Spreadsheet "control" may be the
responsibility of IT - this would involve maintaining an
inventory of systems, users, access rights etc and ensuring
that only validated systems are available to users.
Spreadsheet Validation would be down to the owner, and
would typically be approved by the QA department.
Validation must produce documented evidence that the
spreadsheet operates as expected and that all users are
trained in its use (Specifications, Test Protocols, formal
release notices and standard operating procedures).
Procedures must also be in place to remedy any errors via
a formal change control procedure. >>
I would be willing to wager good money that these exact
standards are imposed in financial areas. I think that the
standards are in flux, despite the SEC's "Final Ruling".
But I also believe that the standards will become more
rigid, not less.
Incidentally, the penalty for noncompliance for CEOs and
CFOs is similarly jail time. Why else would there be such
a panic to comply? ;-)
So, question for you: If IT is ultimately responsible for
spreadsheet control, does that mean that your IT
department has an Excel expert on staff? And how does IT
ensure the security of the spreadsheets, when Excel is
notoriously easy to burglarize?
And what kind of indemnification is offered to people who
sign off on the various levels of report generation? I ask
because one topic of conversation has been whether some
type of D&O liability insurance is required for non-D&O,
i.e., extending D&O liability coverage to mid-level managers.
Also, who is responsible for maintaining the formal change
control procedures? And (more importantly for me), how do
you enforce the no-change rule once a report has been
validated? (I have grown extraordinarily weary of managers
who don't understand that when you change a "little" thing
about a massive report, it has massive consequences on
procedures and makes the report itself unreliable, because
you aren't comparing similar data from period to period.)
<< #2 Essential data (GxP in Pharma terms!) is often
separated from non-essential data but this is not a
mandatory requirement. What is mandatory (and difficult
to implement in Excel) is that all data entry should be
audited - i.e. you must have a record of who entered the
data and when. An additional requirement is that ALL
changes to data must be audited and a record maintained of
who, why, when together with old + new data values. The
validation effort would be expected to demonstrate the
security of the system and to ensure that the audit trail
cannot be altered. >>
This is exactly one point that sticks out like a sore
thumb in my SOX analysis. How CAN we "force" people who
change reports to document their changes? For me, this is
a huge Excel weakness that's got to be addressed, and if
SOX forces the change, bless SOX.
I have to generate an enormous monthly report -- 22 MB,
can't be emailed even zipped. The manager I generate the
report for changes it every month, and "forgets" to save
the changed report to the central file. It's a report that
is built on top of the prior month's report, so it's
critical that any changes made be identified as to who
made them and why, and that the changes be carried forward
into the next month. I have tried all kinds of nice
wheedling and cannot get her to understand why it's
critical to preserve data integrity. SOX was created
precisely for managers like her. Now it's a matter of
getting Excel to help me make "her" SOX compliant.
<< As far as approving data goes, using the example
quoted, it's probably only necessary to approve the three
pricing worksheets - the rationale being that the interface
workbook would be fully audited (i.e. traceable) and the
Validation has proved that the financials are all
correctly transferred/calculated. >>
But isn't that a dangerous assumption? Just asking.
<< #3 If you see some of the print-outs from Pharma, there
is no such thing as "too big to print". What you must
ensure though is that the print-out will pass the 'drop'
test - every page must have a unique document number, be
labeled 'Page x of y' and preferably include the time of
print-out.
An acceptable alternative (from a legal point of view!) is
to electronically sign the spreadsheet, in Pharma this is
governed by 21 CFR Part 11, which specifies an array of
technical and procedural controls on the application of
the ES.
More information can be found at
http://www.spreadsheetvalidation.com/, this site also
details a commercial add-in to put all the necessary
security and audit trails around Excel. I'm sure you will
also be able to find external help to implement the
necessary procedural controls to meet the regulatory
demands (these will probably require much more effort than
the technical side!) >>
Dave, EXTREMELY helpful. Thanks!
For the record, I am one person who fully believes that
SOX was long overdue. I don't think it's a negative thing
at all. I see it as imposing standards that should have
been put into place voluntarily. I see it as a speed limit
law. If every driver drove responsibly, we would not need
speed limits. But since we don't live in a perfect world,
we do need speed limits.
Best regards,
Denise.
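The audit-trail requirement quoted under #2 (who, why, when, old and new value for every change, and a trail that cannot be altered unnoticed) can be illustrated outside Excel. The following is an added example, not code from either correspondent or from the add-in mentioned above; it assumes the log is kept as a hash-chained record that the report owner stores separately from the workbook, so that a silently edited or deleted entry breaks the chain on the next verification.

```python
"""Tamper-evident change log for spreadsheet edits (added example).
Each entry holds who/when/why plus the cell's old and new value; entries are
hash-chained so that altering or removing an earlier entry is detectable."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class Entry:
    who: str
    when: str      # ISO timestamp supplied by the caller (constructed in tests)
    why: str       # mandatory reason for the change
    cell: str      # e.g. "Pricing!C12" (hypothetical sheet/cell reference)
    old: str
    new: str
    prev_hash: str  # digest of the preceding entry, links the chain
    digest: str = ""


def _digest(e: Entry) -> str:
    # Hash every field except the digest itself, in a canonical order.
    body = {k: v for k, v in asdict(e).items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # anchor for the first entry

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def record(self, who: str, when: str, why: str, cell: str, old: str, new: str) -> Entry:
        # Refuse changes with no stated reason: "why" is part of the required record.
        if not why.strip():
            raise ValueError("a reason is mandatory for every change")
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        e = Entry(who, when, why, cell, old, new, prev)
        e.digest = _digest(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        # Walk the chain; any edited, reordered or dropped entry breaks a link.
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e) != e.digest:
                return False
            prev = e.digest
        return True
```

Verification catches after-the-fact edits to the log, but not a change made to the workbook without logging it; that gap is closed procedurally (access rights and sign-off), which is the harder half of the control the thread describes.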