Archiving: The Overlooked Spreadsheet Risk
Authors: Victoria Lemieux
Archiving: The Overlooked Spreadsheet Risk

Dr. Victoria Lemieux
IT Risk & Security, Credit Suisse First Boston
One Cabot Square, London, E14 4QJ
Vicki.lemieux@csfb.com

ABSTRACT

This paper maintains that archiving has been overlooked as a key spreadsheet internal control. The case of failed Jamaican commercial banks demonstrates how poor archiving can lead to weaknesses in spreadsheet control that contribute to operational risk. In addition, the Sarbanes-Oxley Act contains a number of provisions that require tighter control over the archiving of spreadsheets. To mitigate operational risks and achieve compliance with the records-related provisions of Sarbanes-Oxley, the author argues that organisations should introduce records management programmes that provide control over the archiving of spreadsheets. At a minimum, spreadsheet archiving controls should identify and ensure compliance with retention requirements, support document production in the event of regulatory inquiries or litigation, and prevent unauthorised destruction of records.

1. INTRODUCTION

Many companies rely on spreadsheets for financial reporting and in support of operating processes. For example, in a financial services firm, spreadsheets may be used to perform reconciliations by downloading information from two systems into separate existing MS Excel spreadsheets. MS Excel functions and pivot tables are then used to create summary data for each source. When spreadsheets are core to business processes, poor control over them can have a significantly negative effect upon a company's bottom line and reputation.

PricewaterhouseCoopers reports the following examples of how spreadsheet risks can impact upon the corporate bottom line (PwC, 2005):

- A spreadsheet error at a major financial institution was deemed a significant factor in a major $1 billion financial statement error in the classification of securities. The error resulted from a flawed change control process (an unapproved change to a formula within the spreadsheet) and other control deficiencies, including lack of technical and user documentation, insufficient testing, and inadequate backup and recovery procedures.
- A utilities company took a $24 million charge to earnings after a spreadsheet error (a simple mistake in cutting and pasting) resulted in an erroneous bid in the purchase of hedging contracts at a higher price than it wanted to pay.
- A trader at a bank was able to perpetrate fraud by manipulating spreadsheet models used by the bank's risk control staff. Because of inadequate controls over spreadsheets, this fraud continued for months.

Not surprisingly, then, being able to demonstrate sound internal control of critical spreadsheets in compliance with the Sarbanes-Oxley Act (SOX) is as important as being able to demonstrate it in respect of core processing applications and other critical systems. With the introduction of SOX, applying sound internal controls to spreadsheets not only makes good business sense but also becomes a legal requirement.

This paper will argue that archiving has been overlooked as a key spreadsheet internal control. Using a case study of failed Jamaican commercial banks, it will demonstrate how poor archiving can lead to weaknesses in spreadsheet control that contribute to operational risk. This will be followed by a discussion of SOX archiving requirements and of how to mitigate archiving risks and introduce into an organisation best spreadsheet archiving practices for SOX compliance.

2. ARCHIVING: THE OVERLOOKED SPREADSHEET RISK

Discussions of spreadsheet-related risks generally focus on:

- Complexity of the spreadsheet and calculations
- Purpose and use of the spreadsheet
- Number of spreadsheet users
- Type of potential input, logic and interface errors
- Size of the spreadsheet
- Degree of understanding and documentation of spreadsheet requirements by the developer
- Uses of the spreadsheet's output
- Frequency and extent of changes and modifications to the spreadsheet
- Development and developer training and testing before the use of the spreadsheet (PwC, 2005).

Equally important, however, are the risks associated with failing to properly archive spreadsheets. Why should spreadsheet archiving be considered a critical risk area? Simple: there are risks to the business when critical information is not properly retained and accessible, especially in the post-SOX world.

3. A CASE STUDY OF ARCHIVING RISKS

A study of the Jamaican banking crisis, in which all of the country's indigenous commercial banks failed, shows how poor control of spreadsheet archiving contributed to the flawed decision making that, in turn, fed into the failure of Jamaican banks (Lemieux, 2002). Like many other firms, the banks relied heavily on spreadsheets because their major transaction processing and risk management systems failed to meet management information and reporting requirements.
Interviews with former employees of the failed banks reveal that they used spreadsheets in the following ways:

- Cash management
- Financial control and budgeting
- Analysis of customer and product profitability
- Analysis of the cost of funds
- Currency position management
- Credit decision management
- Interest rate sensitivity analysis and risk management
- Recording of proprietary trading in securities.

There was an ad hoc approach to spreadsheet archiving at these banks, characterised by:

- Individualistic naming of files. Individuals were allowed to assign their own names to files. These names often gave no clue as to the content of the file or its relation to a business process. Ultimately, individualistic naming of files was a major factor in the inability to locate important spreadsheets. Once the creator of a spreadsheet left a bank, the spreadsheet was as good as gone with them, since knowledge of its existence and of how to retrieve it vanished with the individual who had named and stored it. Even when the creator was still around, individually named spreadsheets became "information islands", often available only to the single user responsible for their creation, even though the information they contained was of benefit to the decision-making processes of others.
- Ad hoc assignment of storage location. Individuals were permitted to store spreadsheets on their personal drives, to which they alone had access and for which they alone made decisions about retention or deletion of documents.
- Absence of any objective criteria governing deletion of spreadsheets from storage. Without any clear understanding of the importance of spreadsheets in the management information and reporting process, no one saw any reason to control their deletion. This resulted in periodic purges of important spreadsheets as storage locations became full. Since there was no understanding of these spreadsheets as "records" that needed to be kept as evidence of how the bank's financial positions were calculated, when drives filled up and the notice came round from IT to make more space available, individuals purged their drives and wiped out the evidentiary trail.
- Failure to preserve a link to the business context in which the spreadsheets were created. This failure often rendered spreadsheets meaningless as background to a particular business decision.
- Inability to guarantee the authenticity and reliability of spreadsheets. Since there were no controls over how spreadsheets were archived and no effort was made to "lock down" their content as part of a formal archiving process, if anyone was lucky enough to actually locate one of these documents after a period of time, its integrity was seriously questionable, since anyone could have changed the content in the intervening period and audit trail controls were weak to non-existent.

Former managers at the failed banks commented on the impact of poor spreadsheet controls on the banks. One interviewee, for example, described how the bank was forced to rely on competitors' actions to drive its asset and liability management (ALM) policies because the bank's own interest rate sensitivity data, which had been recorded in spreadsheets, could no longer be accessed (Lemieux, 2002, p.258).

Poor control over spreadsheets at Jamaican indigenous banks contributed to management information and external reporting problems (i.e., P&L distortions) that in turn contributed to the banks' management and external regulators losing sight of the banks' true positions and exposures. This problem fed a downward spiral into liquidity crisis.
As the Jamaican financial crisis unfolded, the government also recognised that fraud and corruption had contributed to the collapse of indigenous banks. To address these allegations, it established a team of foreign and local forensic auditors to work with the police fraud squad to identify and take action on instances of fraud. Inaccessibility of source documents, however, seriously hampered the auditors' work. The work of reconstructing what in some cases were very convoluted financial transactions was made extremely difficult by the fact that critical records, many in spreadsheet form, were missing. One interviewee said:

"I am looking at a particular company now where I thought that I was told that all the servers there that I could run off the information. When somebody attempted to do that they realised that the diskette was bad or contaminated. So you have a whole year's [data] that you cannot access . . . I have tried so all I have now left to do is to utilise some of the hard copies. But it is not consistent. You have one month, you can't find two months and you have another month. So it is going to be very difficult to trace these transactions." (Lemieux, 2001, p.338).

Though the absence of archival controls over spreadsheets at the failed indigenous banks may have been extreme, similar problems are not unknown in other firms. Though no separate data exist for spreadsheets, the aggregated data covering all electronic records indicate that very few organisations have established formal programmes to systematically manage the archiving of their electronic records (AIIM, 2005). Many still rely on backup processes better suited to disaster recovery than to the preservation of evidence to meet legal and regulatory requirements.

4. WHAT SOX SAYS ABOUT ARCHIVING

In the post-SOX world, control over the archiving of spreadsheets becomes a critical compliance matter as well as a business competitiveness issue. There are a number of SOX provisions that impact upon records and information management, some more relevant to the matter of archiving spreadsheets than others. This section will highlight just a few of these (a full list of the requirements will be available in the appendix to the published version of this paper):

1. SOX 103(a)(2)(A)(i): audit reports, work papers, and other information related to any audit report must be kept for at least 7 years. Audit reports must contain statements about the testing of internal controls and whether those control structures include maintenance of accounting records.
2. SOX 104(e): public accounting firms may be required to retain records not otherwise required under section 103.
3. SOX s. 802, rule 2-06(a): requires a retention period of 7 years after conclusion of the audit or review for accountants to retain "records relevant to the audit or review of issuers' and registered investment companies' financial statements, including work papers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents and records (including electronic records), which are created, sent or received in connection with the audit or review." A company, in consultation with its legal and accounting advisors, will need to determine which of its spreadsheets and other records fall within the meaning of this provision of the Act and related rules. Violation of this rule carries a penalty of up to 10 years' imprisonment.
Given the records and information management requirements under SOX, express or implied, and the penalties for non-compliance, poor control over spreadsheet archiving is a risk that should not be left unmitigated.

5. ADDRESSING SPREADSHEET ARCHIVING RISK - ELEMENTS OF GOOD PRACTICE

It is best to address spreadsheet archiving as part of setting up (if there is no programme in place), maintaining, and ensuring compliance with an organisation-wide records management programme. This approach will also demonstrate that archiving controls are part of business-as-usual practice, not merely a "tick the box" approach to SOX compliance. It will also ensure that SOX controls do not work at cross-purposes with other organisational records requirements and controls.

SOX does not explicitly direct any records management activities, so organisations cannot simply follow a statutory recipe to achieve good archiving practices. However, the Act demands a number of specific outcomes that need to be underpinned by effective records and information management practices. The requirements of an organisation's records management programme should be guided by what is needed to meet these outcomes. International standards, such as ISO 15489, the international records management standard, can provide guidance on how to go about establishing a compliant records management programme (ISO, 2001). At the end of the day, the goal of the records management programme should be to create the processes, procedures and records necessary to demonstrate compliance with SOX and to repudiate any claims of misfeasance or malfeasance (Montana et al., 2003).

6. RETAINING RECORDS

Good records management practice calls for the establishment of Records Retention Schedules. These are documents that identify the records that must be created by law or regulation, and the period of time for which those records must be retained. An organisation should definitely have one of these documents in place. Often, one finds that an organisation's archiving function has established a Records Retention Schedule, but that the scope of its coverage extends only to paper documents. There is no question that SOX requirements apply not just to paper records, but also to documents in a multitude of electronic forms, including electronic versions of spreadsheets. Indeed, ever since electronic forms of documents became ubiquitous, the U.S. courts have shown a distinct preference for the submission of evidence in its "native" (i.e., electronic) form rather than receiving a paper "copy" (Wallace, 2001). Consequently, organisations should be clear that their Records Retention Schedules apply to records in all forms.

In terms of the retention requirements related to SOX, there seems to be much debate and confusion in this area. Recent discussions on the IT Governance listserv led to a wild claim that all records had to be retained for 7 years. This is not the case. Sections 103(a)(2)(A)(i) and 802(1)(a) apply to audit records and audit work papers of public accounting firms. Industry best practice has evolved to include internal audit records and work papers as well, though there is no explicit requirement for retention of these records in the Act or its related regulations. Initially, the Act required that audit work papers be kept for a period of 7 years under section 103 and 5 years under section 802. The requirements under section 802 have subsequently been raised via U.S. Securities and Exchange Commission regulation to 7 years in order to harmonise with section 103 of the Act and with auditing standards (SEC, 2003). However, the Act also says (s. 802(2)(c)) that nothing in it should be taken to diminish or relieve an obligation to comply with the records retention requirements or prohibitions on document destruction mandated by other legislation. This means that if audit records fall within the retention requirements of other legislation and those retention requirements are longer, the longer of the requirements would apply.

Audit-related records are the beginning and end of explicit retention requirements in SOX, but clearly the letter of the Act requires compliance with the retention requirements of other legislation (s. 802(2)(c) above). Moreover, the requirements of section 404 are underpinned by evidence of the establishment and proper operation of effective internal controls. This implies a much wider obligation on organisations to retain records. Many of these records will be spreadsheets created as part of SOX-relevant business processes. Though the Act focuses on the accuracy of corporate financial records, an organisation would be foolish to stop its records management efforts with financial records. The fact is that non-financial records can provide evidence of financial vulnerabilities. As such, they will be deemed relevant to any SOX-related requirements and inquiries.

Another SOX records retention myth that needs to be explored and, in my view, exploded, is that SOX-relevant records must be gathered up and kept in a single SOX records repository. This would certainly be one approach to ensuring retention of the records required by SOX. The expense, however, could be prohibitive.
Aside from the expense of gathering up all SOX-relevant records for retention, there is the question of whether removing the records from their business context has the potential to diminish the evidentiary qualities of the records. Unless carefully procedurally controlled, there could easily be a danger of reduced record integrity. Therefore, a better approach is to identify the records, properly manage and archive them "in situ" (i.e., within a production environment) or in a corporate archiving environment, and apply appropriate indexing for retrieval.

Having said that Records Retention Schedules apply to records in all forms, including spreadsheets, the trick is putting them into effect. Most organisations retain electronic spreadsheets, as in the Jamaican case study above, on a variety of servers, and leave control over the life cycle of such documents to the individuals who generated them in the first place (i.e., usually an end user). In the post-SOX environment, it should be abundantly clear that this approach is no longer advisable. Steps must be taken to ensure that spreadsheet content, structure and context (that is, the links to the business transactions that they were created to support) are retained for their required period of time in a form acceptable to regulators, investigators and the courts. This paper will return in a later section to the implementation of Records Retention Schedules; but for now, suffice it to say, regulators have shown a definite impatience with organisations that are not able to produce requested documentation. For example, in 2002 the U.S. Securities and Exchange Commission levied fines against five investment banks for failure to preserve emails (SEC, 2002).

Records Retention Schedules must not only be implemented; they must be regularly reviewed. A regular review will ensure that the Records Retention Schedule remains consistent with legal and regulatory requirements, complete (i.e., incorporating the records generated by new business functions), and appropriate to the business environment. When reviewing Records Retention Schedules, therefore, organisations should look at the currency of retention periods, records series, nomenclature, indexing and structure, and overall compliance. A regularly reviewed Records Retention Schedule will be a good defence strategy in the event of the kind of scrutiny that records management programmes can now come under in the event of SOX-related investigation or litigation.

7. RETRIEVING RECORDS

Documentation must be capable of being accurately and quickly retrieved in the event of an investigation, regulatory inquiry or litigation. Even the most complete documentation loses value if it cannot be retrieved. Given the climate of suspicion that was the impetus for the Act, delays in the production of legitimately requested records and information can be extremely damaging: opponents and, it should be added, the public are willing to assume bad motive and push for sanctions. For example, a Florida court recently penalised the investment bank Morgan Stanley for "bad faith" actions in respect of handing over backup tapes containing emails relevant to the Perelman litigation against Sunbeam. The judge told the jury it should simply assume that Morgan Stanley had helped defraud Mr. Perelman (Craig, 2005). Even without regulatory sanction or court-imposed penalties, the reputational damage can be significant.

The ability to accurately and quickly retrieve documentation will be assisted by setting up standardised file structures, implementing file naming conventions, and indexing spreadsheets. Personnel must also be sufficiently well trained to carry out document requests efficiently and in the time frame demanded, as well as to understand the need to protect the integrity of the documents throughout the retrieval process.

File naming conventions deserve special attention because one of the most common failings of retrieval systems is poor nomenclature. Under the best of circumstances, poor nomenclature impedes the ability of users to retrieve information efficiently. In the worst case, it can be interpreted more sinisterly. Poor naming conventions may be taken as an attempt to conceal information or, as in the recent Citigroup European bond trading scandal, in which the bank's highly contentious bond trading move was rather ominously and unfortunately named "Dr. Evil" (Wall Street Journal, 2005), arm opponents and cause damage to a firm's reputation. Clarity and transparency should be key goals in the development of file naming conventions and indexing plans.

Many organisations fail to preserve the links between individual documents and the business context to which they relate. This can be a mistake, as it can render a document difficult to locate, open the meaning of the document up to "creative" interpretation by adversaries, and make it difficult to determine whether a document legitimately falls within the scope of a document production order or legal discovery exercise. Classification of documents according to a corporate records taxonomy can serve as a vehicle for preserving contextual links in documents. Another means of achieving this goal is to capture contextual metadata, such as the name of the business process or transaction for which the document is being created, which is either stored in a database or embedded in the document itself.
Business process flows can be another very useful way of capturing information about how spreadsheets fit into the overall business context.

8. DESTROYING RECORDS

One might think, given the harsh penalties associated with records destruction, that, records management programme or no records management programme, any records destruction should be halted. Quite the contrary: records destruction should still take place in keeping with best practice, but it must be part of the normal and ordinary course of business. The best way to demonstrate that destruction is legitimate is for records disposals to take place in the context of an established records management programme and with full audit trails of disposal actions. "In contrast, for any organisation undergoing Sarbanes-Oxley scrutiny, ad hoc destruction of records in the absence of a formal programme, no matter how innocent the motive, invites the most damning inferences as to reasons." (Montana et al., 2003).

ISO 15489, the international records management standard, establishes the following principles governing records disposal (ISO, 2001):

- Disposition authorities that govern the removal of records from operational systems should be applied to records on a systematic and routine basis in the course of normal business activity.
- No disposition action should take place without the assurance that the record is no longer required, that no work is outstanding, and that no litigation or investigation is current or pending (or even reasonably foreseeable) which would involve relying on the records as evidence.
- Destruction should always be authorised.
- Records pertaining to pending or actual litigation should not be destroyed.
- Records destruction should be carried out in a way that preserves the confidentiality of any information they contain.
- All copies of records that are authorised for destruction, including security copies, preservation copies and backup copies, should be destroyed.
- Records systems should be capable of facilitating and implementing decisions on retention or disposition of records. It should be possible for these decisions to be made at any time in the existence of the records, including during the design stage of the records systems.
- It should also be possible, where appropriate, for disposition to be activated automatically.
- Systems should provide audit trails or other methods to track completed disposition actions.

Given the penalties in the Act associated with destruction of records, it is worth focusing some detailed attention on the subject of destruction bans and legal holds on records destruction. The Act has established a Public Company Accounting Oversight Board (PCAOB). The PCAOB is vested with broad power to oversee public accountancy, set standards for the conduct of audits and the maintenance of records by public accountants, and generally to oversee and enforce standards of public accounting. The parties most directly affected by the PCAOB are public accountants and auditors, but the PCAOB also has investigative authority over the auditing of public companies. In general, the PCAOB is empowered to request and/or subpoena documents in the possession of any person, including a client of a registered public accounting firm, which the Board considers relevant or material to an investigation. A publicly traded company thus may find itself required to respond to an investigation by the PCAOB by producing documents and information related to an audit.

It is therefore imperative for organisations to have in place policies, procedures and systems for handling information production demands arising out of government investigations, litigation, and other legal and adversarial situations. Even for organisations that already have such policies, procedures and systems in place, the Act stipulates requirements that should encourage a check for efficacy in relation to the following (Montana et al., p. 18):

- The Act grants authority to demand production of testimony or documents well in advance of any formal proceeding such as litigation. Are procedures sufficient to ensure that documents are safeguarded from the moment such proceedings are reasonably foreseeable?
- Are existing procedures sound and foolproof? For example, once a document destruction hold order has been issued, is the organisation confident that no documents will be destroyed? In many circumstances, implementation of a document destruction hold is the responsibility of the employee, and there are very few controls in place to ensure that this responsibility will be carried out.
- Is staff training and awareness sufficient to provide documents in the time frame and with the accuracy required?

9. ARCHIVING STRATEGIES: SOME PROPOSALS

Having discussed general good practice in respect of archiving, this paper will now turn to the specifics of how these practices might be applied to spreadsheet archiving. SOX essentially requires that spreadsheets be dealt with as any other record that would be required as evidence to substantiate an organisation's financial statements. All records have a life cycle consisting of the following phases:

1. Creation and/or receipt
2. Active use
3. Semi-active use, during which records are referred to less often because the business transaction for which they were created or received has been completed.
4. Inactive use, during which records are rarely referred to but must be retained for legal/regulatory or business reasons. It is during the inactive period that records generally are migrated from production environments to an archive and/or deleted from production environments.

The records life cycle roughly parallels the software life cycle. As with other types of records, effective spreadsheet archiving will begin at the point of spreadsheet creation and end only when the spreadsheet has met all retention requirements. Like Word documents or MS Access databases, spreadsheets are created using end-user processing technology readily available on the desktop. As such, spreadsheets are often created and managed by the end user, who may be very unfamiliar with the principles of managing the software or records life cycle. In some cases, however, because the spreadsheet performs quite complex processing functions and forms a critical bridge between applications in key business processes, an organisation's IT department may become involved in the design of the spreadsheet or aspects of its management. For this reason, it can be helpful to classify spreadsheets into two broad categories, so that the archiving strategy can be tailored to the level of end-user control and processing complexity associated with the spreadsheet. The following two categories are recommended:

1. Spreadsheets that do not, or only minimally, process data and which are created and maintained by end users, and
2. Spreadsheets that do more complex processing of data in order to perform or support critical processes and in whose design and management the IT department may have more involvement.
Some examples based on the reconciliation of trading transactions will serve to illustrate what types of spreadsheets would fall into these two categories. Spreadsheets not used to process data include spreadsheets in which an individual compares reports from two systems and records any breaks as the list of exceptions for a particular day. Also included in this category would be a spreadsheet into which information is downloaded from a system and in which a pivot table is then used to create summary data. On the other hand, spreadsheets that are used to process data would include a scenario in which information is downloaded from two systems into two separate MS Excel spreadsheets. MS Excel functions and pivot tables are then used to create summary data for each source. The data is then manually reconciled. It is recommended that the archiving of spreadsheets that fall into the first category be dealt with in the same manner as the archiving of other unstructured content (e.g., Word files, some MS Access databases). Spreadsheets that perform more complex processing functions, on the other hand, are better handled as mini applications in which their archiving is dealt with in the context of managing the application life cycle.

10. ARCHIVING SPREADSHEETS AS UNSTRUCTURED CONTENT

Although spreadsheets that fall into the first category do not perform complex functions, they still form an important part of the trail of evidence that SOX requires. For this reason, it is risky simply to rely on archiving the source data and recreating the spreadsheet in the event of a request for documentation, as investigators will be looking for evidence with integrity and authenticity (i.e., documentation produced contemporaneously in the normal and ordinary course of business). As such, it is a much less risky strategy to preserve, and be in a position to present, the entire evidentiary trail: source data and spreadsheet.

Generally speaking, the creation and management of spreadsheets that fall in the first category falls to the end user. To ensure that an organisation does not develop the problems experienced by the failed Jamaican banks, an organisation should establish some controls over how end users create and store spreadsheets. The following offers some examples of scaleable archiving strategies that an organisation can pursue to implement spreadsheet archiving controls for spreadsheets that do not perform complex data processing:

1. Low criticality/small scale operations. Designate a folder on a server as the archival folder and place all spreadsheets in the folder in PDF or PDF/A format to lock down content. Naming of files in the folder should be standardised, and documented controls should be established over who does the archiving, who has access to the folder, who can delete, etc. Ensure no deletions of files that fall within business critical/SOX relevant categories before their required retention period has been fully met, or of any files relevant to an ongoing or reasonably anticipated investigation, etc. Keep all files in online storage until the retention period has expired, or, if using removable storage media such as tape, establish a formalised programme to regularly review its integrity and refresh the medium or migrate content as necessary. Note: virus check before you put anything into your archival store to protect your archival records.
2. High criticality/large scale operations. Introduce an electronic document management system with WORM storage. Institute Information Life Cycle Management (ILM) processes. The proper operation of an EDRMS depends upon having a well-thought-out and constructed corporate taxonomy, as it is the taxonomy which identifies the categories of business records that the organisation creates and receives, and the retention requirements that apply to each type. Organisations may want to look at taxonomy management software to support this, as taxonomy development and management can consume a large amount of resource. When an EDRM system is used to support spreadsheet archiving, end users (or the system, if using an auto-classification feature) will associate the spreadsheet with an appropriate category in the taxonomy, thereby ensuring that the spreadsheet will be retained for the period of time indicated by its association with a particular category.
3. Medium criticality/medium scale operations. A mix of strategies 1 and 2.

11. ARCHIVING SPREADSHEETS AS SOFTWARE ASSETS

Spreadsheets that fall into the second category (i.e., those that perform more complex processing) may or may not be developed and/or supported by an IT department, depending on the organisational context. Regardless, given the function they perform, these spreadsheets may be treated more suitably as mini applications and their archiving dealt with in the context of managing the software life cycle. Paying attention to data archiving requirements at the time at which a spreadsheet is created can make the process of archiving much easier and more effective in the long run. This is much easier to do if one applies a system development life cycle approach to the development of complex spreadsheets. It can be very useful to insert a records retention checkpoint at the system development project initiation phase. For example, spreadsheet designers could be asked whether they have identified the retention requirements for the spreadsheet and to outline how those retention requirements will be met. This will alert spreadsheet designers to the necessity of considering retention requirements and help them plan for data archiving. Spreadsheet designers will be supported in their efforts if they can refer to organisation-wide Records Retention Schedules that identify the retention requirements for given types of data and if the organisation has established standard data archiving solutions.

12. MIGRATING SPREADSHEETS OUT OF A PRODUCTION ENVIRONMENT TO AN ARCHIVE

It was once the case that organisations relied on backup tapes for both disaster recovery and retention purposes. It is now generally agreed that reliance on backup processes is no longer a suitable data archiving strategy. The problem with a reliance on backup processes, according to a Robert Frances Group research note, is that administrators spend up to six hours per week recovering old messages for users, and responding to legal discovery can cost hundreds of thousands of pounds (RFG, 2005). Since the need to catalogue, locate and retrieve information in a timely manner has become more urgent, in large part due to regulatory pressure, organisations have begun to embrace information life cycle management (ILM) in order to be able to free space for mission-critical data and provide an index and audit trail of archived information to support corporate governance.
This has given rise to a need for archiving tools that perform a long-term information preservation and access function; are able to keep up with steady input streams as well as those that have periodic inputs; and allow a wide variety of organisational arrangements (i.e., local implementations covering inputs from one production system, or a central archive covering inputs from several production systems). In response, software vendors have begun to offer archiving tools that can be used to handle the archiving of more complex and critical spreadsheets. These archiving tools are designed to take data from a production environment and migrate it to off-line storage for retention until that data is no longer needed. Compliance-oriented archiving tools supply comprehensive storage, storage management, and security offerings to address data retention needs. In addition, a number of third-party archiving providers have emerged, so an organisation need not maintain its own archive. When archiving spreadsheets to off-line and less expensive storage, the spreadsheet can be retained in its production format (e.g., an MS Excel file) or it can be converted to and retained in an open standard format such as PDF/A or XML to protect against technological change. The decision about the best format in which to retain the file should be in proportion to the expected length of time for which the spreadsheet must be retained; that is, the longer the retention, the better it will be to retain in an open format. In terms of managing the migration of spreadsheet data from a production environment to a data archive environment, ISO 14721, the Open Archival Information System Standard, presents a reference model for the preservation of data that provides very useful guidance.
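The controls that section 10 lists for the low-criticality archival folder (standardised file names, documented control over who archives and who deletes, no deletion before the retention period has expired or while an investigation is pending, a check of the store's integrity, a virus check before ingest) and section 12's requirement that migration into the archive preserve authenticity and integrity can be expressed as a small archival routine. The following is an added example written for this page; it is not code from the paper or from any product the paper mentions. The category codes, the retention periods, the file naming scheme, the hashed manifest and the `scan` hook are all assumptions, and the sample workbooks are constructed inputs.

```python
"""Archival-folder regime for category-1 spreadsheets (added example, not
the paper's code): standard names, a hashed manifest as audit trail, a scan
hook before ingest, and a deletion guard honouring retention and legal holds."""
import hashlib, json, re, shutil, tempfile
from datetime import date
from pathlib import Path

MANIFEST = "manifest.json"
# Retention in years per category: constructed stand-ins for the
# organisation's Records Retention Schedule.
RETENTION_YEARS = {"RECON": 7, "ADHOC": 1}
NAME_RE = re.compile(r"^[A-Z]+_\d{8}_\d{3}\.(xlsx|pdf)$")

def standard_name(category, archived_on, seq, ext):
    """Standardised name CATEGORY_YYYYMMDD_NNN.ext (archived_on is ISO 8601)."""
    name = f"{category}_{archived_on.replace('-', '')}_{seq:03d}.{ext}"
    if not NAME_RE.match(name):
        raise ValueError(f"non-standard name: {name}")
    return name

def retention_expiry(archived_on, years):
    """ISO date on which retention ends; 29 Feb clamps to 28 Feb."""
    d = date.fromisoformat(archived_on)
    try:
        return d.replace(year=d.year + years).isoformat()
    except ValueError:
        return d.replace(year=d.year + years, day=28).isoformat()

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def load_manifest(archive_dir):
    p = Path(archive_dir) / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {}

def save_manifest(archive_dir, manifest):
    (Path(archive_dir) / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def archive_file(src, archive_dir, category, archived_on, seq, archived_by, scan=lambda p: True):
    """Copy src into the archival folder under a standard name and record it.
    `scan` is a placeholder for the paper's virus check before ingest, not a real scanner."""
    src = Path(src)
    if not scan(src):
        raise RuntimeError(f"scan rejected {src.name}; not archived")
    name = standard_name(category, archived_on, seq, src.suffix.lstrip("."))
    dest = Path(archive_dir) / name
    if dest.exists():  # archived records are never overwritten
        raise FileExistsError(f"{name} already archived")
    shutil.copyfile(src, dest)
    manifest = load_manifest(archive_dir)
    manifest[name] = {"category": category, "archived_on": archived_on,
                      "archived_by": archived_by, "sha256": sha256_of(dest),
                      "retention_until": retention_expiry(archived_on, RETENTION_YEARS[category])}
    save_manifest(archive_dir, manifest)
    return name

def verify_integrity(archive_dir):
    """Live records that are missing or whose content no longer matches the manifest hash."""
    bad = []
    for name, entry in load_manifest(archive_dir).items():
        p = Path(archive_dir) / name
        if "disposed_on" not in entry and (not p.exists() or sha256_of(p) != entry["sha256"]):
            bad.append(name)
    return sorted(bad)

def may_delete(entry, today, legal_holds):
    """Deletion guard -> (allowed, reason); legal_holds is a set of categories under hold."""
    if "disposed_on" in entry:
        return False, "already disposed"
    if entry["category"] in legal_holds:
        return False, "legal hold"
    if today < entry["retention_until"]:  # ISO dates compare correctly as strings
        return False, f"retention runs until {entry['retention_until']}"
    return True, "retention expired"

def purge_expired(archive_dir, today, legal_holds=frozenset()):
    """Dispose only of records past retention and not on hold; the manifest entry is kept."""
    manifest, deleted = load_manifest(archive_dir), []
    for name, entry in sorted(manifest.items()):
        if may_delete(entry, today, legal_holds)[0]:
            (Path(archive_dir) / name).unlink()
            entry["disposed_on"] = today
            deleted.append(name)
    save_manifest(archive_dir, manifest)
    return deleted

def demo():
    """Exercise the regime on constructed sample files in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    src, arc = work / "in", work / "archive"
    src.mkdir()
    arc.mkdir()
    (src / "recon.xlsx").write_bytes(b"constructed reconciliation workbook")
    (src / "scratch.xlsx").write_bytes(b"constructed ad-hoc workbook")
    names = [archive_file(src / "recon.xlsx", arc, "RECON", "2005-01-10", 1, "alice"),
             archive_file(src / "scratch.xlsx", arc, "ADHOC", "2005-01-10", 2, "alice")]
    clean = verify_integrity(arc)
    (arc / names[1]).write_bytes(b"altered")  # simulate tampering inside the store
    tampered = verify_integrity(arc)
    held = purge_expired(arc, "2007-06-01", legal_holds={"ADHOC"})  # hold blocks disposal
    purged = purge_expired(arc, "2007-06-01")  # ADHOC expired 2006-01-10; RECON runs to 2012
    shutil.rmtree(work)
    return {"names": names, "clean": clean, "tampered": tampered, "held": held, "purged": purged}
```

The manifest is the audit trail the paper asks for: it records who archived each file, when, under which retention category and with what content hash, and disposal marks the entry rather than removing it, so the archive can always show what it once held and why it was destroyed. The deletion guard is deliberately the only path to `unlink`, which is the point of the paper's remark that a destruction hold too often relies on individual employees remembering it.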
It should be noted that the migration of data into archival systems needs to be tightly controlled in order to ensure that data is not lost and that data authenticity and integrity are maintained. For the same reason, control must be maintained over the management of the archival repository at all times. Here again, ISO 14721 is very instructive on this point.

13. CONCLUSION

Most discussions of spreadsheet risk focus on the factors contributing to accuracy and reliability of spreadsheet data content. Archiving, however, is often overlooked. But, as argued in this paper, it is critical for full SOX compliance. While SOX does not provide detailed guidance on corporate record keeping, the absence of such guidance should not be taken to mean that an organisation's leadership would not be expected to assess whether they have potential vulnerabilities and liabilities as a result of poor spreadsheet archiving practices and to take steps to mitigate these. In their publication on the records management implications of Sarbanes-Oxley, authors John Montana, J. Edwin Dietal and Christine Martins write: "All corporate recordkeeping is going to be under much closer and intense scrutiny in the future ... One must be able to show that an aggressive, thoughtful, innovative corporate records and information management program is in place and continually being improved to ensure that individuals that might allege failure to comply with Sarbanes-Oxley are not successful." (Montana et al., 2003)

REFERENCES

AIIM, "Struggle Continues between how Organizations Use Electronic Communications Technology and how they are Managed", www.aiim.orglartiele.j2r-asp?ID=29428, 11:46am 11/03/2005.

"Citigroup Bond Case May Cause New Rules", The Wall Street Journal, 9 February 2005.

Craig, Susanne. "The Age of Discovery: How Morgan Stanley Botched a Big Case by Fumbling Emails --- In Perelman Suit, Judge Says Firm Acted in 'Bad Faith'; It Blames Honest Efforts - A Trove of Tapes in Brooklyn." The Wall Street Journal, 16 May 2005, A1.

International Standards Organization (2001), "Information and documentation - Records management - Part 1: General."

Lemieux, Victoria L. (2002). "Competitive Viability, Accountability and Record Keeping: A Theoretical and Empirical Exploration Using a Case Study of Jamaican Commercial Bank Failures," PhD Thesis, University College London.

Montana, John C., Dietal, J. Edwin, Martins, Christine S. (2003), Sarbanes-Oxley Act: Implications for Records Management, ARMA International.

New York District Court, "Zubulake v. UBS Warburg", www.Msd.uscourts.goy/rulings/02cvl234belmy051803.pd, 12:16pm 11/03/2005.

PricewaterhouseCoopers, "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act" (July 2004), www.j2wc.com/extweb/servi",nsf/docid/CD287E403COAEB7185256F08007F8CAA, 11:33am 11/03/2005.

Robert Frances Group, "Archiving and the Enterprise: The Latest State of Affairs," www.rf2online.com, 22/02/2005.

U.S. Securities and Exchange Commission (2002), "Administrative Proceeding File No. 3-10957", www.sce.gov/liti2ation/admin/34-46937.htm, 10/01/2003.

U.S. Securities and Exchange Commission (2003), "Final Rule: Retention of Records Related to Audits and Reviews, RN3235-AI74," www.sec.eov/rules/final/33-8180.htm, 2:00pm 7/01/2005.

Wallace, David A. (2001). "Electronic Records Management Defined by Court Case and Policy," Information Management Journal, January 2001, Vol. 35, No. 1.

APPENDIX A: RECORDS-RELATED REQUIREMENTS IN THE SARBANES-OXLEY ACT

4. SOX 102(e) - Registration applications and annual reports must be available for public inspection subject to rules of the Board or Commission and applicable confidentiality laws.
5. SOX 103(a)(2)(A)(i) - The Board shall establish quality control and ethical standards for registered public accounting firms in the preparation and issuance of audit reports; audit reports, work papers, and other information related to any audit report must be kept for at least 7 years; audit reports must contain statements about the testing of internal controls and whether those control structures include maintenance of accounting records.
6. SOX 104(e) - Public accounting firms may be required to retain records not otherwise required under section 103.
7. SOX 105(b)(2)(B)(C) & (D) - The Board may require production of audit work papers or any other documents in the possession of a registered public accounting firm or any other person, including any client of the firm.
8. SOX 105(b)(5)(A) - All documents and information prepared by or given to the Board, related to an investigation under section 104, including Board deliberations, are confidential. (With certain enumerated exceptions under paragraph (B).)
9. SOX 105(c)(1) - The Board must keep a record of its proceedings.
10. SOX 105(c)(5)(A) & (B) - Applies sanctions to both intentional and negligent conduct.
11. SOX 106 - Foreign accounting firms that issue opinions or otherwise perform material services for a US company must supply audit work papers to the Board or Commission in connection with any investigation and be subject to the jurisdiction of US courts.
12. SOX 201 - Amends section 10A of the Securities Exchange Act of 1934 to prohibit registered public accounting firms from providing bookkeeping or other services related to accounting records or financial statements contemporaneously with audit services. It also precludes them from designing or implementing financial information systems at the same time, as well as performing other enumerated services contemporaneous with an audit.
13. SOX 202 - Amends section 10A of the Securities Exchange Act of 1934 to require Audit Committees to pre-approve all audit and non-audit services, with certain enumerated exceptions.
14. SOX 204 - Amends section 10A of the Securities Exchange Act of 1934 to require accounting firms to report to Audit Committees all critical accounting policies and practices to be used, all alternative treatments of financial information that have been discussed, and other "material written communications" between the accounting firm and the management of the company.
15. SOX 301 - Amends section 10A of the Securities Exchange Act of 1934 to make Audit Committees establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters. Does not list a period of years for retention; Audit Committees are to establish retention conditions.
16. SOX 306 - Prohibits any director or executive officer from purchasing, selling, or otherwise acquiring or transferring any equity security of the issuer during a blackout period if he/she acquires it in connection with his/her service or employment as a director or executive officer. Any profit realized by him/her will be recoverable by the issuer. Action to recover profits must be brought within 2 years of the date on which the profit was realized.
17. SOX 404 - Management Assessment of Internal Controls - many spreadsheets will form a key component of being able to substantiate a company's financial statements and must therefore be available to the regulators if a company's statements are questioned. As noted by the U.S. Securities and Exchange Commission, "Increased retention of identified records also may provide critical evidence of financial reporting impropriety or deficiencies in the audit process." (SEC, 2003). Verification of a company's financial statements for a given period may take place a number of years after release, so a company should be prepared to produce supporting documents until certain the verification process is complete. There are serious penalties for making a false declaration - up to 10 years - so company directors and senior managers will want to be sure they can substantiate their financials.
18. SOX s. 802, rule 2-06(a) - Requires a retention period of 7 years after conclusion of the audit/review for accountants to retain "records relevant to the audit or review of issuers' and registered investment companies' financial statements, including workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents and records (including electronic records), which are created, sent or received in connection with the audit or review." A company, in consultation with its legal and accounting advisors, will need to determine which of its spreadsheets and other records fall within the meaning of this provision of the Act and related rules. There is a 10 year penalty for violating this rule.
19. SOX 802a - Criminal penalties and their implications. "Whoever knowingly alters, destroys, mutilates, conceals, or makes a false entry in any record, document or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both." This establishes the need for a legal hold regime so as to halt the deletion of any spreadsheet or other document that may be needed in case of litigation or investigation, even if only at the point of being anticipated.
20. SOX 906 - Requires written statements from CEOs and CFOs in annual reports to certify that the information is in compliance with the Securities Exchange Act of 1934 and that the report fairly represents the financial condition and results of operations of the issuer. "Criminal penalties of not more than $5,000,000, or imprisonment of not more than 20 years, or both for wilfully certifying any statement, knowing that it does not comport with all the requirements set forth."
21. SOX 1102 - Which says that "Whoever corruptly (1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair an object's integrity or availability for use in an official proceeding; or (2) otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so, shall be fined under this title, or imprisoned for not more than 20 years, or both."
22. SOX 1106 - Amends section 32(a) of the Securities Exchange Act of 1934 to increase the penalties of section 78ff(a).
23. SOX 1107 - Amends section 1513 of title 18 United States Code to punish retaliation against informants by fines or imprisonment of not more than 10 years, or both. The amount of possible fines is not stated in the Act.