
Top 10 Compliance Spreadsheet Risks and How to Avoid Them – PART 1

February 28, 2010

One of the biggest threats to compliance isn't your employees or hackers, but a trusted tool: the spreadsheet. It is unstructured, untracked, and unsecured. Learn to recognize the top spreadsheet risks and what you can do to reduce them.

Compliance experts estimate that 80 percent of enterprises use spreadsheets to support critical business functions. For example, in one Deloitte survey of 800 financial professionals, 88 percent said their firms “use spreadsheets of material importance in financial reporting.” At the same time, however, research suggests the typical spreadsheet has a 2 to 5 percent error rate.

As a result, spreadsheets are one of the biggest compliance risks facing regulated companies. Indeed, despite their prevalent use, the life of the average spreadsheet is unstructured, untracked, insecure, and potentially inaccurate. Learn how to pre-emptively control challenges that can run afoul of Sarbanes-Oxley (SOX), Basel II, or the numerous other laws which regulate the integrity of financial processes.

Bet on auditors wanting to see all spreadsheets relating to your company's financial reporting practices. Will your rows and columns pass compliance muster? To help mitigate the regulatory risks posed by spreadsheets, consider these 10 tips.

1: Acknowledge Spreadsheets' Programming Power

One issue with spreadsheets is that they're simply so powerful. The spreadsheet problem is largely due to the fact that we've given a programming language to a non-IT user without any of the oversight or safeguards of a development environment. That user has become the programmer, the tester and the end user, so all objectivity is lost. Who's going to detect the errors in that spreadsheet?

2: Expect Errors

The average spreadsheet contains a substantial number of errors. Human error research indicates that for tasks about as complex as writing a spreadsheet formula, the error rate floor is about 2 to 5 percent. The reason: people tend to take shortcuts when doing math, and these shortcuts often produce errors. Regarding automation, please see tip number eight. On a related note, spreadsheet novices are three times as likely as experts to make mistakes.

Few companies, however, test for spreadsheet errors or outright fraud, preferring instead to eyeball results, often with predictable consequences. For example, a software developer may use two 15,000-cell Excel spreadsheets to project the market for its products, with figures rounded to whole numbers. A user may then inadvertently round the inflation modifier down, say from 1.06 to 1, resulting in a market undervaluation. Such an error would obviously qualify as a material weakness.

3: Manage Spreadsheet Changes

One solution: don't prohibit spreadsheet use, but rather identify which spreadsheets handle critical business functions, and then implement controls to ensure their integrity and accuracy, and especially to prevent fraud. For starters, apply change management controls to spreadsheets, including sign-offs, a record of all changes and the rationale for every change, plus rollback capabilities. Each spreadsheet's business logic must also be thoroughly vetted, as with any application which handles complex business functions.
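Tips 2 and 3 together describe one concrete check an auditor can automate: keep a record of every change between two versions of a critical workbook, and catch the case where a formula or modifier is silently replaced by a typed-in number (the 1.06 to 1 example above). The following is an added example, not code from the original article or from Orthus. It is a standard-library Python formula diff between two versions of an .xlsx workbook (which is a zip package of XML parts) that reports a formula overridden by a constant as the highest-severity finding. The fixture builder, the sample cells (a market size, an inflation modifier and two formulas) and all function and variable names are constructed for the example.

```python
"""Formula-level diff of two versions of an .xlsx workbook (added example).

Standard library only: an .xlsx file is a zip package and each worksheet
is an XML part under xl/worksheets/.  The diff flags the change-management
failures the article describes: a formula silently replaced by a typed-in
constant, and formula text that changed without review.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SHEET_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SHEET_NS}
SHEET_PART = re.compile(r"xl/worksheets/sheet\d+\.xml")


def extract_cells(xlsx_bytes):
    """Map (sheet, cellref) -> ('f', formula) or ('v', raw value) for every
    populated cell in every worksheet part of the package.  Caveat: a
    dependent of a shared formula (<f t="shared" si="0"/> with no text) is
    recorded by value here, so expand shared formulas before trusting a
    HIGH finding on such a cell; values of type t="s" are shared-string
    indexes, not the text itself."""
    cells = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not SHEET_PART.fullmatch(name):
                continue
            sheet = name.rsplit("/", 1)[1][:-len(".xml")]
            root = ET.fromstring(zf.read(name))
            for c in root.iterfind("m:sheetData/m:row/m:c", NS):
                f = c.find("m:f", NS)
                v = c.find("m:v", NS)
                if f is not None and f.text:
                    cells[(sheet, c.get("r"))] = ("f", f.text)
                elif v is not None and v.text is not None:
                    cells[(sheet, c.get("r"))] = ("v", v.text)
    return cells


def diff_workbooks(before, after):
    """Return [(severity, sheet, cell, description)] sorted by sheet and cell.
    HIGH: formula overridden by a constant.  MEDIUM: formula text changed.
    LOW: literal value changed, cell added or cell removed."""
    old_cells, new_cells = extract_cells(before), extract_cells(after)
    findings = []
    for key in sorted(set(old_cells) | set(new_cells)):
        old, new = old_cells.get(key), new_cells.get(key)
        if old == new:
            continue
        sheet, ref = key
        if old is None:
            findings.append(("LOW", sheet, ref, "cell added: %s=%r" % new))
        elif new is None:
            findings.append(("LOW", sheet, ref, "cell removed: was %s=%r" % old))
        elif old[0] == "f" and new[0] == "v":
            findings.append(("HIGH", sheet, ref,
                             "formula %r replaced by constant %r" % (old[1], new[1])))
        elif old[0] == "f" and new[0] == "f":
            findings.append(("MEDIUM", sheet, ref,
                             "formula changed %r -> %r" % (old[1], new[1])))
        else:
            findings.append(("LOW", sheet, ref,
                             "value changed %r -> %r" % (old[1], new[1])))
    return findings


def build_fixture(cells):
    """Constructed test fixture: a minimal zip holding one worksheet part.
    It omits [Content_Types].xml, workbook.xml and the rels parts that Excel
    itself requires; extract_cells never reads those, so the same parser
    works unchanged on a real workbook.  cells maps 'A1' -> (kind, text)
    with kind 'f' (formula) or 'v' (literal)."""
    rows = {}
    for ref, (kind, text) in cells.items():
        row_no = int(re.search(r"\d+", ref).group())
        rows.setdefault(row_no, []).append((ref, kind, text))
    xml = ['<worksheet xmlns="%s"><sheetData>' % SHEET_NS]
    for r in sorted(rows):
        xml.append('<row r="%d">' % r)
        for ref, kind, text in sorted(rows[r]):
            xml.append('<c r="%s"><%s>%s</%s></c>' % (ref, kind, escape(text), kind))
        xml.append("</row>")
    xml.append("</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "".join(xml))
    return buf.getvalue()


# Constructed sample: A1 market size, A2 inflation modifier, B1 projection,
# B2 rounded projection.  The "after" version is the article's failure mode:
# the modifier is rounded down to 1 and B1's formula is overtyped.
BEFORE = {"A1": ("v", "1000"), "A2": ("v", "1.06"),
          "B1": ("f", "A1*A2"), "B2": ("f", "ROUND(B1,0)")}
AFTER = {"A1": ("v", "1000"), "A2": ("v", "1"),
         "B1": ("v", "1000"), "B2": ("f", "ROUND(B1,2)")}


def example_findings():
    """Diff the two constructed versions (LOW on A2, HIGH on B1, MEDIUM on B2)."""
    return diff_workbooks(build_fixture(BEFORE), build_fixture(AFTER))


if __name__ == "__main__":
    for severity, sheet, ref, text in example_findings():
        print("%-6s %s!%s  %s" % (severity, sheet, ref, text))
```

To use it on real files, read both versions with `open(path, "rb").read()` and pass the bytes to `diff_workbooks`; anything rated HIGH is the "record of all changes and the rationale for every change" that tip 3 asks for, and is exactly the kind of silent override an auditor will ask about.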

4: Beware the Orphans

When auditing spreadsheets, pay particular attention to the orphans: spreadsheets of unknown provenance which today still drive critical business processes. As Arthur C. Clarke wrote, "any sufficiently advanced technology is indistinguishable from magic," and as anyone who's ever inherited a spreadsheet knows, some operate if not by magic, then at least through unintuitive logic that might take a lifetime to unravel.

Certainly, the average business user can't be expected to accurately keep a 50-tab Excel workbook current.

5: Consider Versioning Software

The poster child of the spreadsheet world is Microsoft Excel. Until recently, however, software to manage Excel in regulated environments was scant. Beginning with Excel 2007, though, Microsoft itself began offering businesses a way to enforce change management, audit controls, and versioning for Excel spreadsheets. Together with SharePoint Server 2007, companies can even manage spreadsheets centrally and offer role-based access to HTML versions of spreadsheets.

James Tanner is an analyst at Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face. Orthus provides end-to-end services for clients to comprehensively address risk in their environments, including Insider Threats (http://www.orthus.com/itm_overview.htm), addressing issues such as data leakage, sabotage and fraud; External Threats, including penetration testing, virtualisation security, vulnerability management and the Secure Software Development Life-Cycle; Supply Chain Threats, including securing cloud services and data processed by third parties; and Legal and Regulatory challenges, including the Payment Card Industry (PCI) Data Security Standard (DSS).

Avoid Identity Theft with HIPAA Compliant Secure Document Shredding

February 28, 2010

Identity theft is a major risk these days. Crooks go dumpster diving just to get hold of employee information, payroll records, customer lists, financial records, loan applications and approvals, supplier invoices, contracts, project proposals, research and development reports, marketing materials and even medical files to be used in various scams. If your company handles any of these, you need to shred them. To do this properly, you need a professional HIPAA compliant secure document shredding and destruction service.

According to RecordShred, a document shredding and information destruction service, dumpster diving is considered legal in the United States. Once a document is in a dumpster, it is free to be taken by anyone for any use whatsoever. Unscrupulous parties can use such data for identity theft, corporate espionage and fraud. RecordShred reports that identity theft occurs every 13 seconds in the United States and, according to the Better Business Bureau, some 80% of such identity thefts come from paper records that have not been properly secured. This has become so rampant that the US Federal Bureau of Investigation considers identity theft and information based fraud the fastest growing crimes in America, according to the RecordShred website. It further cites data from the American Society for Industrial Security (ASIS) which values the annual losses of US corporations to trade secret theft at over $45 billion.

The most important fact for any company to know is that it can be held liable for the loss of information to identity theft or corporate espionage if the data was taken from the company through its negligence. Privacy laws such as FACTA, HIPAA, GLB, FERPA and Sarbanes-Oxley ensure this. The trash bin, dumpster and other disposal areas are the primary sources of data for information thieves. If the document, film, CD, DVD, disk or tape originated from your company, you may face liability running to millions of dollars. It is your company's responsibility to keep all such information completely secure through an internal compliance policy and, once it is no longer needed, to destroy it in a similarly secure manner.

The best way for a company to ensure safe destruction of information is to use a professional service such as RecordShred, which has focused its efforts on creating the safest and most efficient system at the right price. Using a professional service is claimed to yield savings of around 25% compared with in-house office shredders, because in-house shredding consumes hours from existing staff and pulls them away from their core duties and responsibilities. It is also an added burden on them, regarded as drudge work, which can affect overall morale and productivity. You also have to take into account the cost of equipment acquisition, maintenance, repair and replacement. Furthermore, when you shred documents yourself in the office, you will have no written verification of secure destruction, which is required by law for your records and auditing.

A professional document shredding and information destruction service like RecordShred not just shreds documents but also destroys other information products such as computer hard drives, cds, dvds, film, tape and all types of imaging. They cover medical files destruction and x-ray film destruction. Secure bins of various sizes and shapes are provided with the service, free of charge, so that employees can conveniently comply with secure disposal of documents and other information media. Such bins can be locked even while in the office for tight security. On scheduled dates, these bins shall be collected for mobile shredding on site. Even documents that are bound with paper clips, staples, binder clips or other binding methods may be disposed of and destroyed without any need for disassembling them. The destruction is secure and monitored. Afterwards, a certificate of destruction is issued to the company and RecordShred provides a witness for legal compliance.

Avoid lawsuits against your company stemming from identity theft or corporate espionage. Make sure you get reliable and professional HIPAA compliant secure document shredding and destruction services.

RecordShred Inc.
1230 S Andrews Ave, Unit 1
Fort Lauderdale, FL 33316
Phone: (954) 523-9366
Email: info@recordshred.com
Website: www.recordshred.com
Description: RecordShred is a document destruction and information shredding service on-site or off-site, serving Miami-Dade, Broward, and Palm Beach counties.

Avoid Information Based Fraud and Corporate Espionage with Secure Mobile Document Shredding

February 26, 2010

Yes, your company can be held liable for any information that leaks out from your employee information records, payroll records, financial records, customer lists, supplier invoices, loan applications and approval, project proposals, contracts, research and development reports, marketing materials and even medical files. According to federal privacy laws, you are responsible even if such information was taken through the use of dumpster diving after you have disposed of your office trash. You need to keep your records secure and destroy them through secure mobile document shredding and information destruction services. Any document can be a source of data, so just shred it.

You may be surprised to know that in the United States, dumpster diving is legal. Any document or information media that is in the dumpster is considered fair game for anyone, including thieves whose intention is to use it for information based fraud, corporate espionage and identity theft. RecordShred, a secure document shredding and information destruction service, reports that the Federal Bureau of Investigation has declared information based fraud and identity theft the fastest growing crimes in America. Every 13 seconds, a case of identity theft happens in the United States. Of such thefts, the Better Business Bureau asserts that about 80% are committed using improperly secured paper records. RecordShred cites the American Society for Industrial Security (ASIS) statement that US corporations are losing more than $45 billion every year to theft of trade secrets.

What many companies are not aware of is that you can be held liable for the theft of any information from your safekeeping. Yes, that is even after you have disposed of the information in the trash. There are several privacy laws, including but not limited to Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), the Fair Credit Reporting Act, FERPA, FACTA and HIPAA, which require companies to keep information and data private and secure, and to dispose of it by destroying it completely in a secure manner. In fact, compliance needs to be backed up by a written verification of secure destruction with a witness. This has to be filed on record and be readily available for auditing purposes. Failure to comply can lead to liability that may amount to millions of dollars.

Any company needs internal compliance procedures and a professional document shredding and information destruction service that is compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, the Fair Credit Reporting Act, FERPA, FACTA and HIPAA. The service should be able to shred documents, even those that are bound with staples, binder clips or other binding materials. It should include medical file destruction and x-ray film destruction, and also destroy other information media including computer hard drives, disks, CDs, DVDs, tape, film and all manner of imaging.

A company like RecordShred can provide locked disposal bins of various sizes for all your documents and data media in the office. These are collected according to a certain schedule and destruction is done securely on site. Your company is then provided with a certificate of destruction complete with a witness to ensure your legal compliance with federal laws.

Getting professional services not only gets you the necessary certification requirements but also saves you a lot in costs. In fact, you save as much as 25% as compared to using in house office shredders. In house shredding will eat up precious time and effort from the core responsibilities of your staff; will mean equipment acquisition, maintenance, repair and replacement; and will not cover all types of information media.

Why not avoid information based fraud, corporate espionage and identity theft, and the liabilities associated with them, through a more convenient and cost-effective professional secure mobile document shredding service?


Avoid the Outsourcing Pitfalls

February 25, 2010

TABLE OF CONTENTS
- Ignoring the risks
- Communication is crucial
- Adopt a flexible management
- Good quality versus good price
- Don't forget security
- Keep in mind the geopolitical and economic issues

Ignoring the risks
By way of introduction: ignoring the risks and pitfalls is the first and most common mistake in outsourcing. Failing to prepare for outsourcing, and failing to consider and understand its full impact on your company's results and your actual expectations and goals for the project, is the major pitfall before you even engage in outsourcing.
Tips that may help:
- Set objectives and strategies for outsourcing
- Find support and build commitment from within your own company for the outsourcing project; make sure you have the right people to drive the outsourcing effort
- Define the requirements, set realistic expectations, and make sure your organization understands them
- Estimate risks, costs, and changes from the current business model, or be prepared to take them into account
- Thoroughly evaluate vendors
- Have an exit plan before you enter the outsourcing deal
- Don't try to micromanage the outsourcing provider: let the provider choose the resources, and manage the output, not the input. Set targets and measure results. If you are asking for CVs, people and input in general, you are not managing the right thing.

Communication is crucial

Care for diversity and culture
One of the most common pitfalls you will meet in outsourcing is a poor level of communication. Bad communication between the parties is a sure success-killer for your outsourced business.
Often this is related to the cultural differences that appear in an outsourcing process, since the nature of the process implies working with people from various countries and different cultural and professional backgrounds.
While cultural gaps may seem a soft science, dramatic differences can quickly erode an otherwise successful offshore outsourcing relationship. Assuming that cultural differences do not exist in the business community and that all professionals are the same around the globe is a crucial mistake. It can lead to misunderstanding of commitments, plans, schedules or status reports, or to softer and more sensitive issues such as tensions in the outsourced team caused by culturally insensitive comments or actions. Explain the requirements and then ask questions that would prove the requirements have been properly understood. Refrain from using colloquial English; use simple business English. Put someone in charge of the outsourced project who has multicultural experience and has successfully worked with people remotely.
DO's
- Make sure that, when you start the outsourcing relationship, you dedicate the right people and resources on both ends
- Make sure your contact person has very good communication skills
- Define the expectations as fully as possible, document them, and set clear performance metrics and clear targets
- Be prepared to change, and allow flexibility in your contract. Be prepared to renegotiate the outsourcing contract once the outsourcing partner better understands your business.

Outsourcing introduces misunderstandings through communication and translation between languages, varied cultures and different contract structures. Company executives must see these implications and consciously evaluate mitigation strategies.
Setting the scene
Derived from communication is setting the expectations. Setting expectations is one of the most important steps to undertake at the beginning of the outsourcing relationship. If the goals are not mutually understood and shared, each party will demand something different from the other, and success can fade between the differing expectations. This can be mitigated by explaining the expectations as fully as possible, documenting them and measuring clear targets.
Tips that may help
- Use a single communications channel. It is important to exchange change information with the provider over a one-to-one channel, between the project manager on their side and your dedicated person on your side. Initial specifications are never perfect, and you can overcome that with continuous feedback.
- Listen to them. If you hire them for expertise you lack, don't pretend you know it all. Listen to what they say.
- Share your knowledge. Send one or two members of your staff to join the development team for a while. This will help everyone better understand your corporate structure and standards.
- Know the project manager. The project manager in charge of the outsourced project has to have a very clear understanding of cultural differences. Ideally, he has travelled widely and lived in several countries, so he knows why people act as they do.
- Treat your partner as a long-term partner. If you plan to engage an outsourced team, plan for a long-term relationship.
You will need to closely review the project and monitor progress often.

Adopt a flexible management

DON'Ts
- Not considering the full impact of an outsourcing agreement on a company's financial condition.
- Lack of incentives for continuous improvement by the provider.
- Lack of a contingency plan for major disruptions at the service provider.
- Expecting too much from a provider in the early months after go-live.
- Neglecting to "flex" the outsourcing relationship as requirements evolve.
The outsourcing relationship does not manage itself. It must be managed continuously, and adjusted and evaluated regularly. Changes must be applied, contracting terms must be reviewed, and so on. Most important, these activities carry added costs on your end.
Make sure you avoid one compelling issue: being rigid about the scope of work. Especially when dealing with a project that involves R&D, flexibility is an imperative. You must be ready to change and adjust according to the findings along the way.
You might need extra resources to dedicate to your project, so make sure you have provisions in your budget for this. A way out should be available on both ends. Businesses are constantly identifying new strategic initiatives; if a third-party IT provider can't accommodate new goals, the customer company may want out of the contract.
So be prepared with an exit plan; it might cost more than you estimate, but less than proceeding with an unsuccessful partnership.
When implementing outsourcing, make sure you establish a relationship with sufficient flexibility to deal with business fluctuations. Have a realistic timeline for the outsourcing process, and estimate correctly the time required to negotiate a service agreement.
Remember to get the operational issues resolved in the service agreement before moving into the legal aspects and financial terms of the agreement.

Good quality versus good price
It is well known that one of the benefits of outsourcing is cost savings. More important than that, however, are the benefits related to improved quality and operational expertise.
This is directly connected to contracting the service under a Service Level Agreement (SLA). In poorly defined contracts there is no measure of quality and no SLA. Even when an SLA exists, it may not be at the level previously enjoyed. This may be because objective measurement and reporting are being implemented properly for the first time, but it may also be lower quality by design, to match a lower price.
Therefore, if you want good quality, don't negotiate on price alone; make sure the quality you need can be provided at that price. At any moment in time, of price, quality and development time, you can only have two.
Even though the price for good quality and rapid development may be lower through outsourcing than on your local market, it will still be higher than the price you would get from comparable outsourcers competing in the same market on price alone.
Make sure you send the right signals: if you want to get the most out of your outsourcing partner, don't nickel and dime them; reward the right behavior. Rewarding the right behavior is very important, as it aligns your goals with those of the outsourcing partner. If the ultimate goal is to keep costs low, reward the partner for staying within budget and coming up with more cost-effective solutions. If your ultimate goal is quality, then set a maximum number of defects the final product may have and reward the partner for meeting that goal. If you want speed, reward completion of tasks on time and pay bonuses for delivering ahead of time; know that your outsourcing partner will have to motivate its employees and push them to the maximum, so make sure you reward the partner as well.
Do not consider outsourcing only for labor arbitrage. In the long run, the greater benefits of outsourcing lie in economies of scale and specialization beyond cost savings, with the right mature outsourcing partner.

Don't forget security
Before outsourcing, an organization is responsible for the actions of all its staff and liable for those actions.
When the same people are transferred to an outsourcer, they may not change desks, but their legal status has changed. They are no longer directly employed by or responsible to the organization. This causes legal, security and compliance issues that need to be addressed through the contract between the client and the supplier. This is one of the most complex areas of outsourcing and usually requires a specialist third-party adviser. One of the first things to make sure of is whether the outsourcer's employees have signed non-compete and non-disclosure agreements with the outsourcer.
For instance, standards of privacy are often looser in some countries than in others. This more relaxed attitude toward privacy can have serious consequences when it comes to protecting corporate data, experts warn.
Companies that outsource operations overseas are advised to train local staff to adhere to the company's global privacy standards and to check into the risk of government interception of sensitive confidential information. There are a few questions you should ask in order to evaluate the security risks: What is the outsourcer's security infrastructure? Do they have a security specialist or administrator? Are they PCI DSS compliant? The outsourcer can be the weakest link if you need to be PCI DSS or SOX compliant. How is your data, and your customers' data, protected?
You must put security issues at the top of the talking points list when you begin negotiating with offshore outsourcers. This may even require information security staff to be at the table in both the operational and the strategic planning functions. The most significant security issues revolve around the protection of data in one manner or another.
Tips that may help
1. Get Your House in Order – Before going outside, make sure your own house is in order. Have a realistic security policy that includes data classification, distinguishes common from sensitive data, and says how each type of data should be handled.
2. Choose Vendors Carefully – Make sure the service provider you use has strict security policies too, starting with the hiring process. This rule applies to all types of vendors, but especially to offshore companies.
3. Understand the Privacy and Intellectual Property Mindset – Many countries have very lax intellectual property protection laws. Make sure the vendor you choose is willing to abide by your privacy and intellectual property policies, since a misunderstanding can be costly.
4. Use Protection – You can address the two issues above with a combination of database monitoring gateways and application-layer firewalls. These devices can enforce usage policies as well as prevent privilege abuse and vulnerability exploitation.
5. Monitor Traffic – Make sure the service provider monitors outbound Internet traffic and email for potential information leaks.
DO's
- Initiate an agreement with a service provider that allows flexibility for the future
- Have a realistic timeline for every step of the outsourcing process, including start-up
- Fully define an employee transition plan
- Plan properly for information systems and for interfacing with the service provider
- Do enough technology development before implementation
Keep in mind the geopolitical and economic issues
In connection with the cultural gap and security factors mentioned above, there are a few other risks you should observe before entering an outsourcing relationship.

Geopolitical risks
These relate to the host country. The most important factors are political stability and the legal environment. Managers should carefully examine the latest political situation of the host country before making their decision. The political situation of most host countries is stable nowadays, which is why pre-outsourcing analysis starts with the legal factor. Here the main factors to evaluate are enforcement of intellectual property rights, industry laws, the customs regime, licensing and "trade exit" conditions. When analyzing geopolitical risk, remember such things as the level of political stability in the host country, the legal environment, the level of government regulation and support, requirements for vendors, and so on.
Intellectual Property Protection (IPP)
This is a very important question, as offshore outsourcing almost always means the creation and/or maintenance of intellectual property. Developing countries often do not have the best reputation for protecting intellectual property.
It is very important to learn about the IPP law in the target country before starting an offshore outsourcing operation.

Conclusion
The majority of problems with outsourcing deals are caused by poor communication and lack of effort early in the process.
As with any relationship, communication and understanding of mutual expectations is key to the ongoing health of the relationship.
Customer executives considering an outsourcing need to understand what they are trying to achieve and be willing to put the effort in up front to increase the likelihood of getting what they want.
