The Business Controls Caddy

Lotus Notes, Spreadsheets and Compliance Frameworks




An article entitled "Conquering the Spreadsheet Compliance Nightmare" from the Information Technology Compliance Institute (ITCI) came across my RSS feed today. As I had recently written an article on spreadsheet risk for Corporate Compliance Solutions Advisor Magazine, I decided to read it. Needless to say, I was quite surprised on two counts. The first was that it was written by fellow Athenian Stephen Swoyer, a prolific technical writer I have not met. The second surprise was this section of the article:

For example, companies that use the Lotus Notes and Domino e-mail and collaboration environment could easily build compliance-ready budgeting, planning, or reporting tools on top of the Domino application server. Domino provides integrated security, workflow (which can double as an audit trail), and a host of other compliance-friendly features. But there’s a good reason they shouldn’t do so, Kugel stresses. “There’s no reason why somebody can’t spend 18 months developing some Lotus Notes application that’s horribly clunky that nobody wants to use to replace a spreadsheet,” he says. “But it wouldn’t be a good idea. There’s a reason spreadsheets have stuck around for so long. Users like them.”


So why was this latter item a surprise to me?

First, let me say that I think it is probably totally coincidental that Lotus Notes and Domino were singled out, seemingly out of left field, in this article and that I had raised the use of Lotus Notes/Domino as a tool to help manage spreadsheet risks in a critique I had written about the PricewaterhouseCoopers White Paper entitled "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", published on this blog and on a couple of Sarbanes-Oxley and IT Governance ListServs. So I can look at this excerpt in two ways. Either it was not coincidental and what I wrote was taken entirely out of context, or it was coincidental and represents a total lack of understanding of the power Lotus Notes and Domino can bring to compliance efforts on the part of both the author and Robert Kugel, a vice-president and research director with consultancy Ventana Research. I do have an e-mail in to the author to ask him about this (and I really do think it is coincidental, as he has written about IBM and Lotus technologies in the past).

What I Wrote


Back in the October piece, I wrote:


And this is why the white paper, in this writer's opinion, makes a strong "between the lines" case to use Lotus Notes & Domino to manage controls over spreadsheets for Sarbanes-Oxley Section 404 Compliance. What levels of controls need to be assessed according to PwC?

  • Change Control
  • Version Control
  • Input Control
  • Security and Integrity of Data
  • Documentation
  • Development Lifecycle
  • Back-Ups
  • Archiving
  • Logic Inspection
  • Segregation of Duties/Roles and Procedures
  • Overall Analytics

If you look at this list, the first thing that may jump out at you, much as it did for me, was the out-of-the-box Document Management template. With minor modification, each of these control objectives can easily be handled and accounted for. Given that Lotus Notes & Domino is designed to work very well in a dispersed organization/environment with an exceptionally strong security model, you are then providing a strong control environment for spreadsheets and their use. Notes & Domino Applications do not need to be complex to provide immediate value to an organization and this would be a good example of that in action.


The Problem With The Kugel Assessment


This is very different than what Kugel has stated. First of all, no responsible Lotus Notes/Domino architect and/or developer would replace a complex spreadsheet with a Notes/Domino application, nor would they spend 18 months developing it. In one project I have referenced before, we built an application that used eSuite as a Java Spreadsheet interface in a Notes form and it was far from "horribly clunky". If an application in Lotus Notes/Domino, or any other application for that matter, is "horribly clunky", that is probably the result of force-fitting the tool to do what it is not designed for or just plain poor architecture. I, and others I am sure, have seen "horribly clunky" and unusable spreadsheets.


Why Lotus Notes & Domino Is A Good Tool To Manage Spreadsheet Risk


I have also worked on an internal IBM/Lotus project to handle policy compliance issues that used a programmatic interface between Notes and an Excel Spreadsheet. Why was this a good approach? Because there was a need to manage access to the spreadsheet data, a need to validate the spreadsheet data against prescribed business rules, a need to define workflow based on spreadsheet values, a need to apply security to approval sections, a need for an audit trail, and a need to process the workflow.


It had nothing to do with building the spreadsheet model or keeping users from using the spreadsheet. It was designed to allow the continued use of spreadsheets, apply a disciplined rules-based approach to the processing of the spreadsheet for approvals, and to store the approved (and rejected) documents in a Lotus Domino Document Manager (nee Dom.Doc) back-end store.


My Challenge to the Author and Mr. Kugel


If you are going to bring a discussion of a technology out of left field, make sure what you write or say about it reflects a basic understanding of the strengths and weaknesses of that technology. Making bold statements as was done in this article does nobody any good. There is good information in the article, but it loses credibility when one technology is criticized without understanding and the article turns into an advertorial for other products.

