Secure Knowledge Capital, Information Security Due Diligence, and Regulatory Compliance
CentraLytics has engineered and deployed a Microsoft Excel-based Sarbanes-Oxley-compliant reporting tool for a Global 1000 tax department.
CentraLytics' Client, a Global 1000 consulting Firm, uses Microsoft Excel as the design template for a portfolio of data-entry templates and efficiency tools for periodic and interim regulatory reporting. The templates are distributed throughout the global enterprise to local controllers and tax professionals in the many jurisdictions in which the Firm does business. Each controller populates the Excel model with local financial results and has traditionally transmitted the Workbook back to Headquarters by a variety of means, such as electronic mail, a shared network directory, or CD-ROM via overnight shipping.
The Excel models typically contain financial constants that change for a variety of reasons. Perhaps the Firm's legal or tax departments negotiate a treaty for Value Added Tax (VAT) in one or more jurisdictions. Interest and discount rates change, sometimes daily or weekly, as the Firm's cost of capital is adjusted for market conditions.
Additionally, federal, state, provincial, and local income and transactional tax rules can change, sometimes being enacted through a complex phase-in or phase-out rule that spans several reporting periods.
Historically, it has been a challenge (sometimes an intractable one) to synchronize the model's versioning across 150 operating entities in 130 countries. From an information security perspective, distributed Excel models raise many concerns, especially in the current regulatory environment dominated by Sarbanes-Oxley. The models contain material, non-public financial and non-financial information about the Firm, which is listed on the New York Stock Exchange.
Michael Izatt, CentraLytics' chief solutions architect and principal cryptography officer, says, "The act of transmitting an Excel model across the internet can raise significant infosec issues. Excel's native password protection feature is not necessarily secure. Excel security can be breached under a very common scenario -- namely when a subsequent version of the Workbook is 'File | Save[d]' under the same filename and with the same password, and transmitted over a non-secure channel such as unencrypted email. In that scenario, Excel suboptimally uses the same initialization vector, which exposes the Excel workbook to differential cryptanalysis by a malicious agent on the internet. Think of it: The simple act of opening a password-protected Excel workbook, editing it, and saving the updated version under the same filename and password exposes your work product to attack. If the Workbook never leaves the local-area- or virtual-private network, you may be secure, but the moment it is on the savannah that is the internet, predators abound, and your information cannot be considered secure."
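The failure Izatt describes is a keystream-reuse (two-time pad) problem. Legacy Excel file encryption was stream-cipher based, and if a re-saved workbook is encrypted under the same key and the same initialization vector, XORing the two ciphertexts cancels the keystream and leaves only the XOR of the two plaintexts. The Python below is an added illustration, not CentraLytics' code and not Excel's actual file format: it implements RC4 inline so it runs offline, models the password-to-key step with a plain SHA-256 over salt and password (an assumption for illustration, not the Office key-derivation algorithm), and uses two constructed workbook versions as sample data. With one version known, the other is recovered outright; with a fresh salt on every save, the relation disappears.

```python
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(password: str, salt: bytes) -> bytes:
    # Assumption: a simple salted hash stands in for the real Office KDF.
    return hashlib.sha256(salt + password.encode()).digest()[:16]


def encrypt(plaintext: bytes, password: str, salt: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key(password, salt))."""
    return xor(plaintext, rc4_keystream(derive_key(password, salt), len(plaintext)))


# Constructed sample data: two successive saves of the same workbook cell range.
VERSION_1 = b"Q3 VAT rate DE: 19.00% ; provision EUR 1,250,000"
VERSION_2 = b"Q3 VAT rate DE: 19.00% ; provision EUR 1,375,500"

# Models the failure mode: the salt/IV is not regenerated on 'File | Save'.
FIXED_SALT = bytes(16)


def recover_other_version(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Known plaintext of one version yields the keystream, which unlocks the other."""
    keystream = xor(ct_known, pt_known)
    return xor(ct_target, keystream)


def demo_reuse() -> bytes:
    """Same password, same salt on both saves: an eavesdropper holding both files
    and the earlier version (e.g. a template with known constants) reads the new one."""
    c1 = encrypt(VERSION_1, "hunter2", FIXED_SALT)
    c2 = encrypt(VERSION_2, "hunter2", FIXED_SALT)
    # Keystream cancels: c1 XOR c2 == p1 XOR p2, so every changed byte is exposed.
    assert xor(c1, c2) == xor(VERSION_1, VERSION_2)
    return recover_other_version(c1, VERSION_1, c2)


def demo_fresh_salt(salt1: bytes = None, salt2: bytes = None) -> bool:
    """Fresh salt per save: returns True only if the plaintext XOR still leaks (it must not)."""
    salt1 = salt1 or os.urandom(16)
    salt2 = salt2 or os.urandom(16)
    c1 = encrypt(VERSION_1, "hunter2", salt1)
    c2 = encrypt(VERSION_2, "hunter2", salt2)
    return xor(c1, c2) == xor(VERSION_1, VERSION_2)


if __name__ == "__main__":
    print("recovered:", demo_reuse().decode())
    print("leaks with fresh salt:", demo_fresh_salt())
```

The second function is the check a practitioner wants: with a fresh salt on each save, the XOR of the two ciphertexts no longer equals the XOR of the plaintexts. Note also that an attacker does not need a known earlier version to learn something: the plaintext XOR alone reveals which bytes changed between saves, which for a financial model is the edit itself.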
Paul Asplund, CentraLytics' director of software engineering, says, "It is difficult (perhaps impossible) to deploy standard encryption protocols across an enterprise computing platform. Local country laws vary, and we cannot always control the local technology desktop in a foreign jurisdiction. Furthermore, Excel models can be distributed by local controllers to junior analysts who may not have an appreciation early in their careers for information and operational security. Our judgment, in consultation with our Client's executive sponsors, was to pull information security (infosec) into the Excel model rather than omit it and rely on overall enterprise network security."
Added Izatt, "Additionally, the Sarbanes-Oxley audit board impressed upon the executive sponsor that the world-wide VPN may well protect the Firm from outside malicious attackers, but did nothing to secure the information on the wire from potential malicious insiders! The Board expected the information to be secure on the wire from both inside and outside prying eyes. When architecting the application, we asked whether we could deem it reliable that local controllers and administrative personnel would avail themselves of third-party encryption tools such as digital certificates or PGP encryption. We were directed to assume that such a protocol would be sometimes neglected, and to therefore assure security from within the application."
Asplund said, "The primary requirement for this project was that the tool set be Excel-spreadsheet based. A Web application with a grid was not sufficient since that type of engineering would pull the financial model into the overall enterprise computing harness and away from the stakeholders who were frontline accounting, tax, and financial professionals. Central information technology required budget that was entirely too high for this functionality, and the Tax Director was adamant that her people already had encapsulated the business analysis into the Excel model. She wasn't about to pay IT to have them tell her something that she already knew."
The key to the project was CentraLytics' proprietary (trade-secret) integration toolset, which mounts an Excel model into the enterprise IT environment and at the same time provides an information-security and maintenance harness around it. Using .NET Web services, Izatt's Excel cryptography team and Asplund's engineering team built a cryptographic capability into the Firm's Excel model and linked it to a central Web service that received the many Excel transmissions, decrypted them, and communicated with the central Microsoft SQL Server operational data store. The result was secure transmission over a potentially insecure communication channel, all within the Firm's existing, globally deployed Excel financial model.
Furthermore, CentraLytics interfaced the model with the Firm's ERP software so that the Excel platform received batch enterprise data for ad-hoc analysis. Izatt's team built an online analytical processing (OLAP) ad-hoc query capability so that the tax director could have daily business intelligence on the Firm's transactional tax profile. CentraLytics calls this architecture its Closed Loop Executive Analytical Reporting (CLEAR) architecture and has deployed several tools built on it.
The result? The Excel model, which previously sat on approximately 200 personal computers in 24 time zones, was now securely linked to a central database that received and transmitted updates throughout the day. Client, engagement, and tax analysis that was previously hidden from the tax director was now available at the touch of a button at any time. The progress of a particular piece of business could therefore be monitored for updates and changes, and potential pitfalls could be identified and remedied in situ before an adverse financial or tax position could develop.
CentraLytics succeeded in delivering a world-class, secure, robust application to this Global 1000 Client using the Firm's native Excel model.
About CentraLytics
CentraLytics is a professional services firm that provides technology, consulting, and process engineering to Global 1000 business firms in the fields of manufacturing, financial services, banking, law, government and education.