How Spreadsheets Create Compliance Risks: An Auditor's Perspective


As an auditor, it raises a big red flag when I discover that a company uses spreadsheets in regulated environments. That's because spreadsheets are hard to control, can easily be misused, and may not adhere to the requirements necessary to validate computer systems as stipulated in FDA 21 CFR Part 11, as well as predicate rules such as 21 CFR Part 820.70. International standards, such as ISO 13485, also provide guidance on electronic data validation, including spreadsheets.

The point is some regulations and standards become requirements simply because they are referenced and included in an organization's quality management system (QMS). Any spreadsheet that supports a process governed by external regulations and quality standard requirements should be validated.(1) This stipulation is not limited to spreadsheets with formulas; it applies to any record used in the testing and manufacturing processes.

FDA's Suggestions for Validating Spreadsheets Have Limitations

While the FDA does not have specific guidance on spreadsheet validation, the Agency does offer suggestions for minimizing spreadsheet-related risks. One suggestion is to keep a permanent record of all cell formulas once the spreadsheet has been finalized, validated, and is ready for production use. Another is to reevaluate spreadsheets, reverifying cell formulas and calculations periodically.(2) Good ideas, but there are gaps ― the biggest one being a lack of control.

Are individuals downloading and making copies of the spreadsheet? Is the current version being used? Spreadsheets can spread like wildfire, propagating across the organization. People become confused and frustrated, so they download and save local copies. That downloaded copy cannot be controlled ― even in a document management system (DMS), which has limited validation capabilities. Periodic spreadsheet reviews are beneficial but are easy to overlook when done manually.

Overcome These Limitations with Digitization

ValGenesis' validation lifecycle management system (VLMS) solves these perplexing problems by offering increased control and efficiency. Spreadsheets in the ValGenesis VLMS can be validated by the VLMS. Furthermore, they can be executed within the VLMS (which is itself a validated system).

The system's functionality includes version control, de-activation, and even termination. Users can execute formulas within the spreadsheet and import legacy Excel spreadsheets, which saves time and avoids rework.

Set It and Forget It

The ValGenesis system treats spreadsheets as "entities." An entity is anything that can be validated. A spreadsheet is just one example of an entity. Other examples include computer systems, equipment, and even analytical methods. In other words, the ValGenesis VLMS recognizes a spreadsheet as more than a document; it acknowledges it as a system in and of itself.

This distinction allows users to set periodic reviews or revalidation of the spreadsheet entity through the scheduler functionality. The system will remind the user what is required (i.e., periodic review or revalidation) when it is required, so nothing slips through the cracks.

Apply Access Controls at Any Level

Now back to being an auditor. That big red flag mentioned at the beginning of this post would vanish because, when configured and implemented correctly, the technical controls (e.g., versioning, access privileges) would be in place, effective, validated, and possibly qualified for medium-risk or low-risk use based on the organization's risk management process. There would be an assurance that the correct spreadsheet is being used at the correct time and place.

Access controls and role management functionality carries this assurance one step further; qualified individuals can only access and execute the spreadsheet entities they are authorized to access. There is even a hierarchy from site to category to subcategory, then to spreadsheet entity (i.e., system). The access controls can be applied to any of these levels, meaning only authorized individuals authorized to access a site, category, subcategory, or entity could perform tasks within the spreadsheet entity.

Dynamic Trace Matrices Reduce Effort and Error

A dedicated VLMS also frees teams from the tedium of manual tracing and endless updating of spreadsheets. Typically, a validation engineer will write their requirements and tests, execute their tests, and then build the trace matrix in Excel after the tests have already been approved. Next, they’ll load the Excel document into the DMS and route it for review and approval. The process isn’t dynamic; there is no building of relationships between related items or dynamic links. The trace matrix isn’t automatically updated if there is a test failure.

In ValGenesis, traceability matrices can be dynamically created and updated in real time to reflect any changes made to requirements or test functions. Users can map multiple documents against each other, automatically linking individual specifications to test step levels. Users can also view the traceability between documents for completeness before routing them for review and approval in a controlled workflow. This significantly reduces the overall time and effort spent authoring documents. (2)

The Bottom Line

Spreadsheets are a great tool with many benefits, e.g., familiarity (almost everyone uses them) and flexibility (it is easy to add, format, and alter data). However, these benefits introduce inherent risks that concern regulators. Familiarity can lead to complacency, which increases the potential for error. It also encourages people to become dependent on spreadsheets, utilizing them for all tasks without considering more suitable tools like a VLMS. Flexibility without the appropriate controls introduces quality control and data integrity concerns due to the potential to manipulate and falsify data. ValGenesis enables you to herd and harness spreadsheets into the VLMS so they can be used effectively, efficiently, and compliantly with the appropriate controls and standardization.

  1. “Spreadsheet Validation & 21 CFR 820/13485:2016 Regulations”, Accessed on May 11, 2023.
  2. Lisa Weeks, “What’s the Difference Between a VLMS and a DMS?”, Accessed on May 11, 2023.

The opinions, information and conclusions contained within this blog should not be construed as conclusive fact, ValGenesis offering advice, nor as an indication of future results.