Spreadsheets are inadequate for risk and compliance assessment questionnaires

My two cents – if you are relying on spreadsheets (or, for that matter, word processing documents) to survey and gather risk and compliance information, you have a problem. This in and of itself is a control issue that should be flagged.

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says, “Now what? How do we manage and report on this data?”

It gets worse: auditors and legal can step in and cry ‘foul.’ It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that “this person answered this compliance question (a legal process) on this date and time, and we know this is the original answer and it has not been modified.” Spreadsheets do not have this level of authentication, access control and audit trail. GRC processes require a robust audit trail so that you know who answered a question and whether that answer was modified – spreadsheets do not provide the functionality to cover this.
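As an added illustration of the property described above (not code from the original post), the Python below records questionnaire answers in a keyed, hash-chained log so that any later edit to a recorded answer, any re-ordering, or removal of an entry from the middle of the chain is detected on verification; `LOG_KEY` and the sample respondents, question ids and timestamps are constructed. This covers the integrity and audit-trail part; true non-repudiation of the respondent would additionally require per-respondent digital signatures on each entry.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key. In a real system this lives in a KMS/HSM held by the
# compliance platform, never by respondents (who could otherwise forge entries).
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _entry_mac(prev_hash: str, record: dict) -> str:
    """MAC over the previous entry's hash plus a canonical encoding of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append_answer(log: List[dict], respondent: str, question_id: str,
                  answer: str, answered_at: str) -> dict:
    """Append one questionnaire answer; each entry is chained to its predecessor."""
    record = {"seq": len(log), "respondent": respondent,
              "question_id": question_id, "answer": answer,
              "answered_at": answered_at}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _entry_mac(prev, record)}
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Index of the first broken entry, or None if the chain is intact.
    Catches edited fields, re-ordering and removal of a middle entry; truncation
    at the tail needs the latest hash anchored elsewhere (e.g. a signed report)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["record"].get("seq") != i:
            return i
        if not hmac.compare_digest(entry["hash"], _entry_mac(prev, entry["record"])):
            return i
        prev = entry["hash"]
    return None


def demo() -> tuple:
    """Record two answers, then silently edit the first one, as a spreadsheet cell
    could be edited. Returns (verification before edit, verification after edit)."""
    log: List[dict] = []
    append_answer(log, "alice", "SOX-302-Q1", "Yes", "2009-01-15T10:00:00Z")
    append_answer(log, "bob", "SOX-302-Q1", "No", "2009-01-15T10:05:00Z")
    before = verify_log(log)
    log[0]["record"]["answer"] = "No"   # tampering with the original answer
    return before, verify_log(log)
```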

There are spreadsheet management solutions that do provide authentication, access controls and audit trails — but they are cumbersome to use for broad compliance purposes. In any case, there are technologies with integrated content and workflow that can be managed far more easily.

To replace spreadsheets I would look towards governance, risk, and compliance (GRC) management platforms. Vendors in this space include Archer Technologies, Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley, and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice than spreadsheets for GRC processes.

NOTE: a variation of this post can be found on my Ask the Experts post on SearchDataManagement.com.
