USING SPREADSHEETS TO MANAGE
GOVERNANCE, RISK AND COMPLIANCE:
PROS, CONS AND HIDDEN DANGERS
CONTENTS
INTRODUCTION
GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY
USING SPREADSHEETS FOR GRC – THE PROS
USING SPREADSHEETS FOR GRC – THE CONS
PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE
CONCLUSION
INTRODUCTION
The convergence of factors such as the SEC and PCAOB guideline changes over internal controls for financial reporting, a renewed corporate focus on internal audit, and the never-ending battle to keep up with compliance regulations has forced organizations to seek more efficient methods of running integrated governance, risk and compliance (GRC) business processes. As with all business process automation initiatives, technology plays an important role in streamlining redundant tasks, making information transparent and driving cost out of the process.
For many organizations, the de facto technology solution is to attempt automation with standard office productivity tools such as word processors and spreadsheets. While it is easy to build lightweight solutions with these personal productivity tools, many leading organizations have found that, in the long run, spreadsheet-based solutions become part of the problem rather than part of the solution. This whitepaper takes an in-depth look at the pros, cons and hidden dangers of using spreadsheets for integrated GRC processes.
GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY
Whether implementing integrated governance, risk and compliance or tackling a single compliance initiative such as Sarbanes-Oxley or internal audit, a combination of methodology, skills and technology is required. As with managing the financial accounting, planning, budgeting, consolidation or reporting functions in any major corporation, GRC requires more than an ad hoc approach. For example, financial management requires clear, consistent accounting policies to determine what gets into the books, as well as sophisticated financial systems to capture, manage, analyze and report on financial transactions.
An integrated governance, risk and compliance solution has many of the same requirements. Even small and mid-market companies with less complex processes and organizational structures have invested in purpose-built software to manage their financial reporting processes. Although spreadsheets are prevalent and add value in every finance function, they are seldom the single system of record for the entire process.
The increased focus on GRC disciplines such as internal audit, financial controls management, IT governance, operational and enterprise risk management, and broader compliance has placed these business process disciplines on an equal footing with financial accounting. If spreadsheets are not good enough to serve as a general ledger, why would they suffice as the central system for GRC processes?
Requirements For Effective GRC Technology
To successfully implement integrated GRC processes, organizations must focus on several key strategic deliverables: transparency, performance improvement, accountability and collaboration, and documentation. An effective GRC technology solution must also support these business requirements.
• Transparency: GRC implies that the behavior of an enterprise will be driven by rational decisions made in the interest of investors and stakeholders. A GRC technology solution must support the reporting of risk acceptance decisions together with their supporting documentation.
• Performance Improvement: GRC initiatives must produce performance improvement. Whatever the social benefit of GRC, business will demand economic benefit and the promise of improved business performance to ensure that GRC processes are sustained. A GRC technology solution must embrace and support business process performance reporting and business process improvement tools.
• Accountability And Collaboration: management. In fact, a GRC initiative will include many, if not most, of the organization's key employees regardless of role. Technology for GRC must support work flow and collaboration across the organization and from its highest reaches to its front lines.
• Documentation: Documentation is the transactional information of GRC business processes, just as the tracking of debits and credits is core to financial accounting.
USING SPREADSHEETS FOR GRC – THE PROS
Surveys indicate that the majority of companies affected by the financial controls reporting requirements of Sarbanes-Oxley initially tried to meet them using a combination of word processing tools and spreadsheets: the "low-tech" solution. Spreadsheets are also a favorite tool of auditors and other assurance specialists working in departmental and organizational silos.
As organizations roll out a more integrated approach to GRC, the natural tendency is to try to integrate this complex web of spreadsheets. The reasons often cited include:
• The company's external auditors and/or GRC project advisors like using spreadsheets and often recommend them for SOX or other GRC assessment work.
• Implementing spreadsheets seems inexpensive, since most companies already hold licenses for Excel® or equivalent software.
• Most GRC process owners and participants are familiar with spreadsheet packages.
• GRC requirements are still evolving and the regulatory agencies change the rules frequently. Spreadsheets allow the user to modify "the system" at any time.
• Until December 2006, when the SEC released its interpretive guidance for management's assessment of internal control effectiveness, SOX compliance involved little methodology or analysis; bottom-up control documentation and testing worked well.
• Many organizations are unaware that a proven technology alternative is readily available.
USING SPREADSHEETS FOR GRC – THE CONS
Spreadsheets are user friendly and easy to implement, which are key attributes. However, they fall short in several areas:
• Spreadsheets Block Performance Measurement Or Performance Improvement: Spreadsheets are not well suited to monitoring business performance or supporting process improvement. They can document and report simple relationships, but they are not designed or intended to integrate with other systems, to serve as dashboards, or to identify and support process improvements.
Performance measurement, analysis and improvement require enterprise-wide consolidation and the ability to identify and track trends and opportunities. Spreadsheets cannot support consistent methodologies, consistent consolidation of data or intelligent business analysis.
• Spreadsheets Kill Collaboration, Work Flow And Accountability: A central requirement of integrated GRC is the ability to assign owners to processes, risks, controls and compliance policies, and to manage the work of control testing, verification, audit, and issue and remediation documentation against those GRC data elements. Spreadsheets were not designed for, and do not succeed in supporting, multi-user, process-centric working environments. The lack of multi-user capability leads to a proliferation of spreadsheets, one for each user group and purpose, and collaboration with spreadsheets becomes a manual task requiring multiple iterations.
• Spreadsheets Lack The Ability For Compliance Record Retention: A pervasive feature of compliance programs is strict guidelines on records retention. While the flexible nature of spreadsheets lets users quickly create and modify both data and structure, that same flexibility means a figure, or an entire history, can be overwritten in place with no record of who changed it or what it was before, which does not lend itself to compliance records retention. In contrast, purpose-built GRC technology built on relational databases is, by design, able to satisfy the strictest records retention requirements.
• Spreadsheet Costs Are Huge, But Hidden: On the surface, spreadsheets appear to be a very inexpensive option for SOX and other GRC assessment work, since most companies and their auditors and advisors already have enterprise-level licenses. The savings are more illusory than real. In round one, because of time urgency, few companies tracked the full range of cost drivers, including the time consumed by internal staff, the cost of any external contract staff, and the time charged by the company's external auditor. Once companies address ongoing GRC costs, such as the Section 302 requirements to report material changes in the control environment, to provide updates on progress in resolving significant deficiencies and material weaknesses, and to report quarterly to the audit committee and external auditor on newly detected significant deficiencies and material weaknesses, the real costs and deficiencies of using spreadsheets for documentation begin to emerge.
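The accountability and record retention points above can be made concrete. The following Python example is added here for illustration; it is not code from the original whitepaper or from any Thomson Reuters product. It uses a constructed SQLite schema (the table, its owner column and the trigger names are assumptions) to show a control-test ledger that the database itself keeps append-only, beside the spreadsheet cell it replaces.

```python
"""Append-only control-test ledger: an added illustration of why a relational
store can enforce record retention and accountability where a spreadsheet
cell cannot. Standard library only (sqlite3); all data is constructed.
"""
import sqlite3

# Constructed schema for this example, not any real GRC product's data model.
SCHEMA = """
CREATE TABLE control_test (
    id          INTEGER PRIMARY KEY,
    control_id  TEXT NOT NULL,
    owner       TEXT NOT NULL,              -- accountable tester
    tested_on   TEXT NOT NULL,
    result      TEXT NOT NULL CHECK (result IN ('pass', 'fail')),
    recorded_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
-- Retention is enforced by the database, not by user discipline:
-- every UPDATE or DELETE is rejected, so history can only grow.
CREATE TRIGGER control_test_no_update BEFORE UPDATE ON control_test
BEGIN SELECT RAISE(ABORT, 'control_test is append-only'); END;
CREATE TRIGGER control_test_no_delete BEFORE DELETE ON control_test
BEGIN SELECT RAISE(ABORT, 'control_test is append-only'); END;
"""


def open_ledger() -> sqlite3.Connection:
    """Create an in-memory ledger with the append-only schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_test(conn, control_id, owner, tested_on, result):
    """Append one test result; a re-test is a new row, never an edit."""
    with conn:
        conn.execute(
            "INSERT INTO control_test (control_id, owner, tested_on, result) "
            "VALUES (?, ?, ?, ?)",
            (control_id, owner, tested_on, result),
        )


def history(conn, control_id):
    """Full, ordered history of a control: who tested it, when, and the outcome."""
    rows = conn.execute(
        "SELECT owner, tested_on, result FROM control_test "
        "WHERE control_id = ? ORDER BY id",
        (control_id,),
    ).fetchall()
    return [tuple(r) for r in rows]


def current_status(conn):
    """Latest result per control, derived from history rather than stored in place."""
    rows = conn.execute(
        "SELECT control_id, result FROM control_test "
        "WHERE id IN (SELECT MAX(id) FROM control_test GROUP BY control_id)"
    ).fetchall()
    return {cid: res for cid, res in rows}


def rewrite_blocked(conn, control_id):
    """Attempt what a spreadsheet user does: overwrite the old result in place.
    Returns True if the database refused, i.e. the record was retained."""
    try:
        with conn:
            conn.execute(
                "UPDATE control_test SET result = 'pass' WHERE control_id = ?",
                (control_id,),
            )
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as an IntegrityError
        return True
    return False


def spreadsheet_cell():
    """The spreadsheet equivalent: one cell keyed by control id. Overwriting it
    destroys the prior value, and nothing records who changed it."""
    sheet = {}
    sheet["ITGC-01"] = "fail"   # first test (constructed data)
    sheet["ITGC-01"] = "pass"   # re-test overwrites; the fail is gone
    return sheet


if __name__ == "__main__":
    conn = open_ledger()
    record_test(conn, "ITGC-01", "alice", "2007-03-01", "fail")
    record_test(conn, "ITGC-01", "bob", "2007-03-15", "pass")
    print("history:", history(conn, "ITGC-01"))
    print("status:", current_status(conn))
    print("overwrite refused:", rewrite_blocked(conn, "ITGC-01"))
    print("spreadsheet keeps:", spreadsheet_cell())
```

The design choice worth noting is that the "current" status is never a stored field that someone can edit; it is a query over an immutable history, so every value an auditor sees is traceable to a named owner and a date. The spreadsheet variant keeps only the last value and nothing else.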
PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE
An alternative to managing GRC processes with spreadsheets is to adopt a comprehensive GRC solution that supports the multiple disciplines of GRC. Leading GRC solutions provide functionality for internal audit, financial controls management, enterprise risk management, operational risk management, and IT governance and compliance, purpose-built to address integrated governance, risk and compliance requirements. Compared to spreadsheets, these solutions provide greater efficiency and improved collaboration, and reduce the time and resource costs associated with governance, risk and compliance processes.
A well integrated solution provides a common set of functionality for each GRC process owner, with shared functionality for common activities such as risk assessment, process documentation and issue tracking. Leveraging a shared data model, a well architected GRC solution enables the consistent sharing of definitions and terms, organizational reporting structures, and the relationships between controls and their associated audit results. Eliminating redundant effort saves money by minimizing data entry, improving accuracy, and enhancing collaboration, efficiency and consistency.
CONCLUSION
The Thomson Reuters Governance, Risk & Compliance (GRC) business unit provides comprehensive solutions that connect our customers' businesses to the ever-changing regulatory environment. GRC serves audit, compliance, finance, legal and risk professionals in financial services, law firms, insurance and other industries affected by regulatory change.
The Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections and informed choices that drive overall business performance. Accelus combines the market-leading solutions of the heritage businesses Complinet, IntegraScreen™, Northland Solutions, Oden®, Paisley®, West's Capitol Watch®, Westlaw® Business, Westlaw Compliance Advisor® and World-Check®.
THOMSON REUTERS ACCELUS™