USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE: PROS, CONS AND HIDDEN DANGERS


CONTENTS

INTRODUCTION

GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY

USING SPREADSHEETS FOR GRC – THE PROS

USING SPREADSHEETS FOR GRC – THE CONS

PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE


INTRODUCTION

The convergence of factors such as the SEC and PCAOB guideline changes over internal controls for financial reporting, a renewed corporate focus on internal audit, and the never-ending battle to keep up with compliance regulations has forced organizations to seek more efficient methods to address integrated governance, risk and compliance business processes. As with all business process automation initiatives, technology plays an important role in streamlining redundant tasks, providing transparency to information, and driving cost out of the process.

For many organizations, the de facto technology solution is to try to automate using standard office productivity tools such as word processing programs and spreadsheets. While it is easy to create some lightweight solutions using these personal productivity tools, many leading organizations have found that, in the long run, spreadsheet-based solutions become part of the problem rather than part of the solution. This whitepaper provides an in-depth look at the pros, cons and hidden dangers of using spreadsheets for integrated GRC processes.

GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY

Whether implementing integrated governance, risk and compliance or tackling a single compliance initiative such as Sarbanes-Oxley or internal audit, a combination of methodology, skills and technology is required. Similar to managing the financial accounting, planning, budgeting, consolidation or reporting functions in any major corporation, GRC requires more than an ad hoc approach. For example, financial management requires clear, consistent accounting policies to determine what gets into the books, as well as sophisticated financial systems to capture, manage, analyze and report on financial transactions.

An integrated governance, risk and compliance solution has many of the same requirements. Even small and mid-market companies with less complex processes and organizational structures have invested in purpose-built software to manage their financial reporting processes. Although spreadsheets are prevalent and add value to all finance functions, they are seldom the single source of record for managing the entire process.

The increased focus on GRC disciplines such as internal audit, financial controls management, IT governance, operational and enterprise risk management, and broader compliance has placed these business process disciplines at an equal level of importance to financial accounting. If spreadsheets are not good enough to be used as a general ledger, why would they suffice as the central system for GRC processes?

Requirements For Effective GRC Technology

To successfully implement integrated GRC processes, organizations must focus on several key strategic deliverables: transparency, performance improvement, accountability and collaboration, and documentation. An effective GRC technology solution must also support these business requirements.

• Transparency: GRC implies that the behavior of an enterprise will be driven by rational decisions made in the interest of investors and stakeholders. A GRC technology solution must support the reporting of risk acceptance decisions and the supporting documentation.

• Performance Improvement: GRC initiatives must produce performance improvement. Whatever the social benefit of GRC, business will demand economic benefit and the promise of improved business performance to ensure that GRC processes are sustained. A GRC technology solution must embrace and support business process performance reporting and business process improvement tools.


management. In fact, a GRC initiative will include many, if not most, of the organization’s key employees regardless of role. Technology for GRC must support work flow and collaboration across the organization and from its highest reaches to its front lines.

• Documentation: Documentation is the transactional information of GRC business processes. Core to financial accounting is the tracking of debits/credits.

USING SPREADSHEETS FOR GRC – THE PROS

Surveys indicate that the majority of companies impacted by the financial controls reporting requirements of Sarbanes-Oxley initially tried to tackle these requirements using a combination of word processing tools and spreadsheets – the “low-tech” solution. Spreadsheets are also a favorite tool of auditors and other assurance specialists working in departmental and organizational silos.

As organizations roll out a more integrated approach to GRC, the natural tendency is to try to integrate this complex web of spreadsheets. The reasons often cited include:

• The company’s external auditors and/or GRC project advisors like using spreadsheets and often recommend they be used for SOX or other GRC assessment work.

• Implementing spreadsheets seems inexpensive since most companies already have licenses to use Excel® or equivalent software.

• Most GRC process owners and participants are familiar with spreadsheet packages.

• GRC requirements are still evolving and the regulatory agencies change the rules frequently. Spreadsheets allow the user to easily modify “the system” any time.

• Until December 2006, when the SEC released its interpretive guidance for management’s assessment of internal control effectiveness, SOX compliance involved little methodology or analysis. Bottom-up control documentation and testing worked well.

• Many organizations are unaware of a proven technology alternative that is readily available.

USING SPREADSHEETS FOR GRC – THE CONS

Spreadsheets are user friendly and easy to implement, which are key attributes. However, they fall short in several areas:

• Spreadsheets Block Performance Measurement Or Performance Improvement: Spreadsheets are not well suited to monitor business performance or to support process improvement. Spreadsheets are capable of documenting and reporting simple relationships, but they are not designed or intended to integrate with other systems, to serve as dashboards or to identify and support process improvements.

Performance measurement, analysis and improvement require enterprise consolidation and the ability to identify and track trends and opportunities. Spreadsheets are unable to support consistent methodologies, consistent consolidation of data or intelligent business analysis.

• Spreadsheets Kill Collaboration, Work Flow And Accountability: A central requirement of integrated GRC is the ability to assign owners to processes, risks, controls and compliance policies, and to manage the work processes of control testing, verification, audit, and issue and remediation documentation on the GRC data elements. Spreadsheets simply were not designed for and do not succeed in supporting multi-user, process-centric working environments. The lack of multi-user capability leads to a proliferation of spreadsheets for each user group and purpose. Collaboration with spreadsheets is a manual task with multiple iterations.


• Spreadsheets Lack The Ability For Compliance Record Retention: A pervasive standard of compliance programs is strict guidelines over records retention. While the flexible nature of spreadsheets allows users to quickly create and modify data and structure, this flexibility does not lend itself well to compliance records retention. In contrast, purpose-built GRC technology that relies on application functionality built on relational databases has, by design, the capabilities to satisfy the strictest records retention requirements.

• Spreadsheet Costs Are Huge – But Hidden: Spreadsheets, on the surface at least, appear to be a very inexpensive option for SOX and other GRC assessment work. Most companies and their auditors and advisors already have enterprise-level licenses. The savings are more illusory than real. In round one, because of the time urgency, few companies tracked the full range of cost drivers, including the time consumed by internal staff, the cost of any external contract staff, and the time charged by the company’s external auditor. After companies address ongoing GRC costs – such as the Section 302 requirements to report on material changes in the control environment, provide updates on progress resolving significant deficiencies and material weaknesses, and deliver quarterly reports on newly detected significant deficiencies and material weaknesses to the audit committee and external auditor – the real costs and deficiencies of using spreadsheets for documentation begin to emerge.

PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE

An alternative to managing GRC processes with spreadsheets is to adopt a comprehensive GRC solution that supports the multiple disciplines of GRC. Leading GRC solutions provide functionality for internal audit, financial controls management, enterprise risk management, operational risk management, IT governance and compliance, purpose-built to address integrated governance, risk and compliance requirements. Compared to spreadsheets, these solutions provide greater efficiency and improved collaboration, and reduce the time and resource costs associated with governance, risk and compliance processes.

A well-integrated solution provides a common set of functionality for each GRC process owner, with shared functionality for common activities such as risk assessment, process documentation and issue tracking. Leveraging a shared data model, a well-architected GRC solution enables the consistent sharing of definitions and terms, organizational reporting structures, and relationships between controls and the associated audit results. Eliminating the redundant efforts saves money by minimizing data entry, improving accuracy and enhancing collaboration, efficiency and consistency.

CONCLUSION


Thomson Reuters Governance, Risk & Compliance (GRC) business unit provides comprehensive solutions that connect our customers’ business to the ever-changing regulatory environment. GRC serves audit, compliance, finance, legal, and risk professionals in financial services, law firms, insurance, and other industries impacted by regulatory change.

The Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections, and informed choices that drive overall business performance. Accelus is the combination of the market-leading solutions provided by the heritage businesses of Complinet, IntegraScreen™, Northland Solutions, Oden®, Paisley®, West’s Capitol Watch®, Westlaw® Business, Westlaw Compliance Advisor® and World-Check®.

THOMSON REUTERS ACCELUS™
