USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE:

Transcription

1 USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE: PROS, CONS AND HIDDEN DANGERS MIKE ROST

2 CONTENTS INTRODUCTION... 3 GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY... 3 USING SPREADSHEETS FOR GRC THE PROS... 4 USING SPREADSHEETS FOR GRC THE CONS... 4 PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE... 5 CONCLUSION USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE JULY 2012

3 INTRODUCTION The convergence of factors such as the SEC and PCAOB guideline changes over internal controls for financial reporting, a renewed corporate focus on internal audit, and the never-ending battle to keep up with compliance regulations, has forced organizations to seek more efficient methods to address integrated governance, risk, and compliance business processes. As with all business process automation initiatives, technology plays an important role in streamlining redundant tasks, providing transparency to information, and driving cost out of the process. For many organizations, the de facto technology solution is to try to automate using standard office productivity tools such as word processing programs and spreadsheets. While it is easy to create some light-weight solutions using these personal productivity tools, many leading organizations have found that, in the long run, spreadsheet-based solutions become part of the problem rather than part of the solution. This whitepaper provides an in-depth look at the pros, cons and hidden dangers of using spreadsheets for integrated GRC processes. GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY Whether implementing integrated governance, risk and compliance or tackling a single compliance initiative such as Sarbanes-Oxley or internal audit, a combination of methodology, skills and technology is required. Similar to managing the financial accounting, planning, budgeting, consolidation or reporting functions in any major corporation, GRC requires more than an ad hoc approach. For example, financial management requires clear, consistent accounting policies to determine what gets in the books, as well as sophisticated financial systems to capture, manage, analyze and report on the financial information transactions and reports. An integrated governance, risk and compliance solution has many of the same requirements. Even small and mid-market companies with less complex processes and organizational structures have invested in purpose-built software to manage their financial function reporting processes. Although spreadsheets are prevalent and add value to all finance functions, they are seldom the single source of record for managing the entire process. The increased focus on GRC disciplines such as internal audit, financial controls management, IT governance, operational and enterprise risk management, and broader compliance, have placed these business process disciplines at an equal level of importance to financial accounting. If spreadsheets are not good enough to be used as a general ledger, why would they suffice as the central system for GRC processes? Requirements For Effective GRC Technology To successfully implement integrated GRC processes, organizations must focus on several key strategic deliverables: transparency, performance improvement, accountability and collaboration, and documentation. An effective GRC technology solution must also support these business requirements. Transparency: GRC implies that the behavior of an enterprise will be driven by rational decisions made in the interest of investors and stakeholders. A GRC technology solution must support the reporting of risk acceptance decisions and the supporting documentation. Performance Improvement: GRC initiatives must produce performance improvement. Whatever the social benefit of GRC, business will demand economic benefit and the promise of improved business performance to ensure that GRC processes are sustained. A GRC technology solution must embrace and support business process performance reporting and business process improvement tools. Accountability And Collaboration: An effective GRC process is collaborative and interactive and includes not just management, but also those now functioning in silos of auditing, compliance and risk manage- 3 USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE JULY 2012

4 ment. In fact, a GRC initiative will include many, if not most of the organization s key employees regardless of role. Technology for GRC must support work flow and collaboration across the organization and from its highest reaches to its front lines. Documentation: Documentation is the transactional information of GRC business processes. Core to financial accounting is the tracking of debits/credits. USING SPREADSHEETS FOR GRC THE PROS Surveys indicate that the majority of companies impacted by the financial controls reporting requirements of Sarbanes-Oxley initially tried to tackle these requirements using a combination of word processing tools and spreadsheets - the low-tech solution. Spreadsheets are also a favorite tool of auditors and other assurance specialists working in departmental and organizational silos. As organizations roll out a more integrated approach to GRC, the natural tendency is to try to integrate this complex web of spreadsheets. The reasons often cited include: The company s external auditors and/or GRC project advisors like using spreadsheets and often recommend they be used for SOX or other GRC assessment work. Implementing spreadsheets seems inexpensive since most companies already have licenses to use Excel or equivalent software. Most GRC process owners and participants are familiar with spreadsheet packages. GRC requirements are still evolving and the regulatory agencies change the rules frequently. Spreadsheets allow the user to easily modify the system any time. Until December 2006, when the SEC released its interpretive guidance for management s assessment for internal control effectiveness, SOX compliance involved little methodology or analysis. Bottom-up control documentation and testing worked well. Many organizations are unaware of a proven technology alternative that is readily available. USING SPREADSHEETS FOR GRC THE CONS Spreadsheets are user friendly and easy to implement, which are key attributes. However, they fall short in several areas: Spreadsheets Block Performance Measurement Or Performance Improvement: Spreadsheets are not well suited to monitor business performance or to support process improvement. Spreadsheets are capable of documenting and reporting simple relationships, but they are not designed or intended to integrate with other systems, to serve as dashboards or to identify and support process improvements. Performance measurement analysis and improvement requires enterprise consolidation and the ability to identify and track trends and opportunities. Spreadsheets are unable to support consistent methodologies, consistent consolidation of data or intelligent business analysis. Spreadsheets Kill Collaboration, Work Flow And Accountability: A central requirement of integrated GRC is the ability to assign owners to processes, risks, controls, compliance policies and manage the work processes of control testing, verification, audit, and issue and remediation documentation on the GRC data elements. Spreadsheets simply were not designed for and do not succeed in supporting multi-user, process-centric working environments. The lack of multi-user capability leads to a proliferation of spreadsheets for each user group and purpose. Collaboration with spreadsheets is a manual task with multiple iterations. Spreadsheets Are Inherently Unreliable And Lack Security: Most of the processes in the rows-and-columns grid are overly complex, duplicative and fragmented. For auditors, the implication is that spreadsheets act as end-user computing of high risk manual processes. Version control, change control, auditability and integrity are all well documented issues with spreadsheets. While they can sometimes be overcome, the cost and effort of doing so is huge. 4 USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE JULY 2012

5 Spreadsheets Lack The Ability For Compliance Record Retention: A pervasive standard of compliance programs is strict guidelines over records retention. While the flexible nature of spreadsheets allows users to quickly create and modify data and structure, this flexibility does not lend itself well to compliance records retention. In contrast, purpose-built GRC technology that relies on application functionality built on relational databases by design has the capabilities to satisfy the most strict records retention requirements. Spreadsheet Costs Are Huge But Hidden: Spreadsheets, on the surface at least, appear to be a very inexpensive option for SOX and other GRC assessment work. Most companies and their auditors and advisors already have enterprise level licenses. The savings is more illusory than real. In round one, because of the time urgency, few companies tracked the full range of cost drivers including the time consumed of internal staff, the cost of any external contract staff, and the time charged by the company s external auditor. After companies address ongoing GRC costs - such as the section 302 requirements to report on material changes in the control environment, provide updates on progress resolving significant deficiencies and material weaknesses, and quarterly reports on new significant deficiencies and material weaknesses detected to the audit committee and external auditor - the real costs and deficiencies of using spreadsheets for documentation begin to emerge. PURPOSE-BUILT GRC SOFTWARE: THE BET- TER ALTERNATIVE An alternative to managing GRC processes with spreadsheets is to adopt a comprehensive GRC solution that supports the multiple disciplines of GRC. Leading GRC solutions provide functionality for internal audit, financial controls management, enterprise risk management, operational risk management, IT governance and compliance, purpose-built to address integrated governance, risk and compliance requirements. Compared to spreadsheets, these solutions provide greater efficiency, improved collaboration and reduce the time and resource costs associated with governance, risk and compliance processes. A well integrated solution provides a common set of functionality for each GRC process owner with shared functionality for common activities such as risk assessment, process documentation and issue tracking. Leveraging a shared data model, a well architected GRC solution enables the consistent sharing of definitions and terms, organizational reporting structures, and relationships between controls and the associated audit results. Eliminating the redundant efforts saves money by minimizing data entry, improving accuracy and enhancing collaboration, efficiency and consistency. CONCLUSION Regardless of the business process, the temptation for a quick-fix technology solution using spreadsheets is always there. However, as your business processes mature, requirements become more complex, and the need to scale across multiple users and departments increases, the true cost of spreadsheets become a significant liability. As leading organizations mature their integrated governance, risk and compliance processes, the investment in GRC solutions to support, automate, and drive efficiencies in the process grows. Similar to the evolution of general ledger, accounts payable, and budgeting and planning business processes, GRC has now reached the maturity stage where investment in purpose-built technology is considered to be a best practice. 5 USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE JULY 2012

6 THOMSON REUTERS ACCELUS Thomson Reuters Governance, Risk & Compliance (GRC) business unit provides comprehensive solutions that connect our customers business to the ever-changing regulatory environment. GRC serves audit, compliance, finance, legal, and risk professionals in financial services, law firms, insurance, and other industries impacted by regulatory change. The Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections, and informed choices that drive overall business performance. Accelus is the combination of the market-leading solutions provided by the heritage businesses of Complinet, IntegraScreen, Northland Solutions, Oden, Paisley, West s Capitol Watch, Westlaw Business, Westlaw Compliance Advisor and World-Check. For more information, visit accelus.thomsonreuters.com 2012 Thomson Reuters W /7-12