USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE:




USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE: PROS, CONS AND HIDDEN DANGERS

MIKE ROST

CONTENTS

INTRODUCTION
GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY
USING SPREADSHEETS FOR GRC: THE PROS
USING SPREADSHEETS FOR GRC: THE CONS
PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE
CONCLUSION

USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE JULY 2012

INTRODUCTION

The convergence of factors such as the SEC and PCAOB guideline changes over internal controls for financial reporting, a renewed corporate focus on internal audit, and the never-ending battle to keep up with compliance regulations has forced organizations to seek more efficient methods to address integrated governance, risk, and compliance business processes. As with all business process automation initiatives, technology plays an important role in streamlining redundant tasks, providing transparency to information, and driving cost out of the process.

For many organizations, the de facto technology solution is to try to automate using standard office productivity tools such as word processing programs and spreadsheets. While it is easy to create some lightweight solutions using these personal productivity tools, many leading organizations have found that, in the long run, spreadsheet-based solutions become part of the problem rather than part of the solution. This whitepaper provides an in-depth look at the pros, cons and hidden dangers of using spreadsheets for integrated GRC processes.

GRC DISCIPLINES REQUIRE PURPOSE-BUILT TECHNOLOGY

Whether implementing integrated governance, risk and compliance or tackling a single compliance initiative such as Sarbanes-Oxley or internal audit, a combination of methodology, skills and technology is required. Similar to managing the financial accounting, planning, budgeting, consolidation or reporting functions in any major corporation, GRC requires more than an ad hoc approach. For example, financial management requires clear, consistent accounting policies to determine what gets in the books, as well as sophisticated financial systems to capture, manage, analyze and report on the financial information transactions and reports. An integrated governance, risk and compliance solution has many of the same requirements.
Even small and mid-market companies with less complex processes and organizational structures have invested in purpose-built software to manage their financial function reporting processes. Although spreadsheets are prevalent and add value to all finance functions, they are seldom the single source of record for managing the entire process. The increased focus on GRC disciplines such as internal audit, financial controls management, IT governance, operational and enterprise risk management, and broader compliance has placed these business process disciplines at an equal level of importance to financial accounting. If spreadsheets are not good enough to be used as a general ledger, why would they suffice as the central system for GRC processes?

Requirements For Effective GRC Technology

To successfully implement integrated GRC processes, organizations must focus on several key strategic deliverables: transparency, performance improvement, accountability and collaboration, and documentation. An effective GRC technology solution must also support these business requirements.

Transparency: GRC implies that the behavior of an enterprise will be driven by rational decisions made in the interest of investors and stakeholders. A GRC technology solution must support the reporting of risk acceptance decisions and the supporting documentation.

Performance Improvement: GRC initiatives must produce performance improvement. Whatever the social benefit of GRC, business will demand economic benefit and the promise of improved business performance to ensure that GRC processes are sustained. A GRC technology solution must embrace and support business process performance reporting and business process improvement tools.
Accountability And Collaboration: An effective GRC process is collaborative and interactive and includes not just management, but also those now functioning in silos of auditing, compliance and risk management. In fact, a GRC initiative will include many, if not most, of the organization's key employees regardless of role. Technology for GRC must support work flow and collaboration across the organization and from its highest reaches to its front lines.

Documentation: Documentation is the transactional information of GRC business processes. Core to financial accounting is the tracking of debits/credits.

USING SPREADSHEETS FOR GRC: THE PROS

Surveys indicate that the majority of companies impacted by the financial controls reporting requirements of Sarbanes-Oxley initially tried to tackle these requirements using a combination of word processing tools and spreadsheets - the low-tech solution. Spreadsheets are also a favorite tool of auditors and other assurance specialists working in departmental and organizational silos. As organizations roll out a more integrated approach to GRC, the natural tendency is to try to integrate this complex web of spreadsheets. The reasons often cited include:

- The company's external auditors and/or GRC project advisors like using spreadsheets and often recommend they be used for SOX or other GRC assessment work.
- Implementing spreadsheets seems inexpensive since most companies already have licenses to use Excel or equivalent software.
- Most GRC process owners and participants are familiar with spreadsheet packages.
- GRC requirements are still evolving and the regulatory agencies change the rules frequently. Spreadsheets allow the user to easily modify the system any time.
- Until December 2006, when the SEC released its interpretive guidance for management's assessment for internal control effectiveness, SOX compliance involved little methodology or analysis. Bottom-up control documentation and testing worked well.
- Many organizations are unaware of a proven technology alternative that is readily available.

USING SPREADSHEETS FOR GRC: THE CONS

Spreadsheets are user friendly and easy to implement, which are key attributes.
However, they fall short in several areas:

Spreadsheets Block Performance Measurement Or Performance Improvement: Spreadsheets are not well suited to monitor business performance or to support process improvement. Spreadsheets are capable of documenting and reporting simple relationships, but they are not designed or intended to integrate with other systems, to serve as dashboards or to identify and support process improvements. Performance measurement analysis and improvement requires enterprise consolidation and the ability to identify and track trends and opportunities. Spreadsheets are unable to support consistent methodologies, consistent consolidation of data or intelligent business analysis.

Spreadsheets Kill Collaboration, Work Flow And Accountability: A central requirement of integrated GRC is the ability to assign owners to processes, risks, controls, compliance policies and manage the work processes of control testing, verification, audit, and issue and remediation documentation on the GRC data elements. Spreadsheets simply were not designed for and do not succeed in supporting multi-user, process-centric working environments. The lack of multi-user capability leads to a proliferation of spreadsheets for each user group and purpose. Collaboration with spreadsheets is a manual task with multiple iterations.

Spreadsheets Are Inherently Unreliable And Lack Security: Most of the processes in the rows-and-columns grid are overly complex, duplicative and fragmented. For auditors, the implication is that spreadsheets act as end-user computing of high risk manual processes. Version control, change control, auditability and integrity are all well-documented issues with spreadsheets. While they can sometimes be overcome, the cost and effort of doing so is huge.

Spreadsheets Lack The Ability For Compliance Record Retention: A pervasive standard of compliance programs is strict guidelines over records retention. While the flexible nature of spreadsheets allows users to quickly create and modify data and structure, this flexibility does not lend itself well to compliance records retention. In contrast, purpose-built GRC technology that relies on application functionality built on relational databases by design has the capabilities to satisfy the most strict records retention requirements.

Spreadsheet Costs Are Huge But Hidden: Spreadsheets, on the surface at least, appear to be a very inexpensive option for SOX and other GRC assessment work. Most companies and their auditors and advisors already have enterprise level licenses. The savings is more illusory than real. In round one, because of the time urgency, few companies tracked the full range of cost drivers including the time consumed of internal staff, the cost of any external contract staff, and the time charged by the company's external auditor. After companies address ongoing GRC costs - such as the section 302 requirements to report on material changes in the control environment, provide updates on progress resolving significant deficiencies and material weaknesses, and quarterly reports on new significant deficiencies and material weaknesses detected to the audit committee and external auditor - the real costs and deficiencies of using spreadsheets for documentation begin to emerge.

PURPOSE-BUILT GRC SOFTWARE: THE BETTER ALTERNATIVE

An alternative to managing GRC processes with spreadsheets is to adopt a comprehensive GRC solution that supports the multiple disciplines of GRC. Leading GRC solutions provide functionality for internal audit, financial controls management, enterprise risk management, operational risk management, IT governance and compliance, purpose-built to address integrated governance, risk and compliance requirements.
Compared to spreadsheets, these solutions provide greater efficiency and improved collaboration, and reduce the time and resource costs associated with governance, risk and compliance processes. A well-integrated solution provides a common set of functionality for each GRC process owner with shared functionality for common activities such as risk assessment, process documentation and issue tracking. Leveraging a shared data model, a well-architected GRC solution enables the consistent sharing of definitions and terms, organizational reporting structures, and relationships between controls and the associated audit results. Eliminating the redundant efforts saves money by minimizing data entry, improving accuracy and enhancing collaboration, efficiency and consistency.

CONCLUSION

Regardless of the business process, the temptation for a quick-fix technology solution using spreadsheets is always there. However, as your business processes mature, requirements become more complex, and the need to scale across multiple users and departments increases, the true cost of spreadsheets becomes a significant liability. As leading organizations mature their integrated governance, risk and compliance processes, the investment in GRC solutions to support, automate, and drive efficiencies in the process grows. Similar to the evolution of general ledger, accounts payable, and budgeting and planning business processes, GRC has now reached the maturity stage where investment in purpose-built technology is considered to be a best practice.

THOMSON REUTERS ACCELUS

Thomson Reuters Governance, Risk & Compliance (GRC) business unit provides comprehensive solutions that connect our customers' business to the ever-changing regulatory environment. GRC serves audit, compliance, finance, legal, and risk professionals in financial services, law firms, insurance, and other industries impacted by regulatory change. The Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections, and informed choices that drive overall business performance. Accelus is the combination of the market-leading solutions provided by the heritage businesses of Complinet, IntegraScreen, Northland Solutions, Oden, Paisley, West's Capitol Watch, Westlaw Business, Westlaw Compliance Advisor and World-Check.

For more information, visit accelus.thomsonreuters.com

© 2012 Thomson Reuters W-310614/7-12