Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for Sarbanes-Oxley, as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?
It gets worse . . . auditors can step in and cry 'foul.' It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one can not go back and truly state that "this person answered this compliance (a legal process) on this date and time, and we know this is the original answer and it has not been modified." Spreadsheets do not have this level of authentication, access control and audit trail. There are spreadsheet management solutions that do provide authentication, access controls and audit trails -- but they are cumbersome to use for broad compliance purposes. Plus, there are technologies with integrated content and workflow that can be more easily managed.
GRC technology for Sarbanes-Oxley compliance
To replace spreadsheets I would look towards governance, risk and compliance (GRC) management platforms. Vendors in this space include Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice over the use of spreadsheets for Sarbanes-Oxley compliance.
More information about Sarbanes-Oxley compliance
This was first published in February 2008