Ask the Expert

Sarbanes-Oxley compliance: GRC technology vs. spreadsheets

My company has been meeting Sarbanes-Oxley (SOX) requirements through manual spreadsheet-based processes. This year, we hope to automate these processes. What kind of technology is out there now to help with SOX compliance?

    Requires Free Membership to View

Why spreadsheets are not great for Sarbanes-Oxley (SOX) compliance

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for Sarbanes-Oxley, as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?

It gets worse . . . auditors can step in and cry 'foul.' It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one can not go back and truly state that "this person answered this compliance (a legal process) on this date and time, and we know this is the original answer and it has not been modified." Spreadsheets do not have this level of authentication, access control and audit trail. There are spreadsheet management solutions that do provide authentication, access controls and audit trails -- but they are cumbersome to use for broad compliance purposes. Plus, there are technologies with integrated content and workflow that can be more easily managed.

GRC technology for Sarbanes-Oxley compliance

To replace spreadsheets I would look towards governance, risk and compliance (GRC) management platforms. Vendors in this space include Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice over the use of spreadsheets for Sarbanes-Oxley compliance.

More information about Sarbanes-Oxley compliance

  • Sarbanes-Oxley compliance software essentials: Build a technology toolbox
  • Defining SOX security controls
  • Database activity monitoring helps USEC with SOX compliance
  • This was first published in February 2008

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: