Since the Sarbanes-Oxley Act was first introduced in 2002, organizations have been lured by the relative ease of use and low cost of a nearly ubiquitous data management tool—the Microsoft Excel spreadsheet. And why not? For many reasons, using spreadsheets might initially seem to make sense:
More and more companies, though, are finding out the hard way that they’re outgrowing their hundreds (or even thousands) of cobbled-together spreadsheets—and they’ve begun searching for something better.
Are you starting to feel like the spreadsheets you use to manage SOX compliance are part of the problem? Here are four signs you’ve outgrown your SOX spreadsheets.
Organizing data. Storing it. Analyzing it. These are the functions for which spreadsheets were built—and at which, if you’ll forgive the pun, they excel.
What a spreadsheet is less good at, however, is precisely the type of work that SOX compliance demands. A spreadsheet makes a poor dashboard—you can’t use Excel to track issues, for example, or gauge progress toward 302 and 404 sign-off.
To properly measure performance and track improvements, you need enterprise software that supports robust business analysis.
One of the greatest drawbacks of maintaining multiple spreadsheets? It’s simply too easy to make mistakes. One survey of several studies found errors in 94% of the spreadsheets that had been examined; the same investigation estimated that a typical large spreadsheet contains dozens or even hundreds of errors.
Those numbers are the stuff of nightmares—because as you’re well aware, if even a single one of your spreadsheets creates the risk of a material financial error, your organization’s entire reporting system must be considered flawed.
Without automated tools to check for and stamp out errors, the time, effort and cost required to ensure the integrity of hundreds of spreadsheets can become simply overwhelming.
In any large organization, there exists the need to share the “compliance burden;” processes such as risk assessment, control testing and issue management necessarily require input from many different business areas.
Unfortunately, spreadsheets just don’t support these kinds of multi-user workflows. Collaboration becomes an exercise in tortuous version control and painstaking error correction, rather than anything approaching true productivity.
It’s simple—if you’re responsible for using spreadsheets to manage SOX compliance, expect many more documents than you ever thought you’d see… and much more work than you ever thought you’d do.
Dedicated GRC software makes all the ways you’ve been managing SOX compliance more efficient and effective. Compared to spreadsheets, software can offer a host of advantages.
When you can use advanced analytics and reporting to gain the visibility you need to track progress, you’ll be able to more confidently sign off on 302 and 404 certifications. Look for software that lets you build rich, interactive dashboards and drill-down reports with just a few simple clicks. Remember—if you can see the root causes of deficiencies early in the process, you can better plan for success.
Software can help define issue-tracking accountabilities, scope, follow-up actions and more. If you’re considering moving away from spreadsheets, look for workflow tools and comprehensive dashboards that make it easy to review and approve changes, ensure the right people are doing the right work, and track issues through to closure. The result will be increased confidence in your data and progress.
The right software will help you reduce your total testing time with a fully integrated risk-based approach. Move from hours per control—multiplied by hundreds or thousands of controls across multiple processes—to quick, easy testing of controls that address multiple risks.
And if you’re still attached to spreadsheets, some software suites let you keep using them. Look for an application that lets you create Excel files (as well as Word, PowerPoint, and Visio documents, if desired), then attach them to items or reports, upload them to the cloud, or edit them directly in the software. Bonus: if the software you’re considering takes care of version control for you, you’ll never again have to worry about whether you’re using the most up-to-date document.
That sinking feeling that you’ve outgrown your SOX spreadsheets doesn’t have an official name, but that doesn’t mean it’s not real. There’s no need for frustration or regret; your organization’s initial decision to use spreadsheets was very likely the best one at the time.
But as your business needs change, continuing with spreadsheets can present significant risk. An investment in dedicated GRC software is one way to mitigate that risk—and one that merits further investigation.