Spreadsheet Management is Key to GRC Success in Organisations
By Tony Bethell, VP Strategic Alliances
Most large organisations have deployed one or more GRC systems to provide visibility across areas such as Operational Risk, IT Risk and Model Risk Governance, in support of the company’s policies and risk profiles. GRC solutions are designed to let organisations effectively monitor and control their underlying business processes, so that the business stays aligned with the organisation’s desired risk profile.
Today, spreadsheets are an integral part of any organisation’s business processes. These Excel files are critical to some of the GRC controls – either as evidence in support of the controls or as the controls themselves. As such, the spreadsheets need to be monitored and managed for change. Historically, one of the control questions may have been as simple as “do you ensure that any changes to the spreadsheet are reviewed and approved?” The answer may be “yes”, but would not have necessarily been supported by any evidence or audit trail.
Spreadsheets are notoriously difficult to manage for change. Excel does not have a redline function like Word, so in order to provide evidence that a spreadsheet has been reviewed and approved when changed, either the spreadsheet is designed to only allow change within narrow parameters or significant human resources are deployed to check for every change made. In a complex multi-row, multi-worksheet file this task is very labour intensive, and since organisations typically have tens, if not hundreds or thousands, of such business-critical spreadsheets, this labour overhead should not be underestimated if the reviews are to be carried out effectively.
Recognising the role that spreadsheets play in GRC initiatives, regulators have become wise to the simple “yes” answer described above. They are now demanding that organisations demonstrate more detailed evidence of spreadsheet management and control. For example, for Sarbanes-Oxley compliance, the Public Company Accounting Oversight Board (PCAOB) is pressing auditors to ensure organisations are suitably monitoring and controlling their critical spreadsheets, in order to demonstrate that their spreadsheet management is accurate, transparent and immediate. The concept is equally applicable to other regulations such as CCAR, DFAST, Solvency II, BCBS 239, IFRS9, GDPR, SR 11-7 and so on, where regulators are seeking appropriate controls because they recognise that poor spreadsheet management could result in control breaks.
But worry not – there is technology available to help organisations deliver controls in a cost-efficient, transparent and timely manner. ClusterSeven’s solution allows organisations to measure, monitor and manage every change made to a business-critical spreadsheet. Examples of changes may be as simple as a value threshold being exceeded, a change in the code of a macro, or an external data feed to the Excel file failing to function. The GRC process manager is alerted to this control break and can kick off a remediation process to be undertaken by the Excel owner. This remediation procedure is a closed-loop, auditable process, which circles back to confirm to the GRC control owner that the Excel owner has reviewed and approved any updates and alterations in detail.
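The three kinds of change described above (a cell value crossing a threshold, a change to macro code, an external feed that stops refreshing) and the closed-loop, auditable remediation can be illustrated with a small change-detection and audit-trail routine. The code below is an added example written for this article; it is not ClusterSeven's product code and does not use any ClusterSeven API. It assumes a workbook has already been captured into an in-memory snapshot (sheet name to cell values, plus the VBA source text and a feed status flag); the `Snapshot`, `evaluate` and `AuditTrail` names and the sample workbook contents are constructed for the example. A real capture would read the `.xlsm` file with a library such as openpyxl.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # hash-chain anchor for the first audit entry


@dataclass
class Snapshot:
    """Point-in-time capture of a workbook (constructed stand-in for a file read)."""
    cells: dict          # {sheet name: {cell ref: value}}
    macro_source: str    # VBA project text
    feed_ok: bool        # did the external data feed refresh successfully?


def cell_changes(before, after):
    """Cell-level redline: every added, removed or modified cell across all sheets."""
    changes = []
    for sheet in sorted(set(before.cells) | set(after.cells)):
        old, new = before.cells.get(sheet, {}), after.cells.get(sheet, {})
        for ref in sorted(set(old) | set(new)):
            if old.get(ref) != new.get(ref):
                changes.append({"sheet": sheet, "cell": ref,
                                "old": old.get(ref), "new": new.get(ref)})
    return changes


def macro_digest(src):
    """Fingerprint the VBA source so any edit to macro code is detectable."""
    return hashlib.sha256(src.encode()).hexdigest()


def evaluate(before, after, thresholds):
    """Return the control breaks between two snapshots.

    thresholds maps (sheet, cell) to the maximum value the control allows.
    """
    breaks = []
    for ch in cell_changes(before, after):
        breaks.append({"type": "cell_change", **ch})
        limit = thresholds.get((ch["sheet"], ch["cell"]))
        if limit is not None and isinstance(ch["new"], (int, float)) and ch["new"] > limit:
            breaks.append({"type": "threshold_exceeded", "sheet": ch["sheet"],
                           "cell": ch["cell"], "value": ch["new"], "limit": limit})
    old_m, new_m = macro_digest(before.macro_source), macro_digest(after.macro_source)
    if old_m != new_m:
        breaks.append({"type": "macro_changed", "old_sha256": old_m, "new_sha256": new_m})
    if before.feed_ok and not after.feed_ok:
        breaks.append({"type": "feed_failed"})
    return breaks


class AuditTrail:
    """Append-only, hash-chained log of control breaks and their approvals."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def record_breaks(self, breaks, workbook):
        """Log each break; the returned hashes identify them for later approval."""
        return [self._append({"event": "control_break", "workbook": workbook, **b})
                for b in breaks]

    def approve(self, break_hash, reviewer, comment):
        """Close the loop: the Excel owner's review is itself an immutable entry."""
        return self._append({"event": "approved", "break": break_hash,
                             "reviewer": reviewer, "comment": comment})

    def open_breaks(self):
        """Breaks that no approval entry references yet."""
        approved = {e["record"]["break"] for e in self.entries
                    if e["record"]["event"] == "approved"}
        return [e["hash"] for e in self.entries
                if e["record"]["event"] == "control_break" and e["hash"] not in approved]

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True, default=str)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sample_snapshots():
    """Constructed before/after states of a hypothetical capital model workbook."""
    before = Snapshot({"Model": {"B2": 100, "B3": 250}, "Inputs": {"A1": "rate"}},
                      "Sub Refresh()\n  Range(\"B3\").Value = 250\nEnd Sub", True)
    after = Snapshot({"Model": {"B2": 100, "B3": 1250}, "Inputs": {"A1": "rate", "A2": 0.05}},
                     "Sub Refresh()\n  Range(\"B3\").Value = 1250\nEnd Sub", False)
    return before, after, {("Model", "B3"): 1000}


if __name__ == "__main__":
    b, a, t = sample_snapshots()
    trail = AuditTrail()
    for h, brk in zip(trail.record_breaks(evaluate(b, a, t), "capital_model.xlsm"), evaluate(b, a, t)):
        print(h[:12], brk["type"])
    print("chain intact:", trail.verify(), "open breaks:", len(trail.open_breaks()))
```

The hash chain is what turns the log into evidence rather than a mutable note: each approval is bound to the specific break it closes, and `verify()` fails if any earlier entry is altered after the fact, which is the property an auditor asking for a spreadsheet change trail is looking for.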
ClusterSeven’s spreadsheet management solution supplements traditional GRC systems with evidence and functionality that is accurate, transparent, auditable and cost-effective. If spreadsheet management for GRC is an area that you are exploring, please get in touch with us.