COMPLIANCE MANAGEMENT BEST PRACTICES

A Publication of www.reciprocitylabs.com

WHEN WILL EXCEL CRUSH YOU?

Reciprocity-Compliance-Management-Tools-eBook 3.23.16

EXCEL: THE FIRST COMPLIANCE TOOL

When companies first determine they need a formal compliance program, many are unclear whether they need a compliance tool to track and manage it. Those that decide they do often wrestle with the myriad choices on the market, many of which are expensive and time-consuming to implement. Not surprisingly, many organizations turn to Microsoft Excel as their compliance tool when first undertaking a GRC program.

It makes a lot of sense. Microsoft Excel is a widely used and pervasive spreadsheet tool. Just about everyone in business is familiar with it and knows how to use it. In its own way, it is a flexible and powerful tool, so it is natural to look to Excel for help tracking compliance initiatives. And there is nothing wrong with using a spreadsheet to track your governance, risk and compliance data. When you first undertake a compliance program, one of the biggest challenges is communicating what you are doing and what is required from others on the team.

Compliance can be complicated: it requires a certain skill set, and you need your organization to buy into the process for it to work. This is why Excel is such a good fit at the start. It allows you to communicate your compliance requirements and timeline in a system that your team is already comfortable with and can easily understand.

CHAPTER 1


ADVANTAGES AND DISADVANTAGES OF EXCEL

Chances are you will be able to track your compliance progress in Excel for an initial audit. During a second-year audit, however, things can get messy: once you add a second or third audit domain, you will need multiple sheets within the workbook.

With your audit data separated across sheets, you lose the ability to view and understand common controls. When each audit domain is tracked as a separate sheet, nothing connects the controls that appear in more than one domain.

Compliance mapping tools and frameworks are available to help with this issue, but you must have a match to use as a basis for the compliance mapping translation. Thus begins your next compliance hurdle.

Compliance mapping enables you to match controls that are similar or identical and apply one process or policy to all of them. For example, if one domain's control asks for a firewall, that control should be common across every domain that requires a firewall.

Unfortunately, this common control is hard to isolate in Excel because the label for the control varies from domain to domain. This is particularly common if you use a custom naming convention that the compliance mapping tool does not recognize. You are essentially missing the key needed to join two separate data sets. As a fix you can add a custom translation column that supplies that key for each row and lets you make the conversion.
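The join problem described above (controls split across per-domain sheets with nothing connecting them, and labels that never agree) and the translation column that fixes it, as an added example. This is not code from the eBook; the domain names, control identifiers, labels and the crosswalk table are constructed for illustration.

```python
"""Cross-domain control mapping with a translation (crosswalk) column.

Added example, not code from the original eBook. The domain names,
control identifiers, labels and the crosswalk below are constructed.
"""
from collections import defaultdict

# Constructed "sheets": one per audit domain, each row is (control_id, label).
DOMAINS = {
    "Domain A": [
        ("A-1", "Firewall configuration standards"),
        ("A-2", "Quarterly access review"),
        ("A-3", "Encrypt sensitive data at rest"),
    ],
    "Domain B": [
        ("B-10", "Network perimeter filtering device"),
        ("B-11", "User access recertification"),
        ("B-12", "Security awareness training"),
    ],
    "Domain C": [
        ("C-7", "Firewall"),
        ("C-8", "Encryption of stored sensitive data"),
    ],
}

# Constructed crosswalk: the "translation column". It maps each domain's own
# control identifier to a canonical key shared by every domain. B-12 has no
# entry on purpose, to show what happens to a row the crosswalk misses.
CROSSWALK = {
    ("Domain A", "A-1"): "COMMON-FIREWALL",
    ("Domain B", "B-10"): "COMMON-FIREWALL",
    ("Domain C", "C-7"): "COMMON-FIREWALL",
    ("Domain A", "A-2"): "COMMON-ACCESS-REVIEW",
    ("Domain B", "B-11"): "COMMON-ACCESS-REVIEW",
    ("Domain A", "A-3"): "COMMON-ENCRYPTION-AT-REST",
    ("Domain C", "C-8"): "COMMON-ENCRYPTION-AT-REST",
}


def naive_join(domains):
    """Join sheets on the raw label text, as a lookup on the label column would.
    Returns {label: {domain, ...}} for labels that occur in more than one domain."""
    seen = defaultdict(set)
    for domain, rows in domains.items():
        for _cid, label in rows:
            seen[label.strip().lower()].add(domain)
    return {label: ds for label, ds in seen.items() if len(ds) > 1}


def translated_join(domains, crosswalk):
    """Join through the translation column instead of the label.
    Returns (common, unmapped): common is {canonical_key: {(domain, control_id), ...}},
    unmapped lists rows with no crosswalk entry, which would otherwise silently
    fall out of the common view."""
    common = defaultdict(set)
    unmapped = []
    for domain, rows in domains.items():
        for cid, _label in rows:
            key = crosswalk.get((domain, cid))
            if key is None:
                unmapped.append((domain, cid))
            else:
                common[key].add((domain, cid))
    return dict(common), unmapped


def shared_controls(domains, crosswalk):
    """Canonical controls present in two or more domains: one policy or process
    satisfies all of them, so evidence is gathered once and reused."""
    common, _ = translated_join(domains, crosswalk)
    return {k: v for k, v in common.items() if len({d for d, _ in v}) > 1}


if __name__ == "__main__":
    print("label join finds:", naive_join(DOMAINS))
    common, unmapped = translated_join(DOMAINS, CROSSWALK)
    for key, members in sorted(common.items()):
        print(key, "->", sorted(members))
    print("rows missing a crosswalk entry:", unmapped)
```

The label-based join finds nothing, because the three firewall controls are labelled three different ways. The crosswalk join groups them under one key, and the `unmapped` list is the check worth keeping: every time a domain is added or a mapping is revised, any row without a translation entry drops out of the common view without any error, so report those rows rather than assume the mapping is complete.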


CONTROL MAPPING WITH EXCEL

With each additional revision to your control mappings, your existing Excel-based system will begin to fall apart. The mapping and re-mapping of compliance data becomes yet another process to support and an increasingly complex data manipulation exercise.

The more you customize your Excel-based solution, the more idiosyncratic it becomes and the more work required to maintain it. As your data sets grow increasingly complex, this custom model will become unworkable.


HAVE YOU OUTGROWN EXCEL?

What are the signs that using Excel has become totally impractical? And how do you know when you have outgrown Excel? As we noted earlier, in year one, when you first embark on your compliance journey, Excel will suffice. However, when you add a second domain in year two, you will likely reach the end of the useful life of an Excel-based model.

Once you have two or more domains, Excel will begin to crush you. Maintaining the spreadsheet and the controls within it will be complex and time-consuming and ultimately, an exercise in futility. And what if your organization needs to meet more than two domains in the first year of your compliance program? Excel can serve as a one-time solution in that scenario. But in subsequent years, you will need a more sophisticated solution.


CHALLENGES OF EXCEL

Here are some of the additional challenges you can expect to face when using Excel to manage your compliance program:

• You will still need a central repository for evidence. Without a central repository, your compliance documentation is likely stored in various Excel files, as well as many other places – Word files, personal emails, PDFs, phone texts, voice mails. Most of these are not readily searchable, available anywhere/anytime, or electronically linked. This puts you in a position of having to hunt down and verify evidence.

• You will need to track versions of evidence to share with auditors. This means you need clean records of action and audit trails, which Excel cannot provide.

• You will need to provide additional oversight to ensure version control for the list of controls and their status. This is where things get tricky with Excel – knowing which version provides a “single version of the truth” and preventing duplicate information and entries.

• You will need to communicate a consistent governance process to your auditors. You’ll need to prove to your auditors that you have a compliance management process and system in place. Just having your compliance data in an Excel spreadsheet isn’t enough.


Here’s a simple guide that will help you determine if an Excel-based compliance management system will work for you, or if your needs are complex enough that you require a more sophisticated compliance solution.

Three questions drive the guide:

1. Is this your first time undertaking compliance?
2. How many domains will be in your scope?
3. Do you already have a GRC tool in place?

• Yes, this is our first time, and the scope is 1-2 domains but likely just 1. Microsoft Excel will suffice. If you already have a GRC tool: with only 1 domain, you can use both, since the level of effort is minimal.

• No, we are in our second year, our scope is unlikely to increase, we have 1-2 domains and we did not have very many findings last year. Microsoft Excel will likely work, but you will need a better tool next year. If you already have a GRC tool: with 1-2 domains, use Excel to augment the process but use your GRC tool to track details.

• No, and our scope continues to expand to 3 or more domains. Microsoft Excel will create inefficiency in the processes. If you already have a GRC tool: with 3 or more domains, it is best to stay away from Excel.

Regardless of whether you use Excel to manage your compliance program or you’ve graduated to a more comprehensive compliance solution, we often see common pitfalls related to compliance and record keeping.

Follow our best practices and avoid these pitfalls and you’ll have a smoother compliance journey – and a much better chance of passing your audit.

HOW TO AVOID COMMON COMPLIANCE PITFALLS


CHAPTER 2

Pitfall 1: Ensure everyone is working off the latest version

One of the first jobs for a compliance team is to identify the controls to test. To test a control you need to provide evidence. Evidence comes in many forms such as screenshots, archived emails or system configuration. The list of controls that you compile for testing will evolve. For example, you may determine that some controls are “not applicable” and remove those. If you fail a specific control, you may need to add more controls to compensate. Control changes and evidence changes will make it difficult for everyone to stay synchronized.

Pitfall 2: Keep a simple method to track the evidence

Your first audit may lead you to believe that you will provide one piece of evidence for each control. Often you will, but a single piece of evidence usually applies to more than one control. For example, your IT Security Policy very likely applies to many controls. Every evidence gap therefore carries a potential domino effect: fail one evidence request and you may fail more than one control. Not only do you need to keep track of the evidence and the controls it affects, you also need to understand how each piece of evidence maps to those controls.
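The many-to-many evidence-to-control mapping and the domino effect of a single missing artifact, as an added example (not code from the eBook). The control identifiers, evidence file names and the mapping between them are constructed for illustration.

```python
"""Evidence-to-control mapping and gap impact analysis.

Added example, not code from the original eBook. Control identifiers,
evidence names and the mapping are constructed for illustration.
"""
from collections import defaultdict

# Constructed evidence register: each artifact and the controls it supports.
# Many-to-many: one artifact backs several controls, and a control may rely
# on several artifacts.
EVIDENCE_TO_CONTROLS = {
    "IT Security Policy v3.pdf": {"CTL-01", "CTL-02", "CTL-05", "CTL-09"},
    "firewall-ruleset-2016Q1.txt": {"CTL-02"},
    "access-review-Q4.xlsx": {"CTL-05", "CTL-06"},
    "onboarding-checklist.docx": {"CTL-09"},
}

# Constructed control list. CTL-11 has no evidence registered at all.
CONTROLS = {"CTL-01", "CTL-02", "CTL-05", "CTL-06", "CTL-09", "CTL-11"}


def controls_to_evidence(mapping):
    """Invert the register: {control: {artifact, ...}}."""
    inv = defaultdict(set)
    for artifact, ctls in mapping.items():
        for ctl in ctls:
            inv[ctl].add(artifact)
    return dict(inv)


def unevidenced_controls(controls, mapping):
    """Controls in scope with no artifact behind them: guaranteed findings."""
    return set(controls) - set(controls_to_evidence(mapping))


def impact_of_missing(missing, mapping):
    """Domino effect of failing the evidence requests in `missing`.
    'failing' = controls whose every supporting artifact is missing;
    'weakened' = controls that lose some support but keep at least one artifact."""
    failing, weakened = set(), set()
    for ctl, artifacts in controls_to_evidence(mapping).items():
        lost = artifacts & set(missing)
        if not lost:
            continue
        if lost == artifacts:
            failing.add(ctl)
        else:
            weakened.add(ctl)
    return {"failing": failing, "weakened": weakened}


def single_points_of_failure(mapping):
    """Artifacts that are the sole evidence for one or more controls:
    {artifact: {control, ...}}. These are the requests you cannot afford to miss."""
    spof = defaultdict(set)
    for ctl, artifacts in controls_to_evidence(mapping).items():
        if len(artifacts) == 1:
            (artifact,) = artifacts
            spof[artifact].add(ctl)
    return dict(spof)


if __name__ == "__main__":
    print("no evidence:", unevidenced_controls(CONTROLS, EVIDENCE_TO_CONTROLS))
    print("if the policy is missing:",
          impact_of_missing({"IT Security Policy v3.pdf"}, EVIDENCE_TO_CONTROLS))
    print("single points of failure:", single_points_of_failure(EVIDENCE_TO_CONTROLS))
```

Losing the one policy document in this constructed register fails CTL-01 outright and weakens three further controls, which is the domino effect the text describes. Keeping the register in this inverted form is what lets you answer the auditor's question "which controls does this artifact cover?" without re-reading every row.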


Pitfall 3: Document everything

You will have many interviews during the compliance audit process. These interviews will review the controls with the individuals who perform them. For example, your server administrator will be interviewed about server security controls. Onboarding new employees will include an interview with the Human Resources team. Each interview will produce more evidence requests. You will need to document all of this and be proactive in tracking down the evidence that fulfills the auditor’s requests. It’s your responsibility to check with the auditor to ensure they receive what was requested. Your first compliance audit experiences will be more focused on answering interview questions. It can be difficult to also make a list of the evidence requests. But without the evidence, the audit will fail. This is why it is important that you keep detailed notes and track all requests.

Pitfall 4: Make sure everyone uses the same process

It’s difficult to force everyone to use the same process – but it’s essential. Storing evidence in the same location seems easy. But if you create a common folder on the network drive, what do you do when someone doesn’t use it? What is your backup plan when individuals email the auditor directly instead? Enforcing the process and keeping a paper trail can be the difference between passing or failing an audit.

CONCLUSION

Management of a risk and compliance program is a journey, not a "big bang." Ultimately the compliance management process you put in place and the systems you use need to be flexible and resilient to business change, while still providing visibility into your real risk profile.

Companies just starting their compliance journey often find that Excel is more than sufficient for the initial steps. But compliance is hard, complicated work, and companies are often under intense pressure to demonstrate control over regulatory complexity. An integrated compliance program that avoids "silos" is critical. Knowing when to make the leap to a more sophisticated compliance management process and comprehensive GRC tools can make a huge difference in audit cost and in a pass or fail outcome.

COMPLIANCE AGILITY REQUIRES AGILE TOOLS.

Are you ready to make the transition from Excel to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization.

Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.

Reciprocity makes compliance work more engaging and rewarding.

Reciprocity's mission is to turn corporate compliance from a cost center into a valuable strategic asset. We make compliance and risk officers more nimble with lightweight software designed for fast-growing companies. Our Governance, Risk, and Compliance (GRC) software helps compliance, risk and audit managers keep pace with the fast-moving world of business.

Visit us online at www.reciprocitylabs.com.