COMPLIANCE MANAGEMENT
BEST PRACTICES
A Publication of
www.reciprocitylabs.com
WHEN WILL EXCEL CRUSH YOU?
CHAPTER 1
EXCEL: THE FIRST COMPLIANCE TOOL

When companies first determine they need a formal compliance program, many are unclear whether they also need a tool to track and manage it. Those that decide they do often wrestle with the many choices on the market, many of which are expensive and time-consuming to implement. Not surprisingly, many organizations turn to Microsoft Excel as their compliance tool when first undertaking a GRC program.

It makes a lot of sense. Microsoft Excel is a widely used and pervasive spreadsheet tool. Just about everyone in business is familiar with it and knows how to use it. In its own way, it is a flexible and powerful tool, so it is natural to look to Excel for help tracking compliance initiatives. There is nothing wrong with using a spreadsheet to track your governance, risk and compliance data. When you first undertake a compliance program, one of the biggest challenges is communicating what you are doing and what is required from others on the team.

Compliance can be complicated. It requires a certain skill set, and you need your organization to buy into the process for it to work. This is why Excel is such a good fit at the start: it lets you communicate your compliance requirements and timeline in a system your team is already comfortable with and can easily understand.
ADVANTAGES AND DISADVANTAGES OF EXCEL

Chances are you will be able to track your compliance progress in Excel for an initial audit. During a second-year audit, however, things can get messy. Once you add a second or third audit domain, you will need multiple sheets within Excel, and with your audit data separated across sheets you lose the ability to see and understand common controls. When each audit domain is tracked on its own sheet, nothing connects the controls on one sheet to the equivalent controls on another.

Compliance mapping tools and frameworks exist to help with this, but they can only translate between domains if your control labels match the identifiers the mapping expects. Thus begins your next compliance hurdle.

Compliance mapping lets you match controls that are similar or identical and apply one process or policy to all of them. For example, if one domain's control asks for a firewall, that control should be common across every domain that requires a firewall. Unfortunately, this single requirement is hard to isolate in Excel because each domain labels the control differently. The problem is especially common if you use a custom naming convention that the mapping tool does not recognize: you are essentially missing the key needed to join two separate data sets. As a fix, you can add a custom translation column that maps each of your labels to the identifier the mapping uses, which allows you to make the conversion.
CONTROL MAPPING WITH EXCEL

With each further revision to your control mappings, an Excel-based system begins to fall apart. Mapping and re-mapping compliance data becomes yet another process to support and an increasingly complex data-manipulation exercise.

The more you customize your Excel-based solution, the more idiosyncratic it becomes and the more work it takes to maintain. As your data sets grow more complex, this custom model becomes unworkable.
HAVE YOU OUTGROWN EXCEL?

What are the signs that using Excel has become impractical, and how do you know when you have outgrown it? As noted earlier, in year one, when you first embark on your compliance journey, Excel will suffice. When you add a second domain in year two, however, you will likely reach the end of the useful life of an Excel-based model.

Once you have two or more domains, Excel will begin to crush you. Maintaining the spreadsheet and the controls within it becomes complex and time-consuming and, ultimately, an exercise in futility. What if your organization needs to meet more than two domains in the first year of its compliance program? Excel can serve as a one-time solution in that scenario, but in subsequent years you will need a more sophisticated solution.
CHALLENGES OF EXCEL

Here are some of the additional challenges you can expect to face when using Excel to manage your compliance program:

• You will still need a central repository for evidence. Without one, your compliance documentation ends up scattered across various Excel files and many other places: Word files, personal emails, PDFs, text messages, voice mails. Most of these are not readily searchable, available anywhere and anytime, or electronically linked, which leaves you hunting down and verifying evidence.
• You will need to track versions of the evidence you share with auditors. That means clean records of actions and audit trails, which Excel does not provide.
• You will need additional oversight to keep version control over the list of controls and their status. This is where things get tricky with Excel: knowing which copy is the "single version of the truth" and preventing duplicate information and entries.
• You will need to communicate a consistent governance process to your auditors. You must prove to them that you have a compliance management process and system in place. Simply having your compliance data in an Excel spreadsheet is not enough.
Here is a simple guide to help you determine whether an Excel-based compliance management system will work for you, or whether your needs are complex enough to require a more sophisticated compliance solution. The guide asks three questions.

Is this your first time undertaking compliance?
• Yes: Microsoft Excel will suffice.
• No, we are in our second year, but our scope is unlikely to increase: Microsoft Excel will likely work, but you will need a better tool next year.
• No, and our scope continues to expand: Microsoft Excel will create inefficiency in your processes.

How many domains will be in your scope?
• 3 or more: with 3 or more domains, it is best to stay away from Excel.
• 1-2: the answer depends on whether you already have a GRC tool in place (next question).

Already have a GRC tool in place?
• Yes, with 1-2 domains but likely just 1: with only 1 domain, you can use both, since the level of effort is minimal.
• Yes, with 1-2 domains and not very many findings last year: use Excel to augment the process, but use your GRC tool to track the details.
CHAPTER 2
HOW TO AVOID COMMON COMPLIANCE PITFALLS

Regardless of whether you use Excel to manage your compliance program or have graduated to a more comprehensive compliance solution, we often see common pitfalls related to compliance and record keeping. Follow our best practices, avoid these pitfalls, and you will have a smoother compliance journey and a much better chance of passing your audit.
Pitfall 1: Ensure everyone is working off the latest version

One of the first jobs for a compliance team is to identify the controls to test. To test a control, you need to provide evidence, which comes in many forms such as screenshots, archived emails or system configuration. The list of controls you compile for testing will evolve. For example, you may determine that some controls are "not applicable" and remove them, or, if you fail a specific control, you may need to add compensating controls. Changes to both controls and evidence make it difficult for everyone to stay synchronized unless there is a single, current list that everyone works from.

Pitfall 2: Keep a simple method to track the evidence

Your first audit may lead you to believe that you will provide one piece of evidence for each control. In practice, a single piece of evidence usually applies to more than one control. For example, your IT Security Policy very likely satisfies many controls. Every evidence gap therefore carries a potential domino effect: fail one evidence request and you may fail several controls. You need to keep track not only of the evidence and the controls it supports, but of exactly how each piece of evidence maps to those controls.
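The two data problems this eBook describes, the missing join key between per-domain control sheets (Chapter 1) and the one-to-many link between an evidence item and the controls it satisfies (Pitfall 2), are easier to see in code than in a spreadsheet. The following is an added example and is not part of the original eBook or of any Reciprocity product. The two audit domains, their control identifiers, the crosswalk rows and the evidence file names are all constructed for illustration and do not come from any real standard.

```python
"""Control crosswalk and evidence-impact model for a multi-domain audit.

Added example. DOMAIN_A, DOMAIN_B, CROSSWALK and EVIDENCE are constructed
sample data, not real frameworks or real audit artefacts.
"""
from collections import defaultdict

# Two audit domains, each labelling the same requirement its own way.
DOMAIN_A = {
    "A-NET-01": "Network boundary firewall in place",
    "A-HR-03": "Background checks before onboarding",
    "A-SEC-07": "Written information security policy",
}
DOMAIN_B = {
    "B-1.4": "Perimeter firewall configured and reviewed",
    "B-2.9": "Security policy approved by management",
    "B-5.2": "Quarterly access reviews",
}

# The "custom translation column": each local label maps to a domain-neutral
# common-control key. This is the join key that separate sheets lack.
CROSSWALK = [
    ("A-NET-01", "CC-FIREWALL"),
    ("B-1.4", "CC-FIREWALL"),
    ("A-SEC-07", "CC-SECPOLICY"),
    ("B-2.9", "CC-SECPOLICY"),
    ("A-HR-03", "CC-BGCHECK"),
    # B-5.2 deliberately has no row, so it shows up as unmapped.
]

# One evidence artefact can satisfy several common controls at once.
EVIDENCE = {
    "firewall-ruleset-export.txt": ["CC-FIREWALL"],
    "InfoSec-Policy-v3.pdf": ["CC-SECPOLICY"],
    "hr-background-check-log.xlsx": ["CC-BGCHECK"],
}


def naive_label_matches(*domains):
    """What an exact-text lookup across sheets finds: only identical labels."""
    seen = {}
    matches = []
    for domain in domains:
        for control, description in domain.items():
            label = description.strip().lower()
            if label in seen:
                matches.append((seen[label], control))
            seen[label] = control
    return matches


def common_controls(crosswalk, *domains):
    """Join domains on the crosswalk key; keep keys present in 2+ domains."""
    by_key = defaultdict(set)
    for local, key in crosswalk:
        by_key[key].add(local)
    shared = {}
    for key, locals_ in by_key.items():
        owners = {i for i, domain in enumerate(domains)
                  for c in locals_ if c in domain}
        if len(owners) >= 2:
            shared[key] = sorted(locals_)
    return shared


def unmapped_controls(crosswalk, *domains):
    """Controls with no crosswalk row: the gap the page warns about."""
    mapped = {local for local, _ in crosswalk}
    return sorted(c for domain in domains for c in domain if c not in mapped)


def controls_failed_by_missing(evidence_name, evidence, crosswalk):
    """Domino effect: every local control that depends on one missing artefact."""
    keys = set(evidence.get(evidence_name, ()))
    return sorted(local for local, key in crosswalk if key in keys)


if __name__ == "__main__":
    print("exact-label matches:", naive_label_matches(DOMAIN_A, DOMAIN_B))
    print("common controls:", common_controls(CROSSWALK, DOMAIN_A, DOMAIN_B))
    print("unmapped:", unmapped_controls(CROSSWALK, DOMAIN_A, DOMAIN_B))
    print("if the policy PDF is missing, these controls fail:",
          controls_failed_by_missing("InfoSec-Policy-v3.pdf", EVIDENCE, CROSSWALK))
```

The exact-label lookup finds nothing even though two of the requirements are the same, which is the failure the Chapter 1 text describes; the crosswalk makes the firewall and security-policy controls visible as common controls, flags the one control nobody mapped, and shows that losing a single evidence file fails a control in each domain.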
Pitfall 3: Document everything

You will have many interviews during the compliance audit process, in which the auditor reviews the controls with the individuals who perform them. For example, your server administrator will be interviewed about server security controls, and employee onboarding will be reviewed in an interview with the Human Resources team. Each interview produces more evidence requests. You will need to document all of them and be proactive in tracking down the evidence that fulfills the auditor's requests. It is your responsibility to check with the auditor to ensure they received what they asked for.

In your first compliance audit you will be focused on answering interview questions, and it can be difficult to also keep a list of the evidence requests. But without the evidence, the audit will fail. This is why it is important to keep detailed notes and track every request.

Pitfall 4: Make sure everyone uses the same process

It is difficult to force everyone to use the same process, but it is essential. Storing evidence in the same location sounds easy. But if you create a common folder on the network drive, what do you do when someone does not use it? What is your backup plan when individuals email the auditor directly instead? Enforcing the process and keeping a paper trail can be the difference between passing and failing an audit.
CONCLUSION

Management of a risk and compliance program is a journey, not a "big bang." Ultimately, the compliance management process you put in place and the systems you use need to be flexible and resilient to business change while still providing visibility into your real risk profile.

Companies just starting their compliance journey often find that Excel is more than sufficient for the initial steps. But compliance is hard, complicated work, and companies are often under intense pressure to demonstrate control over regulatory complexity. An integrated compliance program that avoids "silos" is critical, and knowing when to make the leap to a more sophisticated compliance management process and comprehensive GRC tools can make a huge difference in audit costs and in a pass or fail outcome.

COMPLIANCE AGILITY REQUIRES AGILE TOOLS.

Are you ready to make the transition from Excel to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization.

Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.
Reciprocity makes compliance work more engaging and rewarding.
Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic
asset. We make compliance and risk officers more nimble with lightweight software designed
for hot growing companies. Our Governance, Risk, and Compliance (GRC) Software
encourages compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with
the fast paced world of business.
Visit us online at www.reciprocitylabs.com.

More Related Content

What's hot

The Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesThe Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesWill Kelly
 
Edge wave 6 Important Steps to Evaluating a Web Filtering Solution
Edge wave 6 Important Steps to Evaluating a Web Filtering SolutionEdge wave 6 Important Steps to Evaluating a Web Filtering Solution
Edge wave 6 Important Steps to Evaluating a Web Filtering Solution
CMR WORLD TECH
 
New Business Models in Behavioral Health IT
New Business Models in Behavioral Health ITNew Business Models in Behavioral Health IT
New Business Models in Behavioral Health IT
Hostway|HOSTING
 
Compliance Management Software | Corporate Compliance
Compliance Management Software | Corporate ComplianceCompliance Management Software | Corporate Compliance
Compliance Management Software | Corporate Compliance
Corporater
 
Why project erp is a worthwhile investment for cros: ENSURING ROI.
Why project erp is a worthwhile investment for cros: ENSURING ROI.Why project erp is a worthwhile investment for cros: ENSURING ROI.
Why project erp is a worthwhile investment for cros: ENSURING ROI.
ARITHMOS
 
Allgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance ManagementAllgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance Management
CIO Look Magazine
 
Managed Test Services - Maveric Systems
Managed Test Services - Maveric SystemsManaged Test Services - Maveric Systems
Managed Test Services - Maveric Systems
Maveric Systems
 
It32015 slides
It32015 slidesIt32015 slides
It32015 slides
Jim Kaplan CIA CFE
 
Case Study: How a fortune 500 global security company reduced SoD Auditing by...
Case Study: How a fortune 500 global security company reduced SoD Auditing by...Case Study: How a fortune 500 global security company reduced SoD Auditing by...
Case Study: How a fortune 500 global security company reduced SoD Auditing by...
Maria Wilson
 
ServiceNow Performance Analytics for Security Operations
ServiceNow Performance Analytics for Security OperationsServiceNow Performance Analytics for Security Operations
ServiceNow Performance Analytics for Security Operations
Jade Global
 
Technology ahia 2012 jmk
Technology ahia 2012 jmkTechnology ahia 2012 jmk
Technology ahia 2012 jmk
Jim Kaplan CIA CFE
 
FixNix GRC suite
FixNix GRC suiteFixNix GRC suite
FixNix GRC suite
FixNix Inc.,
 
Erp programme assurance
Erp programme assuranceErp programme assurance
Erp programme assurance
Poonam pandey
 
eBook Spreadsheet to WebAPP
eBook Spreadsheet to WebAPPeBook Spreadsheet to WebAPP
eBook Spreadsheet to WebAPP
Abhishek Ranjan
 
NEMEA Compliance center
NEMEA Compliance centerNEMEA Compliance center
NEMEA Compliance center
NEMEA Security Services
 
Future of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTFuture of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CAST
CAST
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
FixNix Inc.,
 
7_Steps_to_Regulatory_Data_Compliance_infographic_Final
7_Steps_to_Regulatory_Data_Compliance_infographic_Final7_Steps_to_Regulatory_Data_Compliance_infographic_Final
7_Steps_to_Regulatory_Data_Compliance_infographic_FinalConor Coughlan
 
Optimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation SinsOptimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation Sins
BurCom Consulting Ltd.
 
Ideagen Pentana BrochureJuly2014
Ideagen Pentana BrochureJuly2014Ideagen Pentana BrochureJuly2014
Ideagen Pentana BrochureJuly2014Prokhor Proshkin
 

What's hot (20)

The Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSesThe Plan for Upgrading Windows OSes
The Plan for Upgrading Windows OSes
 
Edge wave 6 Important Steps to Evaluating a Web Filtering Solution
Edge wave 6 Important Steps to Evaluating a Web Filtering SolutionEdge wave 6 Important Steps to Evaluating a Web Filtering Solution
Edge wave 6 Important Steps to Evaluating a Web Filtering Solution
 
New Business Models in Behavioral Health IT
New Business Models in Behavioral Health ITNew Business Models in Behavioral Health IT
New Business Models in Behavioral Health IT
 
Compliance Management Software | Corporate Compliance
Compliance Management Software | Corporate ComplianceCompliance Management Software | Corporate Compliance
Compliance Management Software | Corporate Compliance
 
Why project erp is a worthwhile investment for cros: ENSURING ROI.
Why project erp is a worthwhile investment for cros: ENSURING ROI.Why project erp is a worthwhile investment for cros: ENSURING ROI.
Why project erp is a worthwhile investment for cros: ENSURING ROI.
 
Allgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance ManagementAllgress | Industry Proven Risk and Compliance Management
Allgress | Industry Proven Risk and Compliance Management
 
Managed Test Services - Maveric Systems
Managed Test Services - Maveric SystemsManaged Test Services - Maveric Systems
Managed Test Services - Maveric Systems
 
It32015 slides
It32015 slidesIt32015 slides
It32015 slides
 
Case Study: How a fortune 500 global security company reduced SoD Auditing by...
Case Study: How a fortune 500 global security company reduced SoD Auditing by...Case Study: How a fortune 500 global security company reduced SoD Auditing by...
Case Study: How a fortune 500 global security company reduced SoD Auditing by...
 
ServiceNow Performance Analytics for Security Operations
ServiceNow Performance Analytics for Security OperationsServiceNow Performance Analytics for Security Operations
ServiceNow Performance Analytics for Security Operations
 
Technology ahia 2012 jmk
Technology ahia 2012 jmkTechnology ahia 2012 jmk
Technology ahia 2012 jmk
 
FixNix GRC suite
FixNix GRC suiteFixNix GRC suite
FixNix GRC suite
 
Erp programme assurance
Erp programme assuranceErp programme assurance
Erp programme assurance
 
eBook Spreadsheet to WebAPP
eBook Spreadsheet to WebAPPeBook Spreadsheet to WebAPP
eBook Spreadsheet to WebAPP
 
NEMEA Compliance center
NEMEA Compliance centerNEMEA Compliance center
NEMEA Compliance center
 
Future of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTFuture of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CAST
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
7_Steps_to_Regulatory_Data_Compliance_infographic_Final
7_Steps_to_Regulatory_Data_Compliance_infographic_Final7_Steps_to_Regulatory_Data_Compliance_infographic_Final
7_Steps_to_Regulatory_Data_Compliance_infographic_Final
 
Optimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation SinsOptimize Your ERP System: How to Avoid the Implementation Sins
Optimize Your ERP System: How to Avoid the Implementation Sins
 
Ideagen Pentana BrochureJuly2014
Ideagen Pentana BrochureJuly2014Ideagen Pentana BrochureJuly2014
Ideagen Pentana BrochureJuly2014
 

Similar to Reciprocity-Compliance-Management-Tools-eBook 3.23.16

Testing Data & Data-Centric Applications - Whitepaper
Testing Data & Data-Centric Applications - WhitepaperTesting Data & Data-Centric Applications - Whitepaper
Testing Data & Data-Centric Applications - WhitepaperRyan Dowd
 
Whitepaper: How to perform better test on SAP PI/PO
Whitepaper: How to perform better test on SAP PI/POWhitepaper: How to perform better test on SAP PI/PO
Whitepaper: How to perform better test on SAP PI/PO
Daniel Graversen
 
How To Elminate Errors and Increase Efficiency
How To Elminate Errors and Increase EfficiencyHow To Elminate Errors and Increase Efficiency
How To Elminate Errors and Increase Efficiency
SmartDraw Software
 
A G S010 Taylor 091907
A G S010  Taylor 091907A G S010  Taylor 091907
A G S010 Taylor 091907
Dreamforce07
 
IRJET- Testing Improvement in Business Intelligence Area
IRJET- Testing Improvement in Business Intelligence AreaIRJET- Testing Improvement in Business Intelligence Area
IRJET- Testing Improvement in Business Intelligence Area
IRJET Journal
 
The Ultimate Workflow Management Software Buyers Guide 2023
The Ultimate Workflow Management Software Buyers Guide 2023The Ultimate Workflow Management Software Buyers Guide 2023
The Ultimate Workflow Management Software Buyers Guide 2023
Kashish Trivedi
 
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
alfredowpjr
 
Erp presentation
Erp presentationErp presentation
Erp presentation
jan aljan
 
Extending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerExtending Change Auditing to Exchange Server
Extending Change Auditing to Exchange Server
Netwrix Corporation
 
7 signs that show you need to start using an mrp system
7 signs that show you need to start using an mrp system7 signs that show you need to start using an mrp system
7 signs that show you need to start using an mrp system
MRPeasy
 
Make Continuous Delivery work for middle management
Make Continuous Delivery work for middle managementMake Continuous Delivery work for middle management
Make Continuous Delivery work for middle management
Matteo Emili
 
Lessons Learned from ELN & LIMS Implementations
Lessons Learned from ELN & LIMS ImplementationsLessons Learned from ELN & LIMS Implementations
Lessons Learned from ELN & LIMS Implementations
Mark Fortner
 
Problems in using_spreadsheets_to_collect_clinical
Problems in using_spreadsheets_to_collect_clinicalProblems in using_spreadsheets_to_collect_clinical
Problems in using_spreadsheets_to_collect_clinical
sushant deshmukh
 
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
Kovair
 
10 tips-for-optimizing-sql-server-performance-white-paper-22127
10 tips-for-optimizing-sql-server-performance-white-paper-2212710 tips-for-optimizing-sql-server-performance-white-paper-22127
10 tips-for-optimizing-sql-server-performance-white-paper-22127
Kaizenlogcom
 
Auditing and marketing discussion 7 for profstan only
Auditing and marketing discussion 7 for profstan onlyAuditing and marketing discussion 7 for profstan only
Auditing and marketing discussion 7 for profstan only
allhomeworktutors
 
10 Excel-lent Ideas that will make you more Productive
10 Excel-lent Ideas that will make you more Productive10 Excel-lent Ideas that will make you more Productive
10 Excel-lent Ideas that will make you more Productive
Access Analytic ... providing AMAZING Power BI and Excel solutions
 
Effective Bug Tracking Systems: Theories and Implementation
Effective Bug Tracking Systems: Theories and ImplementationEffective Bug Tracking Systems: Theories and Implementation
Effective Bug Tracking Systems: Theories and Implementation
IOSR Journals
 
54 C o m m u n i C at i o n s o F t h e a C m j u.docx
54    C o m m u n i C at i o n s  o F  t h e  a C m       j u.docx54    C o m m u n i C at i o n s  o F  t h e  a C m       j u.docx
54 C o m m u n i C at i o n s o F t h e a C m j u.docx
evonnehoggarth79783
 
Business Use Case Paper
Business Use Case PaperBusiness Use Case Paper
Business Use Case Paper
Utkarsh Agrawal
 

Similar to Reciprocity-Compliance-Management-Tools-eBook 3.23.16 (20)

Testing Data & Data-Centric Applications - Whitepaper
Testing Data & Data-Centric Applications - WhitepaperTesting Data & Data-Centric Applications - Whitepaper
Testing Data & Data-Centric Applications - Whitepaper
 
Whitepaper: How to perform better test on SAP PI/PO
Whitepaper: How to perform better test on SAP PI/POWhitepaper: How to perform better test on SAP PI/PO
Whitepaper: How to perform better test on SAP PI/PO
 
How To Elminate Errors and Increase Efficiency
How To Elminate Errors and Increase EfficiencyHow To Elminate Errors and Increase Efficiency
How To Elminate Errors and Increase Efficiency
 
A G S010 Taylor 091907
A G S010  Taylor 091907A G S010  Taylor 091907
A G S010 Taylor 091907
 
IRJET- Testing Improvement in Business Intelligence Area
IRJET- Testing Improvement in Business Intelligence AreaIRJET- Testing Improvement in Business Intelligence Area
IRJET- Testing Improvement in Business Intelligence Area
 
The Ultimate Workflow Management Software Buyers Guide 2023
The Ultimate Workflow Management Software Buyers Guide 2023The Ultimate Workflow Management Software Buyers Guide 2023
The Ultimate Workflow Management Software Buyers Guide 2023
 
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
4 Potencially Expensive Mistakes to Avoid When you are Using Excel for Estima...
 
Erp presentation
Erp presentationErp presentation
Erp presentation
 
Extending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerExtending Change Auditing to Exchange Server
Extending Change Auditing to Exchange Server
 
7 signs that show you need to start using an mrp system
7 signs that show you need to start using an mrp system7 signs that show you need to start using an mrp system
7 signs that show you need to start using an mrp system
 
Make Continuous Delivery work for middle management
Make Continuous Delivery work for middle managementMake Continuous Delivery work for middle management
Make Continuous Delivery work for middle management
 
Lessons Learned from ELN & LIMS Implementations
Lessons Learned from ELN & LIMS ImplementationsLessons Learned from ELN & LIMS Implementations
Lessons Learned from ELN & LIMS Implementations
 
Problems in using_spreadsheets_to_collect_clinical
Problems in using_spreadsheets_to_collect_clinicalProblems in using_spreadsheets_to_collect_clinical
Problems in using_spreadsheets_to_collect_clinical
 
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
3 Approaches for Integrated ALM - A Case for ALM Platform - Whitepaper
 
10 tips-for-optimizing-sql-server-performance-white-paper-22127
10 tips-for-optimizing-sql-server-performance-white-paper-2212710 tips-for-optimizing-sql-server-performance-white-paper-22127
10 tips-for-optimizing-sql-server-performance-white-paper-22127
 
Auditing and marketing discussion 7 for profstan only
Auditing and marketing discussion 7 for profstan onlyAuditing and marketing discussion 7 for profstan only
Auditing and marketing discussion 7 for profstan only
 
10 Excel-lent Ideas that will make you more Productive
10 Excel-lent Ideas that will make you more Productive10 Excel-lent Ideas that will make you more Productive
10 Excel-lent Ideas that will make you more Productive
 
Effective Bug Tracking Systems: Theories and Implementation
Effective Bug Tracking Systems: Theories and ImplementationEffective Bug Tracking Systems: Theories and Implementation
Effective Bug Tracking Systems: Theories and Implementation
 
54 C o m m u n i C at i o n s o F t h e a C m j u.docx
54    C o m m u n i C at i o n s  o F  t h e  a C m       j u.docx54    C o m m u n i C at i o n s  o F  t h e  a C m       j u.docx
54 C o m m u n i C at i o n s o F t h e a C m j u.docx
 
Business Use Case Paper
Business Use Case PaperBusiness Use Case Paper
Business Use Case Paper
 

Reciprocity-Compliance-Management-Tools-eBook 3.23.16

  • 1. COMPLIANCE MANAGEMENT BEST PRACTICES A Publication of www.reciprocitylabs.com WHEN WILL EXCEL CRUSH YOU?
  • 2. TYPE TO ENTER TEXT EXCEL: THE FIRST COMPLIANCE TOOL When companies first determine they need a formal compliance program, many are unclear if they need a compliance tool to track and manage their program. And those that determine they do need a tool, often wrestle with the myriad of choices available in the market – many of which are expensive and time- consuming to implement. Not surprisingly, many organizations turn to Microsoft Excel as their compliance tool when first undertaking a GRC program. It makes a lot of sense. Microsoft Excel is a widely used and pervasive spreadsheet tool. Just about everyone in business is familiar with it and knows how to use it. In its own way, it’s a flexible and powerful tool. So it’s natural to look to Excel for help tracking compliance initiatives. And there’s nothing wrong with using a spreadsheet to track your governance, risk and compliance data. When you first undertake a compliance program, one of the biggest challenges is communicating what you are doing and what’s required from others on the team. Compliance can be complicated – it requires a certain skill set and you need your organization to buy into the process for it to work. This is why Excel is such a great fit. It allows you to communicate your compliance requirements and timeline in a system that your team is already comfortable with and can easily understand. CHAPTER 1 2
  • 3. ADVANTAGES AND DISADVANTAGES OF EXCEL Chances are you will be able to track your compliance progress within Excel for an initial audit. However, during a second year audit, things could get a bit messy. Once you add a second or third audit domain, you will need to use multiple sheets within Excel. However, with your audit data separated on different sheets, you don’t have the ability to view and understand common controls. When you track each audit domain as a separate sheet, there is nothing to connect those controls. Compliance mapping tools and frameworks are available to help with this issue, but you must have a match to use as a basis for the compliance mapping translation. Thus begins your next compliance hurdle. Compliance mapping enables you to match controls that are similar or identical and apply process or policy to both controls. For example, if one control asks for a firewall, then that control should be common across all domains requiring a firewall. Unfortunately, this one instance is hard to isolate in Excel because the label for the control varies. This is particularly common if you use a custom naming convention that the compliance mapping tool does not recognize. You are essentially missing the key to join two separate data sets. As a fix you can add a custom translation column, which allows you to make the conversion. 3
  • 4. CONTROL MAPPING WITH EXCEL With additional revisions to your control mappings, your existing Excel-based system will begin to fall apart. The mapping and re- mapping of compliance data becomes yet another process to support and an increasingly complex data manipulation exercise. The more you customize your Excel-based solution, the more idiosyncratic it becomes and the more work required to maintain it. As your data sets grow increasingly complex, this custom model will become unworkable. 44
  • 5. HAVE YOU OUTGROWN EXCEL? What are the signs that using Excel has become totally impractical? And how do you know when you’ve outgrown Excel? As we noted earlier, in year one when you initially embark on your compliance journey, Excel will suffice. However, when you add a second domain in year two, you will likely reach the maximum useful life for an Excel-based model. Once you have two or more domains, Excel will begin to crush you. Maintaining the spreadsheet and the controls within it will be complex and time-consuming and ultimately, an exercise in futility. And what if your organization needs to meet more than two domains in the first year of your compliance program? Excel can serve as a one-time solution in that scenario. But in subsequent years, you will need a more sophisticated solution. 5
  • 6. CHALLENGES OF EXCEL Here are some of the additional challenges you can expect to face when using Excel to manage your compliance program: • You will still need a central repository for evidence. Without a central repository, your compliance documentation is likely stored in various Excel files, as well as many other places – Word files, personal emails, PDFs, phone texts, voice mails. Most of these are not readily searchable, available anywhere/ anytime, or electronically linked. This puts you in a position of having to hunt down and verify evidence. • You will need to track versions of evidence to share with auditors. This means you need clean records of action and audit trails. Something Excel can’t provide. • You will need to provide additional oversight to ensure version control for the list of controls and their status. This is where things get tricky with Excel – knowing which version provides a “single version of the truth” and preventing duplicate information and entries. • You will need to communicate a consistent governance process to your auditors. You’ll need to prove to your auditors that you have a compliance management process and system in place. Just having your compliance data in an Excel spreadsheet isn’t enough. 6
Here’s a simple guide that will help you determine if an Excel-based compliance management system will work for you, or if your needs are complex enough that you require a more sophisticated compliance solution.

Scenario 1
  Is this your first time undertaking compliance? Yes
  How many domains will be in your scope? 1-2, but likely just 1 domain
  Already have a GRC tool in place? With only 1 domain, you can use both since the level of effort is minimal
  Recommendation: Microsoft Excel will suffice

Scenario 2
  Is this your first time undertaking compliance? No, we are in our second year but our scope is unlikely to increase
  How many domains will be in your scope? 1-2, and we did not have very many findings last year
  Already have a GRC tool in place? With 1-2 domains, use Excel to augment the process but use your GRC tool to track details
  Recommendation: Microsoft Excel will likely work, but you will need a better tool next year

Scenario 3
  Is this your first time undertaking compliance? No, and our scope continues to expand
  How many domains will be in your scope? 3 or more
  Already have a GRC tool in place? With 3 or more domains, it is best to stay away from Excel
  Recommendation: Microsoft Excel will create inefficiency in the processes
CHAPTER 2
HOW TO AVOID COMMON COMPLIANCE PITFALLS
Regardless of whether you use Excel to manage your compliance program or you have graduated to a more comprehensive compliance solution, we often see common pitfalls related to compliance and record keeping. Follow our best practices to avoid these pitfalls and you will have a smoother compliance journey and a much better chance of passing your audit.
Pitfall 1: Ensure everyone is working off the latest version
One of the first jobs for a compliance team is to identify the controls to test. To test a control you need to provide evidence, which comes in many forms: screenshots, archived emails, system configuration. The list of controls you compile for testing will evolve. For example, you may determine that some controls are "not applicable" and remove them; if you fail a specific control, you may need to add compensating controls. Changes to controls and to evidence make it difficult for everyone to stay synchronized unless a single current version of the list is maintained and everyone works from it.

Pitfall 2: Keep a simple method to track the evidence
Your first audit may lead you to believe that you will provide one piece of evidence for each control. Often that is the case, but a single piece of evidence usually applies to more than one control. For example, your IT Security Policy very likely supports many controls. Every evidence gap therefore carries a potential domino effect: fail one evidence request and you may fail several controls. You need to track not only the evidence and the controls it affects, but also exactly how each piece of evidence maps to those controls.
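The many-to-many relationship in Pitfall 2 is easy to get wrong in a spreadsheet, where each control row carries its own copy of the evidence name. The following is an added example, not code from Reciprocity or this guide, showing one way to keep a single evidence-to-control map and compute the "domino effect" of a missing item. The control IDs, evidence names and mapping are constructed sample data and do not correspond to any real framework or audit.

```python
"""Evidence-to-control mapping with gap impact analysis.

Added example with constructed sample data: the control IDs, evidence
names and mapping below are illustrative only.
"""
from collections import defaultdict

# Constructed many-to-many mapping: each control lists the evidence it needs.
# One artefact (here the IT Security Policy) backs several controls.
CONTROL_EVIDENCE = {
    "AC-1": ["IT Security Policy", "Access review Q3"],
    "AC-2": ["IT Security Policy", "Account provisioning ticket"],
    "CM-1": ["IT Security Policy", "Change management procedure"],
    "CM-3": ["Change management procedure", "Change ticket sample"],
    "HR-1": ["Onboarding checklist"],
}


def evidence_index(control_evidence):
    """Invert the mapping: evidence item -> set of controls that depend on it."""
    index = defaultdict(set)
    for control, items in control_evidence.items():
        for item in items:
            index[item].add(control)
    return dict(index)


def impacted_controls(control_evidence, missing_evidence):
    """Controls that fail if the given evidence items cannot be produced.

    A control fails when any one of its required evidence items is missing,
    so a single unanswered request can take down several controls at once.
    """
    missing = set(missing_evidence)
    return sorted(
        control
        for control, items in control_evidence.items()
        if missing & set(items)
    )


def shared_evidence(control_evidence, min_controls=2):
    """Evidence items reused by at least `min_controls` controls.

    These are the artefacts worth collecting and versioning first, because
    a gap in any of them has the widest blast radius.
    """
    index = evidence_index(control_evidence)
    return {
        item: sorted(controls)
        for item, controls in index.items()
        if len(controls) >= min_controls
    }


if __name__ == "__main__":
    print("Shared evidence:", shared_evidence(CONTROL_EVIDENCE))
    print(
        "Controls failed if the policy is missing:",
        impacted_controls(CONTROL_EVIDENCE, ["IT Security Policy"]),
    )
```

Keeping the map as a single structure (rather than a column repeated per row) means a renamed or withdrawn evidence item changes in one place, and the inverted index makes "which controls does this request affect?" a lookup instead of a manual search.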
Pitfall 3: Document everything
You will have many interviews during the compliance audit process. In these interviews the auditor reviews the controls with the individuals who perform them. For example, your server administrator will be interviewed about server security controls, and onboarding of new employees will be covered in an interview with the Human Resources team. Each interview will produce more evidence requests. You will need to document all of them and be proactive in tracking down the evidence that fulfills each request. It is your responsibility to confirm with the auditor that they received what was requested. Your first compliance audit will be focused on answering interview questions, and it can be difficult to also maintain a list of the evidence requests. But without the evidence, the audit will fail. This is why it is important to keep detailed notes and track every request.

Pitfall 4: Make sure everyone uses the same process
It is difficult to force everyone to use the same process, but it is essential. Storing evidence in the same location seems easy. But if you create a common folder on the network drive, what do you do when someone does not use it? What is your backup plan when individuals email the auditor directly instead? Enforcing the process and keeping a paper trail can be the difference between passing and failing an audit.
CONCLUSION
Management of a risk and compliance program is a journey, not a "big bang." Ultimately, the compliance management process you put in place and the systems you use need to be flexible and resilient to business change, while still providing visibility into your real risk profile. Companies just starting their compliance journey often find that Excel is more than sufficient for the initial steps. But compliance is hard and complicated work, and companies are often under intense pressure to demonstrate control over regulatory complexity. An integrated compliance program that avoids "silos" is critical. And knowing when to make the leap to a more sophisticated compliance management process and comprehensive GRC tools can make a huge difference in audit costs and in a pass or fail outcome.

COMPLIANCE AGILITY REQUIRES AGILE TOOLS.
Are you ready to make the transition from Excel to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization. Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.
Reciprocity makes compliance work more engaging and rewarding. Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic asset. We make compliance and risk officers more nimble with lightweight software designed for fast-growing companies. Our Governance, Risk, and Compliance (GRC) software enables compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with the fast-paced world of business. Visit us online at www.reciprocitylabs.com.