Tips For Using Spreadsheets For Business Intelligence, Compliance, And Risk Management

My colleague Boris Evelson, who covers business intelligence for Forrester and serves business process professionals, recently wrote a great post about the use of spreadsheets for business intelligence. He explains that while many BI vendors initially sought to replace spreadsheets in the corporate environment, it's now clear that they are not going anywhere any time soon.

Sound familiar? While many governance, risk, and compliance professionals and GRC vendors continue to work toward helping customers consolidate data and move away from spreadsheets, they are still basically ubiquitous. In fact, several of the top GRC vendors are now working to improve the way their tools interface with Excel... Not just for exporting reports, but for data input and analysis as well.

I recommend reading Boris' post, where he details three best practices regarding the use of spreadsheets for BI:

  1. Create spreadsheet governance policies.
  2. Monitor and enforce compliance with those policies.
  3. Give preference to vendors that work well with spreadsheets.

Creating clear policies for what information will and will not be managed on spreadsheets is critical here, and extremely important for the GRC universe. Unless you have specially-built controls, spreadsheets do not give you the level of security, access control, change control, or audit trail you should have for data related to compliance or risk management. Knowing Office tools are going to be handling substantial amounts of important information for the foreseeable future, so it's worthwhile to review and update your policies and make sure they are being appropriately enforced.


New Guidance on Spreadsheet Audits from IIA

Hi Chris - Thanks for the blog post! Prodiance has been helping companies address spreadsheet risk and control issues for 5 years now. Although this is a problem almost all companies face, many do not realize their risk and exposure until they look under the covers and start analyzing the spreadsheets they use to support financial reporting. Heaven forbid there be errors/honest mistakes, compliance/control gaps, or even fraudulent activity. To this end, the IIA just came out with a brand new guidance doc called the "GTG-14: Auditing User-developed Applications." It is a free download for members ($25 for non-members) and an excellent resource which provides an overview of the risks of uncontrolled spreadsheets, and a roadmap for how to perform an audit.

Forgot to provide the link

Thanks for the link Eric.

Thanks for the link Eric.

Spreadsheet Management

Thanks for highlighting this important issue. At ClusterSeven our clients have also found these publications interesting in this area:

High cost of software

High Cost of Risk Management Software:
As a small business owner I have a major issue with the so-called risk management solution providers. These companies make their products (and services) available but, at a price. In most cases, the software tools that are supposed to assist small and medium sized business are so expensive that they can only (and just only) be afforded by the big league corporates.
In an attempt to find a reasonably priced software tool that will assist me in running and managing my business, I Googled and Yahooed all possible keywords but only found these gluttonous corporate service providers that over the years have gotten used to their overindulged greed for lots of money. Every time you request a quote, the process of selling their over sized and over priced services and product with monthly subscriptions and license fees that are unaffordable.
Then, I came across an online risk management tool at that offered me a fair variety of options to choose from. Riskalyzor offered my an entry level subscription that is affordable without limiting the functionalities within their web services which allows me to manage and analyze my business plan and identify and evaluate the risks linked to my business plan. In addition, Riskalyzor also calculated the Value@Risk of the more imported risks. Now, for the first time I am able to really understand my business and the issues that could impact there on at a fraction of the cost.

Making adoption of controls easier for users

Interesting post. I think it's also worth pointing out that as an organization we have found our customers key concern is managing spreadsheets and putting controls around them without interferring with the daily use of spreadsheets.

Controls work best when they don't interfer or change the user experience, it makes the adoption of compliance much easier if version control and access, as well as audit trails don't involve having to move spreadsheets and so possibly introduce the issue of changing dependencies.