Cleanin’ Out My Closet: Software Not Shared Spreadsheets

Written by - January 9, 2017

The devil of compliance is in the details meaning that implementing GRC software might be the perfect way to clean out those proverbial compliance closets. Many of businesses are turning towards automated systems because compliance focused spreadsheets are like the closet that has been accumulating out dated clothing since high school. For Information Security teams, this kind of disorganization means a lack of audit trail and security. The comfort of spreadsheets, like a good bowl of chili during football Sunday, is an old tradition that can go by the wayside.

Michael Rasmussen, a self-proclaimed GRC Pundit, notes that page 124 of the report on JP Morgan’s London Whale incident was related to problems arising out of spreadsheet error, “the model operated through a series of Excel spreadsheets, which had to be completed manually, by a process of copying and pasting data from one spreadsheet to another.” In other words, the messy Excel spreadsheet process did do anyone any good. If JP Morgan’s troubles didn’t convince you, then maybe these other reasons might.

Shared Spreadsheets Are Not A GRC Platform

Many people believe that spreadsheets in shared corporate drives make it easier to coauthor documents thus eliminating the need for GRC software. Even thought cloud storage services are becoming more prevalent, many companies still have that senior executive who has a hard time working in the cloud, and instead choose to download and upload from their desktop instead. This means that even though there may be a shared spreadsheet, version control is still an issue.

A GRC platform eliminates this inconsistency since edits and changes are automatically saved. GRC software also removes the ability for people to download and upload without incorporating the changes to what is documented on the system.

Lack Of History Is Lack of Audit Trail

Spreadsheets fail to provide an audit trail. Again, Google Sheets and other web-based servers seem to solve this by providing the option to view the “history” of the document. While this seems like a decent solution, all the view provides is a notification that someone made an edit. These views do not track the types or content of the edits reliably. GRC software continuously updates and archives documentation with no hassle. 

Shared Spreadsheets Share Security Issues

Moreover, continued issues regarding access and security come with shared drive permissions. Shared drive folders have three settings. A person can view, comment, or edit. These options limit the ability to individualize employee permissions to match job and need. For example, not all individuals involved in a company’s information security protocol creation need to have editing rights. For some employees, viewing alone suffices. You’re probably thinking, “This sounds like a Google Sheet might work.” However, what if a process impacts multiple departments. Determining who in that department should edit, view, or comment may become burdensome since it needs to be done on an individual employee basis. Adding new employees or removing employees can become a full-time job. GRC software permissions allow for individualization of permissions based on job type and employee need for access, on a per user basis, and at scale.

Finally, when it comes to cloud-based servers such as Google Drives, the freedom to add them to private devices incorporates a new level of risk. With employees constantly working at home or on the go, many may connect their personal accounts to their work accounts to work efficiently. Viewed as harmless by the employee, company information may be compromised without their knowledge or intent.  GRC software places greater security over the information with a hosted or on-premise servers.

Shared drive spreadsheets seem to be an innovation to help employees collaborate and keep records. Unfortunately, compliance and audit-related work requires a level of documentation and security that spreadsheets cannot provide. To meet the continued challenges facing the information security community, a GRC tool is the most effective solution.