
Compliance Management Best Practices
WHEN WILL YOU OUTGROW EXCEL & SPREADSHEETS?

www.reciprocitylabs.com
CHAPTER 1
Excel: The First Compliance Tool

CHAPTER 1: Excel: The First Compliance Tool

When companies first determine they need a formal compliance program, many
are unclear if they need a compliance tool to track and manage their program. And
those that determine they do need a tool often wrestle with the myriad of choices
available in the market—many of which are expensive and time consuming to
implement. Not surprisingly, many organizations turn to Microsoft Excel as their
compliance tool when first undertaking a GRC program.

Initially, this makes a lot of sense. Microsoft Excel is a widely used and pervasive spreadsheet tool.
Just about everyone in business is familiar with it and knows how to use it. In its own way, it’s a
flexible and powerful tool. So it’s natural to look to Excel for help tracking compliance initiatives.
And out of the gate, there’s nothing wrong with using a spreadsheet to track your governance, risk
and compliance data. When you first undertake a compliance program, one of the biggest challenges
is communicating what you are doing and what’s required from others on the team.

Compliance can be complicated—it requires a certain skill set and you need your organization to
buy into the process for it to work. This is why Excel is such a great fit. It allows you to communicate
your compliance requirements and timeline in a system that your team is already comfortable with
and can easily understand.


ADVANTAGES AND
DISADVANTAGES OF EXCEL
Chances are you will be able to track your compliance progress within Excel for an initial audit.
However, during a second year audit, things could get a bit messy. Once you add a second or
third audit domain, you will need to use multiple sheets within Excel.

However, with your audit data separated on different sheets, you don’t have the ability to view
and understand common controls. When you track each audit domain as a separate sheet, there
is nothing to connect those controls.

Compliance mapping tools and frameworks are available to help with this issue, but you must
have a match to use as a basis for the compliance mapping translation. Thus begins your next
compliance hurdle.

Compliance mapping enables you to match controls that are similar or identical and apply process
or policy to both controls. For example, if one control asks for a firewall, then that control should
be common across all domains requiring a firewall.

Unfortunately, this one instance is difficult to isolate in Excel because the label for the control
varies. This is particularly common if you use a custom naming convention that the compliance
mapping tool does not recognize. You are essentially missing the key to join two separate data
sets. As a fix, you can add a custom translation column, which allows you to make the conversion.
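The "missing join key" problem described above, as an added example that is not part of the original e-book and not Reciprocity's code: each audit domain is kept as its own sheet with its own control labels, and a translation table (the "custom translation column") maps every domain-specific label to a canonical control id. With that key in place, controls that are common across domains can be found, and any label the translation does not recognize is reported instead of silently dropped. All sheet rows, labels and translation entries below are constructed for illustration.

```python
"""Normalise per-domain control labels via a translation table and find
controls shared across audit domains. Data is constructed, not real."""

from collections import defaultdict

# Constructed "sheets": one per audit domain, each with its own label style.
DOMAIN_SHEETS = {
    "PCI": [
        ("FW-01", "Install and maintain a firewall configuration"),
        ("AC-02", "Assign a unique ID to each person with computer access"),
        ("LOG-07", "Track and monitor access to network resources"),
    ],
    "SOC2": [
        ("CC6.6-Firewall", "Boundary protection via firewall"),
        ("CC6.1-Logical", "Logical access controls and unique identifiers"),
        ("CC7.2-Monitor", "Monitoring of system components"),
    ],
    "ISO27001": [
        ("A.13.1.1", "Network controls (firewall)"),
        ("A.9.2.1", "User registration and de-registration"),
    ],
}

# Constructed translation column: (domain, local label) -> canonical control id.
# This is the join key the separate sheets lack on their own.
TRANSLATION = {
    ("PCI", "FW-01"): "firewall",
    ("SOC2", "CC6.6-Firewall"): "firewall",
    ("ISO27001", "A.13.1.1"): "firewall",
    ("PCI", "AC-02"): "unique-user-id",
    ("SOC2", "CC6.1-Logical"): "unique-user-id",
    ("ISO27001", "A.9.2.1"): "unique-user-id",
    ("PCI", "LOG-07"): "monitoring",
    ("SOC2", "CC7.2-Monitor"): "monitoring",
}


def build_control_index(sheets, translation=TRANSLATION):
    """Group every sheet row under its canonical id.

    Returns (index, untranslated):
      index        -> {canonical_id: {domain: local_label}}
      untranslated -> [(domain, local_label)] rows with no translation entry,
                      i.e. custom names the mapping does not recognize.
    """
    index = defaultdict(dict)
    untranslated = []
    for domain, rows in sheets.items():
        for label, _requirement in rows:
            canonical = translation.get((domain, label))
            if canonical is None:
                untranslated.append((domain, label))
                continue
            index[canonical][domain] = label
    return dict(index), untranslated


def common_controls(index, min_domains=2):
    """Canonical ids that appear in at least `min_domains` domains."""
    return sorted(c for c, by_domain in index.items() if len(by_domain) >= min_domains)


def coverage_gaps(index, sheets):
    """For each canonical control, the domains that have no mapped row for it."""
    all_domains = set(sheets)
    return {c: sorted(all_domains - set(by_domain)) for c, by_domain in index.items()}


if __name__ == "__main__":
    idx, missing = build_control_index(DOMAIN_SHEETS)
    print("common controls:", common_controls(idx))
    print("coverage gaps:", coverage_gaps(idx, DOMAIN_SHEETS))
    print("labels without a translation entry:", missing)
```

The two lists a reviewer actually needs fall out of the join: `common_controls` is the set that one piece of evidence (for example, the firewall configuration) can satisfy in several domains at once, and `coverage_gaps` shows where a domain has no mapped control yet, which is usually either a genuine gap or a label that still needs a translation entry.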


CONTROL MAPPING WITH EXCEL

With additional revisions to your control mappings, your existing Excel-based system will begin
to fall apart. The mapping and remapping of compliance data becomes yet another process to
support and an increasingly complex data manipulation exercise.

The more you customize your Excel-based solution, the more distinctive it becomes and the more
work required to maintain it. As your data sets grow increasingly complex, this custom model will
become unworkable.


HAVE YOU OUTGROWN EXCEL?

What are the signs that using Excel has become totally impractical? And how do you know when
you’ve outgrown Excel? As we noted earlier, in year one when you initially embark on your
compliance journey, Excel will suffice. However, when you add a second domain in year two, you
will likely reach the maximum useful life for an Excel-based model.

Once you have two or more domains, maintaining the spreadsheet and the controls within it will
be complex and time-consuming and ultimately, an exercise in futility. And what if your
organization needs to meet more than two domains or regulatory standards in the first year of
your compliance program? Excel can serve as a one-time solution in that scenario. But in
subsequent years, you will need a more sophisticated solution.


CHALLENGES OF EXCEL

Here are some of the additional challenges you can expect to face when using Excel to manage
your compliance program:

›  You will still need a central repository for evidence. Without a central repository, your
compliance documentation is likely stored in various Excel files, as well as many other
places—Word files, individual emails, PDFs, phone texts, voice mails. Most of these are not
readily searchable, available anywhere/anytime, or electronically linked. This puts you in a
position of having to hunt down and verify evidence.
›  You will need to track versions of evidence to share with
auditors. This means you need clean records of action and audit
trails, something Excel can’t provide.
›  You will need to provide additional oversight to ensure everyone is working from the same
list of controls and that the control status is current; in other words, version control for the
list of controls and their status. This is where things get tricky with Excel—knowing which
file version provides a “single source of the truth” and preventing duplicate information
and entries.
›  You will need to communicate a consistent governance process
to your auditors. You’ll need to prove to your auditors that you
have a compliance management process and system in place. Just
having your compliance data in an Excel spreadsheet isn’t enough.


Here’s a simple guide that will help you determine if an Excel-based compliance management
system will work for you, or if your needs are complex enough that you require a more
sophisticated compliance solution.

For each row, the three questions are: IS THIS YOUR FIRST TIME UNDERTAKING COMPLIANCE?
HOW MANY DOMAINS WILL BE IN YOUR SCOPE? ALREADY HAVE A GRC TOOL IN PLACE?

Microsoft Excel will suffice
  First time undertaking compliance? Yes
  Domains in scope: 1-2, but likely just 1 domain
  GRC tool already in place? With only 1 domain you can use both, since the level of effort is minimal

Microsoft Excel will likely work, but you will need a better tool next year
  First time undertaking compliance? No, we are in our second year but our scope is unlikely to increase
  Domains in scope: 1-2, and we did not have very many findings last year
  GRC tool already in place? With 1-2 domains, use Excel to augment the process but use your GRC tool to track details

Microsoft Excel will create inefficiency in the processes
  First time undertaking compliance? No, and our scope continues to expand
  Domains in scope: 3 or more
  GRC tool already in place? With 3 or more domains, it is best to stay away from Excel

CHAPTER 2
How to Avoid Common Compliance Pitfalls

CHAPTER 2: How to Avoid Common Compliance Pitfalls

Regardless of whether you use Excel to manage your compliance program or you’ve graduated to
a more comprehensive compliance solution, we often see common pitfalls related to compliance
and record keeping.

Follow our best practices and avoid these pitfalls and you’ll have a
smoother compliance journey—and a much better chance of passing
your audit.

Pitfall 1: Ensure everyone is working off the latest version

One of the first jobs for a compliance team is to identify the controls to test and provide
accompanying evidence. Evidence comes in many forms such as screenshots, archived emails or
system configuration. Additionally, the list of controls that you compile for testing will evolve.
For example, you may determine that some controls are “not applicable” and remove those, or
deem them as “out of scope”. If you fail a specific control, you may need to add more controls to
compensate. Control changes and evidence changes will make it difficult for everyone to stay
synchronized without a centralized platform to reference as a single source of truth.

Pitfall 2: Keep a simple method to track the evidence

Your first audit may lead you to believe that you will provide
one piece of evidence for each control. This may be true,
but evidence usually applies to more than one control. For
example, your IT Security Policy very likely applies to many
controls. Every evidence gap carries a potential domino effect.
Fail one evidence request and you may fail more than one
control. Not only do you need to keep track of the evidence
and the controls it impacts, you also need to understand how
the evidence maps to the controls it impacts.


Pitfall 3: Document everything

You will have many interviews during the compliance audit process. These interviews will review
the controls with the individuals who perform them. For example, your server administrator will
be interviewed about server security controls. Onboarding new employees will include an
interview with the Human Resources team. Each interview will produce more evidence requests.
You will need to document all of this and be proactive in tracking down the evidence that fulfills
the auditor’s requests. It’s your responsibility to check with the auditor to ensure they receive
what was requested. Your first compliance audit experiences will be more focused on answering
interview questions. It can be difficult to also make a list of the evidence requests. But without
the evidence, the audit will fail. This is why it is important that you keep detailed notes and track
all requests.

Pitfall 4: Make sure everyone uses the same process

It’s difficult to force everyone to use the same process—but it’s essential. Storing evidence in the
same location seems easy. But if you create a common folder on the network drive, what do you
do when someone doesn’t use it? What is your backup plan when individuals email the auditor
directly instead? Enforcing the process and keeping a paper trail can be the difference between
passing or failing an audit.

Conclusion
Management of a risk and compliance program is a journey, not
a “big bang.” Ultimately the compliance management process
you put in place and the systems you use need to be flexible and
resilient to business change—while still providing visibility into
your real risk profile.

Companies just starting their compliance journey often find that Excel is more than sufficient to
help manage the initial steps on that journey. But compliance is demanding and complicated
work and companies are often under intense pressure to demonstrate control over regulatory
complexity. An integrated compliance program that avoids “silos” is critical. And knowing when
you need to make the leap to a more sophisticated compliance management process and
comprehensive GRC tools can make a huge difference in terms of audit costs and a pass or fail
outcome.

About Reciprocity
Reciprocity provides ZenGRC to the world’s leading
companies. Our cloud-based solution with fast, easy
deployment, unified controls management, and a
centralized dashboard offers simple, streamlined
compliance and risk management, including self-audits,
without the hassle and confusion of spreadsheets.

Contact a Reciprocity expert today to request your free demo, and embark on the worry-free
path to regulatory compliance—the Zen way.

www.reciprocitylabs.com/resources
engage@reciprocitylabs.com
(877) 440-7971
