Excel for compliance: Yay or nay? (Survey results)
In a recent poll in the Governance, Risk and Compliance Management (GRC) group on LinkedIn, we asked how people perceive the security of using Excel for compliance purposes. In this blog, we share the results of the poll and discuss some of the risks and downsides of using Excel in compliance and risk management.
As cliché as it may sound, the use of Excel is still the gold standard for internal audit and compliance management in most organisations around the world. Launched in 1985, the powerful MS Office tool has become the most popular computer software for business applications, providing a wide range of data handling and problem-solving functionalities and use cases - from managing controls and large operational databases to implementing complex financial modelling and forecasting.
Whilst nobody can deny the power of Excel and its extensive business usability, there has been increasing debate about its accuracy and suitability for compliance and risk management, especially in the strictly regulated financial sector.
According to the results of a recent poll we ran in the Governance, Risk and Compliance Management (GRC) group on LinkedIn, nearly 80% of people confirmed that Excel does not meet their security expectations.
What are the risks and downsides of using Excel for compliance?
Over the past two decades, regulatory compliance has become a top-of-mind issue for organisations worldwide. A particular area that has been subject to major criticism and scrutiny is financial compliance. Following a series of large corporate frauds and scandals in global capital markets, regulatory efforts and measures aimed at enhancing the transparency and accuracy of organisations’ financial analysis and reporting processes have increased continuously. Among the most prominent examples of regulations are the US Sarbanes-Oxley Act (2002), the EU Data Protection Act (1998) and the Basel Capital Accord (2006).
Being the most used business software, it’s no surprise that Excel was the go-to solution that organisations first turned to for meeting their new compliance obligations. Fast forward to 2022, Excel remains a favourite among many Governance, Risk and Compliance (GRC) units. Despite its convenience, flexibility and power, the use of Excel for compliance and risk management purposes carries a number of risks and downsides for organisations. Below, we’ve listed the most common ones:
Excel is prone to errors
There are countless examples of failed Excel uses, but probably the most prominent ones are:
JPMorgan’s derivatives scandal known as the “London Whale” - due to several faulty equations in an Excel spreadsheet used to model risk, and a process that required copying and pasting a large number of cells, the bank significantly underestimated the downside of its synthetic credit portfolio, which led to ca. $6.5 billion in losses & fines.
Barclays / Lehman assets saga – the UK bank unintentionally bought 179 assets from Lehman Brothers as a result of a formatting error - the unwanted assets were hidden (rather than deleted) in an Excel file and eventually appeared in the final PDF version of the document.
Fidelity Investment’s missing minus gaffe – the US investment giant was forced to cancel a year-end dividend distribution due to a single missing minus sign. The sign was omitted when a figure was transcribed from the financial record to a spreadsheet. This turned the net capital loss of $1.3 billion into a gain, causing the dividend estimate to be off by $2.6 billion.
Copying and pasting, wrong data and incorrect formulas are just a few of the many technical issues that organisations can face while using Excel, especially in financial reporting and analysis.
Tracking change and the lack of audit trail
Currently, Excel doesn’t provide a clear visual trail of file updates, and users need to save multiple versions of a file to keep track of any changes. Organisations then end up with a myriad of documents to remain compliant, which means a lot of duplicated effort, time wasted on figuring out the latest version, and a high risk of data loss. With regulators demanding complete audit trails and transparency, Excel is certainly not capable of meeting this requirement.
Access control
Excel was not designed to function as a database and handle multiple users working simultaneously on a sheet. Even the latest cloud versions of the software are failing to deliver on this functionality. The tracking of who has access to a file is also extremely difficult. Therefore, it’s very easy for a spreadsheet to end up in the wrong hands, become corrupt, or even get deleted entirely.
Security issues
In addition to the above-mentioned access control issue, Excel and Excel Macros bring a long list of potential security vulnerabilities. The fact that spreadsheet documents can also be easily leaked outside of an organisation via email, external drive, or a malicious website, means an even higher risk of sensitive data exposure.
Inefficiency
Managing Excel sheets is a manual, time-consuming and extremely inefficient process. With labour costs constantly on the rise, organisations are starting to realise that increasing employee productivity by using efficient software solutions can significantly impact their bottom line. Also, what happens when key personnel who manage the Excel calculations and processes leave the business without providing any proper instructions?
Summary
To recap, Excel is undoubtedly one of the most powerful business software applications out there. But unfortunately, there are multiple cases that prove that Excel is not the right solution to meet the ever-increasing compliance and regulatory management requirements for organisations, especially in the financial sector.
At Cygnetise, we help organisations eliminate the burden of manually managing authorised signatories / signers, bank mandates and insider lists (e.g. in Excel or PDF) whilst contributing to their ESG goals and minimising the risk of fraud. Get in touch below to learn more and request a demo of the Cygnetise digital signatory management application.