Why are Companies Still Managing Compliance With Spreadsheets?

Coalfire Assessment Team

May 16, 2022

As compliance obligations continue to escalate in complexity and cost, managing those demands has become unsustainable for the many companies that still rely on manual methodologies.

Key takeaways:

  • Despite the availability of enhanced solutions, at least half of our customers are managing compliance programs with spreadsheets
  • While automation is a better approach, it is not a standalone solution
  • Coalfire’s Compliance Essentials balances automation with expert guidance
  • In addition to facilitating better compliance outcomes, Compliance Essentials reduces compliance spend by as much as 40%

Coalfire is one of the most experienced advisory and assessment firms in the world. On the compliance side, we’re well seasoned within all major frameworks. We’ve worked through just about every problem/solution imaginable, and almost nothing surprises us. But from a recent survey of our own clients, we were astonished to learn how far compliance programs continue to lag behind today’s rapid adoption of platform-enabled compliance management.

Our data comes from primarily large-scale enterprise programs. These are sophisticated organizations – yet many remain mired in what are essentially manual methodologies:

  • 50% of the clients in our survey have no platform or tool to organize compliance, risk, or governance
  • 60% of the customers we interviewed who manage multi-framework programs and had purchased GRC solutions are still managing their compliance programs out of spreadsheets

Compliance management and automation have come a long way in just the last couple of years, and market demand for cyber assurance is at an all-time high. So why are so many companies still managing their compliance programs with spreadsheets?

The slow adoption of best-practice standards is understandable, but it is becoming increasingly unsustainable as compliance obligations continue to escalate in complexity and cost. Spreadsheets are a throwback to point-in-time compliance, and organizations that haven’t adopted a solution strategy focused on continuous management and reporting are faced with an expanding matrix of frameworks, growing unpredictability, and more pain points:

  • The compliance journey should be round-the-clock; multiple point-in-time assessments throughout the year create chaos, downtime, and an inability to scale
  • Status reports that are manually generated fail to deliver real-time visibility or dashboarding
  • Failure to automate evidence collection for multiple frameworks is virtually guaranteed to duplicate processes and introduce errors
  • Vital benefits of coordination across various assessment types and timelines are lost without effective compliance platform integration

Perhaps the most consequential problem for security teams is that executive leadership continues to perceive compliance as a cost center that delays time-to-market, rather than a business enabler that aligns cyber operations with enterprise objectives. Using spreadsheets to manage mission-critical processes may continue to serve start-ups and single-industry mid-market companies, but for enterprise companies with multiple divisions and multi-framework mappings, these traditional methodologies are obsolete. Automation, aggregation, and centralized control have become strategic imperatives.

Automation is the Tip of the Spear

Nevertheless, automation has its limitations. There are too many scope and scale nuances associated with each audit, and too many redundancies between framework processes and controls, for a single in-house team or consulting organization to effectively get its arms around.

To truly make compliance easier, and give management a greater assurance of compliance outcomes, a hybrid approach is required – one that automates workflows, evidence and validation, but with expert oversight and the intuitive touch of human experience.

This is what we’re bringing to the table with Coalfire’s Compliance Essentials managed service offering, a major upgrade to our legacy assessment hub, CoalfireOne. CE represents the state-of-the-art hybrid of industry-focused, on-the-job experience and platform-enabled functionality. Over a million hours of client assessments and engagements over our 20-year history inform a methodology that reduces compliance program spend by as much as 40%.

We’re living through the last great leap from what is virtually a manual methodology to greater productivity gains through automated efficiencies. What will the future state of compliance management look like? One thing we can be sure of: serious programs won’t be organizing with traditional GRC tools or spreadsheets for much longer.

In the next blog, we’ll talk about the capabilities and competitive advantages of today’s smartest-path compliance platforms.

To learn more about Compliance Essentials, please visit,
