From Excel to Evidence Vault: Why Manual Compliance Management Is a Ticking Audit Bomb

The Spreadsheet That Ate Compliance
Somewhere in every European bank, an Excel file contains the institution's operational resilience programme. It has 47 tabs, 12 conditional formatting rules that broke during the last edit, three versions saved with "FINAL" in the filename, and no one is entirely sure which version is current. The CISO references it in board reports. The risk team maintains a different copy. The compliance officer has annotated a PDF printout from six months ago.
This is not a caricature. It is the operational reality in a majority of financial institutions, including institutions with billions in assets and thousands of employees. Industry data indicates that 60% of audit findings in financial services relate to missing evidence and untracked corrective actions — not to the absence of controls, but to the inability to prove that controls exist, function, and are maintained.
DORA did not create the evidence management problem. But DORA makes the problem unsustainable. The regulation's requirements for continuous ICT risk management (Art. 5-16), structured incident reporting (Art. 17-23), evidence-based resilience testing (Art. 24-27), and comprehensive third-party governance (Art. 28-44) presuppose an evidence infrastructure that spreadsheets cannot provide.
What DORA Requires That Spreadsheets Cannot Deliver
DORA's evidence requirements are not abstract compliance principles. They are specific, testable, and auditable obligations:
| DORA Requirement | Article | Evidence Characteristics Required | Spreadsheet Capability |
|---|---|---|---|
| ICT risk management framework reviewed annually | Art. 6(5) | Versioned document with approval trail, timestamped review evidence | Cannot prove version history or review dates with integrity |
| Incident classification within hours | Art. 18-19 | Timestamped severity assessment, escalation records, notification evidence | Cannot enforce classification workflow or prove timeline |
| Recovery capability demonstrated | Art. 11(3) | Test execution records, recovery time evidence, findings documentation | Cannot link test evidence to specific recovery objectives |
| Backup restoration validated | Art. 12(2) | Restoration test results, data integrity verification, timestamp evidence | Cannot prove restoration test execution or results |
| Third-party register maintained | Art. 28(3) | Structured data with referential integrity, change history, submission audit trail | Cannot maintain referential integrity or prove change history |
| Testing programme executed annually | Art. 25 | Test plans, execution evidence, findings, remediation tracking | Cannot enforce testing workflow or evidence completeness |
| Board reporting on ICT risk | Art. 5(2) | Structured reports with underlying data, presentation evidence, action tracking | Can produce reports but cannot prove data integrity or decision trail |
The pattern is consistent: DORA requires not just that controls exist, but that their existence, execution, and effectiveness can be demonstrated with verifiable evidence. This evidence must have temporal integrity (provable timestamps), version integrity (provable change history), authorization integrity (provable approvals), and referential integrity (provable links between related artifacts).
Spreadsheets have none of these properties. A cell value in an Excel file can be changed without trace. A file can be copied, renamed, and presented as the original. Formulas can be overwritten with hardcoded values. Conditional formatting can mask data. Shared drive access logs, where they exist, capture file access but not content changes.
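A minimal illustration of the four integrity properties, added here as example code (not from the article or any GRC product): each evidence record carries a UTC timestamp, an approver, references to earlier artifacts and the hash of its predecessor, and a verifier reports the silent edits, deletions and dangling references that a spreadsheet would absorb without trace. The record schema, field names and sample values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def record_hash(rec):
    # Hash every field except the stored hash itself, using a canonical encoding.
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(ledger, kind, content, approved_by, refs=(), ts=None):
    """Append an evidence record that commits to its predecessor (constructed schema)."""
    rec = {
        "id": f"EV-{len(ledger) + 1:04d}",
        "kind": kind,
        "content": content,
        "approved_by": approved_by,  # authorization integrity: who signed off
        "refs": list(refs),  # referential integrity: links to earlier artifacts
        "ts": ts or datetime.now(timezone.utc).isoformat(),  # temporal integrity
        "prev": ledger[-1]["hash"] if ledger else GENESIS,  # version integrity
    }
    rec["hash"] = record_hash(rec)
    ledger.append(rec)
    return rec


def verify(ledger):
    """Return a list of integrity violations; an empty list means the chain is intact."""
    problems = []
    seen = set()
    prev = GENESIS
    for rec in ledger:
        if rec["hash"] != record_hash(rec):
            problems.append(f"{rec['id']}: content altered after it was recorded")
        if rec["prev"] != prev:
            problems.append(f"{rec['id']}: chain broken (record inserted, removed or reordered)")
        if not rec["approved_by"]:
            problems.append(f"{rec['id']}: no approver recorded")
        for ref in rec["refs"]:
            if ref not in seen:
                problems.append(f"{rec['id']}: references unknown or later artifact {ref}")
        seen.add(rec["id"])
        prev = rec["hash"]  # compare against the stored hash so one edit is reported once
    return problems
```

In a real vault the per-record hashes would additionally be signed or anchored to a trusted timestamping service, so that the approver and the time of recording cannot be rewritten along with the chain.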
The 100-Person-Day Tax
The operational cost of manual compliance management is not principally the risk of audit failure. It is the person-days consumed by manual processes that a platform would automate.
Consider the annual resilience testing cycle under Art. 24-25. In a spreadsheet-based environment, the process looks like this:
- Programme manager creates test plan in Word document (2-3 days)
- Stakeholders review via email; comments consolidated manually (5-7 days)
- Test scenarios documented in separate files per test (1-2 days per test, 20+ tests = 20-40 days)
- Test execution tracked via spreadsheet with manual status updates (10-15 days)
- Evidence collected into shared drive folders, manually linked to test records (5-10 days)
- Findings documented in separate tracker, manually cross-referenced to evidence (5-7 days)
- Remediation actions tracked in yet another spreadsheet (3-5 days)
- Summary report compiled manually for board presentation (5-7 days)
- Audit preparation: locating evidence, verifying completeness, producing export (10-15 days)
Conservative total: 65-109 person-days per annual testing cycle. For institutions with multiple test programmes across business lines, multiply accordingly.
In a platform-based environment with workflow orchestration, evidence management, and automated reporting, the same cycle consumes 20-35 person-days — a 50-70% reduction. The savings come not from eliminating the substantive work (tests still need to be designed, executed, and analyzed) but from eliminating the coordination, tracking, and evidence management overhead that manual processes impose.
Across all five DORA pillars — risk management, incident reporting, testing, third-party governance, and information sharing — the aggregate manual overhead for a mid-size institution exceeds 100 person-days annually. At a fully loaded cost of EUR 500-800 per person-day, that represents EUR 50,000-80,000 per year in direct cost — and considerably more in delayed timelines, error-prone outputs, and management frustration.
The Audit Bomb: When Spreadsheets Meet Supervisors
The term "audit bomb" is not hyperbole. It describes the moment when a supervisor or external auditor requests evidence of compliance with a specific DORA requirement, and the institution discovers that:
- The evidence exists but cannot be located (scattered across shared drives, email attachments, and personal devices)
- The evidence was created but has since been modified (spreadsheet overwritten, document updated without version control)
- The evidence was collected but cannot be attributed (no record of who collected it, when, or under what authority)
- The evidence appears to exist but is internally inconsistent (the testing report references a test that the execution log does not record)
- The evidence demonstrates a finding that was never tracked to resolution (deviation identified but no corrective action documented)
Each of these scenarios constitutes an audit finding. In aggregate, they indicate a systemic governance failure — not because the institution lacks operational resilience, but because it cannot prove the operational resilience it has.
DORA's Art. 5(2) requires the management body to bear "ultimate responsibility" for the ICT risk management framework. When a supervisor finds that the evidence base is unreliable, the governance failure extends to board level. This is not an IT compliance issue — it is a board governance issue.
The Compliance Maturity Model
The transition from manual to platform-based compliance management is not binary. It follows a maturity progression that institutions can navigate incrementally:
| Maturity Level | Characteristics | DORA Readiness | Typical Institution Profile |
|---|---|---|---|
| Level 1: Ad Hoc | Spreadsheets, email, shared drives. No standardized processes. Evidence scattered. | Non-compliant — cannot demonstrate continuous governance | Smaller institutions, recent DORA awareness |
| Level 2: Documented | Standardized templates and processes. Centralized shared drive. Manual tracking. | Partially compliant — can produce evidence but cannot prove integrity | Mid-size institutions with compliance team but no platform |
| Level 3: Managed | GRC platform for core workflows. Automated evidence collection for some pillars. Basic reporting. | Substantially compliant — can demonstrate governance with manual gaps | Institutions that have procured but not fully deployed platforms |
| Level 4: Measured | Integrated platform across all pillars. Automated evidence lifecycle. KPI dashboards. Audit-ready exports. | Fully compliant — continuous assurance with verifiable evidence chain | Mature institutions with embedded compliance technology |
| Level 5: Optimized | Continuous compliance monitoring. Predictive analytics. Automated deviation detection. Regulatory reporting automation. | Exceeds requirements — proactive resilience posture with minimal manual overhead | Leading institutions that treat compliance as operational capability |
Most European financial institutions are currently at Level 1 or Level 2. The transition to Level 3 — procuring and deploying a GRC platform — is where the majority of institutions are focusing investment in 2025. Gartner's prediction that compliance functions will increase GRC platform spending by 50% by 2026 — driven in part by EBA supervisory expectations — reflects this concentration of demand.
The critical transition is from Level 2 to Level 3. It requires not just technology procurement but process redesign: workflows must be mapped to the platform's capabilities, evidence collection must be integrated into operational processes (not bolted on after the fact), and staff must be trained to operate within a platform-based governance model.
The GRC Market: USD 21 Billion and Doubling
The Governance, Risk, and Compliance technology market reflects the structural demand created by regulations like DORA. At USD 21 billion in 2025, the market is projected to reach USD 42 billion by 2031 — a 12.3% compound annual growth rate. DORA alone is expected to generate USD 3-4 billion in incremental RegTech spending between 2025 and 2028.
The market is segmented across several dimensions relevant to DORA compliance:
- Integrated GRC platforms that span multiple DORA pillars from a unified data model. These platforms manage risk registers, testing programmes, incident workflows, third-party governance, and evidence vaults in a single system. The integration value is significant: a finding from a resilience test (Pillar III) that creates a deviation requiring remediation and links to a third-party risk assessment (Pillar IV) flows through a single workflow rather than across three separate tools.
- Specialized point solutions that address individual DORA requirements with depth. Incident management platforms, third-party risk management tools, vulnerability scanners, and testing orchestration systems each solve a specific problem well. The integration cost is the trade-off: connecting six point solutions into a coherent compliance workflow requires APIs, data mapping, and ongoing maintenance.
- Consulting-delivered solutions where advisory firms build custom frameworks on productivity tools (SharePoint, Confluence, Jira). These are fast to deploy and familiar to users but lack the evidence integrity, workflow enforcement, and audit export capabilities that DORA's requirements demand.
The market dynamics favor integrated platforms for institutions managing DORA at scale. The cost of integrating point solutions — technically and organizationally — often exceeds the cost of adopting a platform purpose-built for multi-pillar regulatory compliance.
The ROI Framework: Quantifying the Transition
For institutions evaluating the business case for transitioning from manual to platform-based compliance management, the ROI calculation has four components:
- Direct cost savings. The 100+ person-days eliminated from manual tracking, coordination, and evidence management translate to EUR 50,000-80,000 annually for a mid-size institution — more for larger or more complex organizations.
- Audit risk reduction. The 60% audit finding rate for evidence and tracking deficiencies translates to remediation costs, supervisory attention, and potential sanctions. A platform that reduces audit findings from systemic to incidental eliminates the remediation cost and, more importantly, the management distraction.
- Regulatory penalty avoidance. DORA's penalty framework allows fines up to 2% of annual worldwide turnover for institutional breaches and EUR 1,000,000 for individual liability. While penalties are a last resort, the ability to demonstrate a governed, evidenced compliance posture is the primary defense against supervisory escalation.
- Operational resilience improvement. A platform that enforces testing workflows, tracks deviations to resolution, and monitors third-party risk continuously does not just prove compliance — it improves actual resilience. The institution that discovers a recovery gap through its testing programme before a real incident occurs avoids the incident's cost.
The combined ROI — cost savings plus risk reduction plus penalty avoidance plus resilience improvement — typically justifies platform investment within 12-18 months for a mid-size institution. For larger institutions, the payback period is shorter because the manual overhead scales with complexity while platform costs are largely fixed.
What Good Looks Like
Institutions that have successfully transitioned from spreadsheet-based to platform-based compliance share five characteristics:
1. Evidence is a workflow byproduct, not a separate collection exercise. When a resilience test is executed through the platform, the evidence is generated automatically: who approved the test, when it was executed, what the results were, what findings emerged, and what remediation actions were created. Evidence is not collected after the fact — it is produced as a natural output of the governed process.
2. Audit readiness is continuous, not periodic. The institution can produce an audit-ready evidence package at any time, not just during the annual audit preparation period. When a supervisor requests evidence of the last three resilience tests, the response time is measured in minutes (export and send) rather than days (locate, compile, verify, format).
3. Deviations are tracked to resolution with enforced accountability. A finding from a resilience test creates a deviation record with an assigned owner, a remediation timeline, and an evidence requirement for closure. The deviation cannot be closed without evidence that the remediation was completed. The platform enforces what spreadsheets suggest.
4. The management body receives structured, data-driven reports. Board reporting on ICT risk (Art. 5(2)) draws from the same data that drives operational compliance. The board sees the same risk register, testing results, incident trends, and third-party exposure that the operational teams manage — not a manually prepared summary that may diverge from operational reality.
5. Regulatory changes are absorbed into existing workflows. When a new RTS is published or a supervisory expectation is clarified, the platform's configuration is updated to reflect the new requirement. The institution's compliance posture adapts to regulatory change through platform configuration — not through the creation of yet another spreadsheet.
The Clock Is Running
DORA's application date was January 17, 2025. The first Register of Information submissions began in April 2025. The first supervisory assessments of resilience testing programmes are underway. The regulatory timeline does not accommodate a multi-year platform procurement and implementation cycle.
The institutions that moved early — procuring platforms in 2024, deploying in early 2025, and operating with evidence integrity by mid-2025 — have a structural advantage. They can demonstrate compliance with confidence. They can respond to supervisory inquiries with data rather than promises. They can focus management attention on improving resilience rather than on proving that they tried.
The institutions still operating on spreadsheets face a compounding problem: every month that passes without governed evidence management is a month of compliance activity that cannot be retrospectively documented with integrity. The audit trail for January 2025 activities, if it was not captured in a governed system at the time, cannot be reconstructed credibly in December.
The compliance management tooling decision is not a technology choice. It is a governance choice. And under DORA, it is a board-level governance choice with personal liability implications (Art. 5(2), penalties up to EUR 1,000,000 for individuals).
This analysis reflects DORA evidence and governance requirements as applicable from January 17, 2025. GRC market data from Mordor Intelligence and Gartner (2024-2025). Audit finding statistics from industry surveys.