Audit day arrives and you open the spreadsheet you spent all year preparing. Courses assigned, courses completed, a column in green and a total that puts you at ease. You slide it across the table hoping the number will speak for itself.
But the person who came to audit barely looks at the total. An aggregate percentage tells them little, because their job isn’t to confirm that you complied, it’s to understand how you know. To do that they ask specific questions, one after another, about the people behind that number. There are four, and the spreadsheet answers none of them with the solidity an audit needs.
Who were you supposed to train?
The first question goes to the denominator: is this list your whole organization, or just the part someone loaded? A spreadsheet holds whoever was decided to be included at some point, and that decision almost never matches the company as it is today. Left out are those who joined later, the areas less visible to security, contractors with access, people who changed roles.
There’s a nuance that makes it harder still: the universe isn’t a single one, it depends on what you’re proving. A rule that requires technical training defines a narrow universe, say the systems and security staff. An internal policy everyone must read and accept defines another, the whole company. Several denominators coexist over the same organization depending on the obligation, and a single spreadsheet rarely tells them apart.
That’s why an auditor won’t accept the list as if it were the universe. They ask you to show how it’s defined: where it comes from, how often it’s reviewed, what happens when someone new joins. And there the spreadsheet runs out of answers, because it knows its own list, not your organization. It’s the same mechanism by which your compliance percentage can read 100% while training only ten of two hundred: the number is exact over the wrong universe.
Since when has each person been covered?
The second question shifts scale. It doesn’t ask about the group, it asks about the individual: since what date has each person on this list been trained? A spreadsheet usually stores a single period, that of the annual campaign, as if everyone had joined the same day and stayed there unchanged.
Organizations don’t work that way. One person completed their training in February and another joined in September. A third changed areas in May and now handles data their earlier training never covered. The auditor wants to see that timeline per person, not a year label stuck to the whole group. The spreadsheet offers a photo taken once; the question demands a film that updates itself as people join, leave and move around.
Is that training still valid today?
The third question is the most uncomfortable, because it touches something the spreadsheet never records: training expires. A course completed fourteen months ago shows up as done forever in the completed column, even if its content no longer reflects current threats or current policies.
The auditor knows this and asks directly: does what this person learned still count today? It isn’t enough that they once did it. This is exactly the compliance that collapses in March without anyone noticing: the spreadsheet stays green while real coverage expires in silence. Answering this question well forces you to treat every piece of training with a start date and an expiry date, and to have expiration reopen the task rather than leave it closed out of habit.
Where is each person’s evidence?
The fourth question is the one that separates a report from proof. The auditor picks a name from the list, any one, and asks to see what that person completed, when, and with what record that they actually did it. A percentage won’t do, because a percentage is a conclusion, not evidence.
The scene gets uncomfortable when the record has to be hunted down. Someone opens the spreadsheet, cross-checks the training provider’s emails, digs through a shared folder and tries to reconstruct in minutes what should have been stored from the start. Evidence lives at the person level: who, what content, on what date, with what record of reading and acceptance. A spreadsheet can hold a total, but it rarely holds that detail unless someone assembles it by hand, and a last-minute reconstruction is exactly what an audit doesn’t want to see. The solid answer is the opposite: that per-user evidence already exists, stored alongside the program and ready to export when someone asks, not built on demand.
Your spreadsheet answers the question nobody asks
The four questions share a root. The spreadsheet is designed to answer how many, and the auditor asks who, since when, whether it still counts, and show me person by person. These are different dimensions, and none of them is solved by adding columns to an Excel: they’re solved by changing where the data comes from.
Awareness compliance stops being fragile when it’s read as a living state rather than an annual document. The universe is derived from the directory you already use and updates on its own; every piece of training carries its own date and validity; and evidence is recorded per person from day one. That’s how we understand it at SMARTFENSE, as part of the human risk measured across the whole organization, not over a hand-picked sample.
If you want to see your program’s compliance answering these four questions over your real universe, you can explore the platform or write to us for a demo on your own data.
Leave a Reply