Comparison
Speculo vs Excel for MCSS and cyber risk assessment
Excel and SharePoint are how most NZ security teams run their first MCSS self-assessment. Speculo is the platform most of them switch to once the spreadsheet stops working. Here is what each approach delivers and where each falls short.
Summary
Excel and SharePoint
Free, familiar, and works for a first MCSS assessment. Breaks down as the programme matures: evidence goes stale, scoring is inconsistent between analysts, the return is a compliance score not a business case, and year-over-year continuity depends entirely on not losing the file. The hidden cost is analyst time — typically two to three weeks per annual cycle.
Best for: First-time MCSS, very small agencies, no budget for tooling.
Speculo
Purpose-built for NZ public sector MCSS and NZISM. Controls are pre-mapped, evidence is held at the control level and reused across cycles, reporting is pre-configured for every audience including the A&R Committee, and the platform generates a prioritised remediation plan that becomes the funding case appendix. Significantly less analyst time per cycle after the first year.
Best for: Established public sector teams running annual MCSS and NZISM cycles.
Side by side
How the two approaches compare.
| Capability | Excel / SharePoint | Speculo |
|---|---|---|
| MCSS framework built in | ||
| NZISM framework built in | ||
| Structured assessment workflow | Self-built, varies by analyst | Seven-stage workflow, standardised |
| Evidence linked to controls | File attachments, manually managed | Control-level evidence with approval workflow |
| Evidence reuse across years | Copy-paste or re-upload each year | Reusable across cycles, updated where changed |
| Board-ready reporting | Manual build in PowerPoint or Word | Pre-configured per audience, export on demand |
| Funded business case output | Separate document, written from scratch | Generated from assessment data, no rework |
| Cross-framework control mapping | ||
| Audit trail for control changes | Version history if maintained | Full audit log across assessments |
| Digital sign-off and recertification | ||
| Year-over-year continuity | Restart from previous spreadsheet | Evidence and history carry forward automatically |
| Data residency (NZ) | Depends on Microsoft tenancy configuration | Azure North (Auckland), always NZ |
| Cost | Free (labour cost is the hidden cost) | Annual subscription — contact for pricing |
Where Excel works for MCSS — and where it breaks down
A spreadsheet-based MCSS programme works when the team is small, the programme is new, and the same analyst runs the assessment every year. The workbook holds the score, the analyst knows where the evidence is, and the return gets filed. That model breaks down in three ways.
First, evidence management. Excel can link to files but cannot hold them, approve them, or track which controls they support. When the assessment closes, the evidence files stay in SharePoint or a shared drive, and the next audit starts with a search exercise. Second, continuity. When the GRC analyst changes — and they change more often than the annual MCSS cycle — the new analyst inherits a spreadsheet with no context. The methodology, the scoring rationale, and the approval history live in that person's head, not the workbook. Third, output. An MCSS spreadsheet produces a compliance score. What the Audit and Risk Committee needs is a funded remediation plan. That document is a separate piece of work that the CISO writes from scratch, disconnected from the assessment data.
What Speculo does differently
Speculo is designed around the way NZ public sector MCSS assessments actually run. The MCSS framework is built into the platform — controls are pre-mapped, scoring uses the CMM 1–4 scale, and the assessment workflow follows the same logical sequence every team already uses. The difference is that evidence is collected at the control level and stored inside the platform, not scattered across SharePoint. When the same control appears in the next year's assessment, the evidence from last year is already there, updated where something has changed.
The reporting layer generates board-ready output from the assessment data without manual reformatting. The CISO view, the Board Summary, and the A&R Committee report are pre-configured. And the platform surfaces a prioritised remediation plan — ordered by risk reduction per effort — that drops into a Better Business Case appendix without a second document.
When to stay with Excel, when to switch
If your agency is running its first MCSS self-assessment and has a single dedicated analyst who will own the process for the next three years, a well-structured spreadsheet is a reasonable starting point. The risk is low when the programme is stable and the team is consistent.
The signal to switch is one of three things: the GRC analyst changes and the new person cannot reconstruct the previous assessment from the workbook; Internal Audit or the A&R Committee asks for evidence the spreadsheet cannot produce; or the CISO is spending more time preparing the funding bid than running the programme. All three are common. Most teams switch after the first one occurs.
Common questions
Speculo vs Excel — frequently asked
Why do NZ government agencies still run MCSS in Excel?
Excel is free, familiar, and requires no procurement. Most agencies built their first MCSS workbook when the standard launched and have iterated on it every year since. The switching cost feels high because of the sunk cost in the existing workbook — not because Excel is the better tool.
What does it cost to run MCSS in a spreadsheet?
The direct software cost is zero. The actual cost is GRC analyst time: typically two to three weeks per annual assessment cycle to gather evidence, score controls, chase approvals, and format the return. That time repeats every year and grows as the team changes or the framework updates.
Can Speculo import existing spreadsheet data?
Yes. Speculo can import existing scores and evidence so the work your team has already done is not lost. The seed data from your last MCSS workbook becomes the starting point for your first Speculo assessment.
What happens to the MCSS spreadsheet after we switch?
Most teams keep their last spreadsheet as a historical record and run forward in Speculo. Because Speculo holds the same data in a more structured form, the transition to new tooling does not require re-doing previous assessment work.
Is Speculo harder to use than Excel?
Speculo is designed so a GRC analyst can start their first MCSS assessment on day one without specialist training. The platform embeds the MCSS framework, the scoring model, and the evidence workflow — so there is less to configure than a spreadsheet that starts blank.
Ready to see how Speculo compares against your actual programme?
Book a 30-minute walkthrough. Show us your MCSS workbook and we will walk through exactly what changes.