People & Accounts Register vs HRIS, MDM, and Spreadsheets: What Each One Is Actually For
An HRIS, an MDM, a spreadsheet, and a people & accounts register do four different jobs. Here is what each is for and why they are complementary, not competing.
Updated 14 June 2026
A people & accounts register, an HRIS, an MDM, and a spreadsheet solve four different problems — they are complementary, not competing. An HRIS is your HR system of record (who is employed, on what terms). An MDM manages devices and can enforce controls on them. A spreadsheet is a flexible scratchpad for anything. A people & accounts register is a lightweight, customer-maintained record of who holds which system accounts, kept as governance evidence. Most teams already own the first three and still cannot answer "who has access to what, and who owns it?" — which is the specific gap the register fills.
This article is about that division of labor: what each tool is genuinely good at, what it is not, and why having an HRIS or a spreadsheet does not mean account governance is covered.
Why Teams Confuse These Tools
The confusion is reasonable: all four touch "people" and "accounts" from some angle. An HRIS has a list of people. An MDM has a list of devices tied to people. A spreadsheet can hold anything. So "we already track people somewhere" feels like "access is handled."
It is not, because each system was built to answer a different question. The HRIS answers "is this person employed?" The MDM answers "is this device managed?" The spreadsheet answers "whatever I typed into it." None is built to answer, on demand and with dates, "which accounts does this person hold, who owns each, and were they handled when the person left?" That is the register's job — and mistaking adjacent data for it is how account governance quietly goes unowned.
What an HRIS Is For
An HRIS (Human Resources Information System) is the system of record for employment: hiring, job titles, compensation, time off, performance, and termination. When someone is hired or leaves, the HRIS is the authoritative source for whether they are employed and on what terms.
What it is not is an account inventory. An HRIS knows a person exists; it does not know they hold an admin login on a niche SaaS tool IT set up outside any HR process. It records a termination date, but not that the same person still holds five live accounts across systems it has never heard of. The HRIS is upstream of access — it tells you who is on staff — but the mapping of people to accounts lives outside it, and that mapping is what a review needs.
What an MDM Is For
An MDM (Mobile Device Management) manages devices: enrolling laptops and phones, pushing configuration and policy, and — importantly — enforcing controls, such as remotely wiping a lost device. For the device layer, an MDM acts; a register only records.
But device management is not account ownership. An MDM can wipe a departing employee's laptop and still tell you nothing about the cloud accounts that person could log into from any other machine. Managing the endpoint and tracking who owns which accounts are different problems — one is about hardware and policy, the other about access and accountability. The register does not manage, monitor, or wipe devices; that is the MDM's job, and CertPilot does not do it.
What Spreadsheets Are Good For
A spreadsheet is the most flexible tool you own, and for getting started it is excellent: it costs nothing, everyone can use it, and a first account list almost always begins as one. Nothing here is anti-spreadsheet — a register is CSV-friendly precisely so you can import what you already have.
Where a loose spreadsheet falls down is as governance evidence. It is rarely owned, rarely dated, and it drifts: a column no one fills in, two names for the same system, a leaver never marked. With no status discipline and no record of when anything was last checked, it proves little to a reviewer or a manager — the deeper version of which is covered in evidence reports vs dashboards vs spreadsheets and in proving control without another pile of spreadsheets. The spreadsheet is a fine starting point and a poor finish line.
What a People & Accounts Register Is For
A people & accounts register has one narrow job: keep a current, owned, dated record of which system accounts each person holds, as governance evidence. It links each account to a responsible person — making account ownership explicit — tracks status so leavers and stale accounts are visible, and stays close to the fields that make a row reviewable (covered in what to track in a manual accounts register).
It fills the gap the other three leave: the HRIS has people but not their accounts, the MDM has devices but not access, and the spreadsheet has data but not discipline. The register is the internal-register half of the checks + registers → evidence reports model — the place the people-to-access mapping becomes something you can review and report on.
Side by Side
| Tool | Primary job | Best for | Weak for governance evidence | How it fits with a People & Accounts register |
|---|---|---|---|---|
| HRIS | HR system of record | Employment, payroll, termination dates | Has no account-level access mapping | Upstream source of who is employed; the register adds their accounts |
| MDM | Manage and enforce on devices | Endpoint config, policy, remote wipe | Tracks devices, not account ownership | Handles the device; the register tracks the access |
| Spreadsheet | Flexible, ad-hoc data | Quick starts, one-off lists | Undated, unowned, drifts over time | A fine starting point; import it into the register |
| Directory / IdP | Authenticate and authorize logins | SSO, account provisioning for connected apps | Not a maintained evidence record across all systems | Covers connected apps; the register covers the full, manually-tracked picture |
| People & Accounts register | Record account ownership as evidence | "Who has access, who owns it, when reviewed" | — (this is its job) | The governance-evidence layer the others don't provide |
Where Access Reviews Fit
None of these tools, on its own, runs an access review — the periodic check that everyone who has access still needs it. The register is the input to that review, and the Access Reviews module is where the keep-or-remove decisions get made and recorded; the connection is covered in how the register supports access reviews. An HRIS can tell the review who left; an MDM can confirm a device was wiped; but the review itself works from the register's people-to-account mapping. This is also how a team shows management that access is under control — with a routine the other tools feed but do not replace.
Picture the same departing employee in three systems. The HRIS holds the termination record (no longer employed). The MDM shows the wiped laptop (device handled). The register holds the account dispositions (each login disabled or removed, with dates) — the artifact behind the employee offboarding evidence checklist. Three systems, three answers — and only the third proves the access was dealt with.
What CertPilot Does Not Replace
This is the part that keeps the comparison honest. CertPilot's register does not replace:
- An HRIS — it does not run payroll, serve as the HR system of record, or manage employment processes.
- An MDM — it does not manage, configure, monitor, or wipe devices.
- A directory or identity provider — it does not authenticate users, provision logins, or sync accounts from connected apps.
- A spreadsheet, for every use case — for ad-hoc, throwaway data, a spreadsheet is still the right tool.
If you need any of those jobs done, you need that category of tool. The register sits alongside them, not on top of them. The full canonical boundary list lives in what CertPilot is and is not.
How CertPilot Fits — With Strict Boundaries
CertPilot's People & Accounts register records operational governance evidence — the people-to-account mapping — and feeds it into Access Reviews and the cross-module evidence reports. What it deliberately does not do defines its place next to your other tools:
- It does not replace an HRIS, an MDM, a directory or identity provider, or a spreadsheet for every use case.
- It does not discover accounts automatically or sync with Google Workspace or Microsoft 365 today. The records are customer-maintained.
- It does not remove, revoke, or deprovision access; those actions happen in each system, and the register records that they were done.
- It does not monitor employee activity or scan email, documents, chats, or files.
- It is not a certification or an audit guarantee. It supports internal governance routines and evidence preparation.
A Practical First Version for a Lean IT Team
You do not have to choose between these tools — you layer the register on top of what you have:
- Keep your HRIS as the people source. Start the register from your employee list rather than reinventing it.
- Add the accounts your HRIS and MDM cannot see — the SaaS logins and admin consoles that live outside both.
- Import the spreadsheet you already keep by CSV, then add the discipline it lacks: an owner and a status per account.
- Run a first access review against that register so the people-to-access mapping is checked, not just stored.
- Generate an evidence report so leadership sees the routine — the sample reports gallery shows the output.
The register is the smallest piece that closes the governance-evidence gap — and it works precisely because it does not try to be the other three.
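As an added illustration (not CertPilot code or its import format), the discipline described above can be checked before a spreadsheet is imported: the script below reconciles a register CSV against an HRIS leaver list and flags missing owners, missing or stale review dates, leaver accounts still open, and the same system typed two ways. The column names, status values, 90-day threshold, and sample rows are all assumptions constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names and status values are assumptions.
HRIS_CSV = """person,termination_date
alice@example.com,
bob@example.com,2026-05-30
"""
REGISTER_CSV = """person,system,owner,status,last_reviewed
alice@example.com,GitHub,carol@example.com,active,2026-04-01
alice@example.com,Billing SaaS,,active,
bob@example.com,GitHub,carol@example.com,disabled,2026-05-30
bob@example.com,DNS registrar,carol@example.com,active,2026-01-15
bob@example.com,dns registrar,carol@example.com,removed,2026-05-30
"""
TODAY = date(2026, 6, 14)
CLOSED = {"disabled", "removed"}  # statuses treated as "handled" (assumed)

def audit_register(hris_csv, register_csv, today, max_age_days=90):
    """Return sorted (csv_line_number, issue) findings for a register export."""
    leavers = {
        r["person"].strip().lower(): date.fromisoformat(r["termination_date"].strip())
        for r in csv.DictReader(io.StringIO(hris_csv))
        if r["termination_date"].strip()
    }
    findings, spellings = [], {}
    for n, row in enumerate(csv.DictReader(io.StringIO(register_csv)), start=2):
        if not row["owner"].strip():
            findings.append((n, "no_owner"))
        reviewed = row["last_reviewed"].strip()
        if not reviewed:
            findings.append((n, "never_reviewed"))
        elif (today - date.fromisoformat(reviewed)).days > max_age_days:
            findings.append((n, "review_stale"))
        # A leaver's account must be disabled or removed, not merely forgotten.
        left = leavers.get(row["person"].strip().lower())
        if left and left <= today and row["status"].strip().lower() not in CLOSED:
            findings.append((n, "leaver_account_open"))
        # The same system typed two ways ("GitHub" vs "github") is drift.
        key = " ".join(row["system"].lower().split())
        if row["system"] != spellings.setdefault(key, row["system"]):
            findings.append((n, "system_name_variant"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, issue in audit_register(HRIS_CSV, REGISTER_CSV, TODAY):
        print(f"register line {line_no}: {issue}")
```

Line numbers refer to the register CSV with the header as line 1, so each finding can be traced back to the spreadsheet row that needs an owner, a status, or a review date.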
In Short
- HRIS, MDM, spreadsheet, and people & accounts register are complementary, not competing — four jobs, not four options.
- The HRIS records employment, the MDM manages devices, the spreadsheet is a flexible scratchpad — none maps people to their system accounts as dated, owned evidence.
- A register fills exactly that gap, and feeds access reviews and evidence reports.
- CertPilot does not replace an HRIS, MDM, directory/identity provider, or spreadsheet — and does not manage devices, run HR, sync accounts, or act on access.
- Layer the register on top of the tools you already have; start from your HRIS list and import your spreadsheet.
Frequently Asked Questions
Does a people & accounts register replace my HRIS?
No. An HRIS is your HR system of record for employment, payroll, and termination; a register is a record of which system accounts each person holds, kept as governance evidence. The HRIS tells you who is employed; the register tells you what access they have. Keep both — the register starts from the HRIS's people list.
Is a people & accounts register an MDM?
No. An MDM manages and can enforce controls on devices — enrolling laptops, pushing policy, wiping a lost phone. A register tracks account ownership and status, not devices, and it enforces nothing. They cover different layers: the device versus the access.
If I already have an HRIS, do I still need this?
Usually yes. An HRIS has no account-level mapping — it does not know which SaaS tools and admin consoles a person can log into. That mapping, with owners and statuses, is what an access review needs and what an HRIS cannot provide.
Can't I just use a spreadsheet?
You can start in one, and a register imports a spreadsheet by CSV. The difference is discipline: ownership, status, dates, and a habit of reviewing it. A loose spreadsheet drifts and is rarely trusted as evidence; the register adds the structure that makes the same data reviewable.
Does CertPilot sync from my HRIS or MDM?
No. CertPilot does not sync from an HRIS, an MDM, a directory, or any other system, and it does not discover accounts automatically. The register reflects exactly what you enter or import by CSV — it is customer-maintained by design.