George Mallikourtis
CISA, CISM
Efthimis Papanikolaou
CISA, ISMS IA 1
Agenda
EUCAs: What, Who, Where
End User Computing Applications (EUCAs)
Exposed
Assessment of Risks – Theoretical Framework
Business Cases in Banking Sector
Practical steps to audit EUCAs
Final thoughts
Q&A
EUCAs: What, Who, Where
What (1/2)
EUC (End User Computing): any computing activity developed and/or managed outside the recognized formal IT function.
EUCAs (End User Computing Applications): reporting programs, spreadsheets, databases and programming languages available to end users.
EUCAs: What, Who, Where
What (2/2)
Mainly:
Spreadsheets (MS Excel, Lotus 1-2-3, OpenOffice)
Local Databases (e.g. MS Access)
Business Intelligence reports (e.g. SQL Server Analysis Services, Hyperion, Crystal Reports, BRIO)
EUCAs: What, Who, Where
Who
EUCAs: What, Who, Where
Where (1/3)
Millions of managers and employees acting as end-user programmers design, build, and use EUCAs every day.
Every major corporation today uses end-user computing to make optimal decisions, projecting the consequences of these decisions for the firm in the form of a financial plan and then comparing future performance against it, as well as for modeling, schedules, consolidations and financial closings.
EUCAs: What, Who, Where
Where (2/3)
EUCAs: What, Who, Where
Where (3/3)
A Baseline Consulting survey of 250 senior IT managers showed that an
average of 32 percent of their companies' corporate data was stored in
spreadsheets or databases on employees' computers. These systems are
usually not subject to corporations' standard controls, and are in fact
usually not even tracked, either by IT departments or by the
departments responsible for regulatory compliance.
[Chart: End User Computing Applications, 32%; IT Controlled Applications, 68%]
EUCAs Exposed (1/5)
Token war story
EUCAs Exposed (2/5)
“The ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated.” (Financial Services Authority, regulator of all providers of financial services in the UK, FSA.gov.uk)
FSA fines Credit Suisse £5.6m (Aug 2008): The booking structure relied upon by the UK operations of Credit Suisse for the CDO trading business was complex and overly reliant on large spreadsheets with multiple entries. This resulted in a lack of transparency and inhibited the effective supervision, risk management and control of the SCG. (eusprig.org)
EUCAs Exposed (3/5)
EUCAs Exposed (4/5)
EUCAs Exposed (5/5)
- Excel error leaves Barclays with more Lehman assets than it bargained for. (Computerworld.com)
- A rogue trader costs France’s Société Générale €4.9 billion. Kerviel was able to circumvent SG's internal warning systems by opening and manipulating Excel spreadsheet reports used by managers to monitor traders' activities. (Economist.com)
Assessment of Risks – Theoretical Framework
F1. Inventory EUCAs
Inventory all EUCAs (spreadsheets, databases etc.) that are used to support significant business processes.
Identification Techniques:
– Interviews
– Walkthroughs
– Tools
F2. Define the Risk Profile (1/4)
Complexity                               Materiality
Based on quantitative criteria.          Based mostly on qualitative criteria.
Defines the operational risk.            Defines the possible impact of a potential threat.
• Both complexity and materiality should be redefined according to the business area audited.
F2. Define the Risk Profile (2/4)
Materiality (1)
Immaterial: No key business decisions are made based on the information. Any risk emerging would be embarrassing to those directly associated with the spreadsheet, but would have no real long-term impact on the business.
Material: An error or a delay in the preparation of the file may result in significant loss to the business. Information contained in the file is sensitive and employees could exploit this information if they had access to it.
Critical: An error or a delay in the preparation of the file may result in material loss to the business. Information contained in the file is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The data could be used to perpetrate senior management fraud.
F2. Define the Risk Profile (3/4)
Materiality (2)
Immaterial. A threshold establishing the minimum magnitude necessary for a spreadsheet to be considered material should be established. Any spreadsheet that processes or calculates dollar values or operational quantities less than this threshold should be considered to be of "immaterial magnitude."
Material. Spreadsheets processing a dollar value or operational quantity above the materiality threshold should be considered to be material.
Critical. A critical threshold should be established to flag spreadsheets that process an extremely high dollar value or operational quantity.
F2. Define the Risk Profile (4/4)
Complexity
Assessing EUCA complexity can be based on a number of criteria. For example:
– Size or scale of an application
– Formulae design
– Use of scripts
– Logical complexity
– External links
F3. Assess Existing Controls
Control: Definition
EUCA Policy & Control Standards: Define the responsibilities and processes surrounding EUCAs, with the aim of placing responsibility for the risks arising, and of understanding and reducing these risks through inventory and mitigation processes.
Access Controls: Define and restrict user access, rights and privileges.
Change Controls: Define the process to be followed whenever specific types of changes are performed.
Development Controls: Control development, testing and approval of new critical EUCAs prior to deployment into production.
Documentation: Require that EUCAs are adequately documented with regard to their use and design.
Data Security and Integrity: Balancing input data with totals from data sources.
Output Controls: Use of cross checks and balancing to ensure all input data has been accounted for and reflected in the outputs, and to prevent or highlight potential calculation errors.
Segregation of Duties: Define duties, roles and responsibilities regarding the usage of EUCAs and design changes.
Backup and Archival: EUCAs should be maintained on a secured server that is backed up on a regular basis. Prior versions of critical files should be moved to a secure archive folder to prevent data corruption and ensure they are not accessed or used in error.
F3a. Calculate Risk Exposure
[Risk exposure matrix: Complexity scored on a scale of 1 to 5]
F3b. Recommend Remediation Actions
The auditor must communicate the results of the Risk Assessment using illustrative examples.
The recommendations must focus primarily on policies and standards for EUCAs.
There should be references to existing frameworks (e.g. Policies and Procedures).
Depending on the outcome of the Risk Assessment, the examination of some EUCAs on an individual basis may be required.
Business cases in Banking Sector (1/9)
Case 1: Allied Irish Banks Group
by Andrew McGeady, Joseph McGouran
Allied Irish Banks Group is Ireland’s leading banking and financial services organization.
AIBG initiated a project (in co-operation with EUC consultants) in order to address the area of End User Computing (EUC) in AIB Capital Markets.
Business cases in Banking Sector (2/9)
Case 1: Allied Irish Banks Group
Business cases in Banking Sector (3/9)
Case 1: Allied Irish Banks Group
Business cases in Banking Sector (4/9)
Case 2: Nova Ljubljanska Bank (NLB)
by J. Hriberšek, B. Werber, J. Zupancic
NLB is the major bank in Slovenia. The study presents the results of an empirical investigation of EUCAs in the bank, with emphasis on end-user support provided by the Information Centre, the local MIS staff, and informal sources. The goal of the investigation was to identify and evaluate key factors of end-user support.
The investigation showed that users preferred the informal sources of support over the local MIS staff and the Information Centre.
Because spreadsheets are the most widespread EUC programming tool in the bank, the users expressed high interest in additional knowledge of the subject. Database development methods ranked the lowest.
Business cases in Banking Sector (5/9)
Case 2: Nova Ljubljanska Bank (NLB)
Business cases in Banking Sector (6/9)
Case 3: A mid-sized international bank
by Jamie Chambers and John Hamill
Business cases in Banking Sector (7/9)
Case 3: A mid-sized international bank
by Jamie Chambers and John Hamill
Business cases in Banking Sector (8/9)
Case 3: A mid-sized international bank
CONCLUSIONS
Even simple spreadsheets can cause large losses in an environment where very large transactions (> €1Bn) are commonplace.
It was interesting to note that few managers felt responsibility, believing their applications to be well controlled, or unimportant.
No attempt was made to ensure staff were qualified in the development of EUCAs to a level commensurate with their responsibilities. Managers were grateful when their staff constructed applications to address processing and reporting issues, but had no framework for supporting, controlling, managing or even promoting these activities.
Business cases in Banking Sector (9/9)
Case 3: A mid-sized international bank
by Jamie Chambers and John Hamill
EUCA risk was poorly understood, and rarely controlled in any way around the Bank. The observations echoed those of Croll [Croll, 2005]: 'there is almost no spreadsheet software quality assurance or appreciation of the software development life cycle as it might relate to spreadsheets'.
The problem of EUC ownership (and hence budgeting) meant that the project ended prematurely. A standardized approach to the problem, dividing the responsibilities between IT, Operational Risk, and departmental managers, could help organizations both to recognize and to tackle the risk in a coherent way. In addition, C-level management commitment, and Internal Audit & Information Security involvement, are essential.
Auditing EUCAs - Practical Issues
Define the different EUCAs used by the auditees.
Decide the method to create your inventory.
Define the complexity and materiality scales.
Practical issues – EUCAs Categories
The most common EUCAs are spreadsheet applications.
End-user databases like MS Access are the new trend, since data volumes are increasing rapidly.
New users are more and more IT literate, and they deploy considerably more computing power through reporting and scripting tools.
Practical issues – Inventory
It is nearly impossible to build an inventory of all EUCAs.
Usually the files are scattered across servers, local PCs and optical media.
The most practical approach is to gather the files tied to a reporting cycle (e.g. month, quarter, semester) for each significant business process.
Practical issues – Complexity (1/5)
The criteria to characterize an EUCA as complex may vary according to its type, purpose and processing frequency.
The most frequent EUCAs are spreadsheet applications.
For spreadsheet applications there are many proposed sets of complexity criteria.
Practical issues – Complexity (2/5)
A proposed set of complexity criteria for local databases:
• Number of Tables
• Number of Queries
• Number of Forms
• Number of Modules
Practical issues – Complexity (3/5)
Criteria             Operator   Value   Score
Number of Tables     >          5       5
Number of Tables     >          10      5
Number of Tables     >          15      5
Number of Queries    >          5       5
Number of Queries    >          10      5
Number of Queries    >          15      5
Number of Forms      >          5       5
Number of Forms      >          10      5
Number of Forms      >          15      5
Number of Modules    >          0       10
Number of Modules    >          5       10
Number of Modules    >          10      10
Complexity Definition:
Low     <= 10
Medium  <= 20
High    > 20
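As an added example (not code from the original slides), the scoring table above and the materiality tiers of F2 (3/4) applied to a constructed inventory of local databases, ranked for individual examination as F3b suggests. It assumes the table rows are cumulative (every threshold exceeded adds its score); the materiality thresholds, the file names and the ranking rule are assumptions.

```python
# Added example (not from the original slides): applies the local-database
# complexity scoring table and the materiality tiers of F2 (3/4) to a
# constructed EUCA inventory, then ranks the entries for individual examination.
# Scoring rules as tabulated on the slide: (criterion, ">" threshold, score).
# Assumed reading: every threshold exceeded adds its score, so 12 tables earn 5 (>5) + 5 (>10).
COMPLEXITY_RULES = [
    ("tables", 5, 5), ("tables", 10, 5), ("tables", 15, 5),
    ("queries", 5, 5), ("queries", 10, 5), ("queries", 15, 5),
    ("forms", 5, 5), ("forms", 10, 5), ("forms", 15, 5),
    ("modules", 0, 10), ("modules", 5, 10), ("modules", 10, 10),
]
# Assumed thresholds: the slides require a materiality and a critical threshold
# per business area but give no figures, so these values are illustrative only.
MATERIAL_THRESHOLD = 100_000
CRITICAL_THRESHOLD = 10_000_000
COMPLEXITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
MATERIALITY_RANK = {"Immaterial": 1, "Material": 2, "Critical": 3}

def complexity_score(tables: int, queries: int, forms: int, modules: int) -> int:
    counts = {"tables": tables, "queries": queries, "forms": forms, "modules": modules}
    return sum(score for name, limit, score in COMPLEXITY_RULES if counts[name] > limit)

def complexity_level(score: int) -> str:
    # Bands from the slide: Low <= 10, Medium <= 20, High > 20.
    return "Low" if score <= 10 else "Medium" if score <= 20 else "High"

def materiality_level(amount: float) -> str:
    if amount < MATERIAL_THRESHOLD:
        return "Immaterial"
    return "Material" if amount < CRITICAL_THRESHOLD else "Critical"

def assess(name, tables, queries, forms, modules, amount):
    score = complexity_score(tables, queries, forms, modules)
    return {"name": name, "score": score, "complexity": complexity_level(score),
            "materiality": materiality_level(amount)}

def prioritise(assessed):
    # Order for individual review: materiality first, then complexity band, then
    # raw score. This ordering rule is an assumption, not one from the slides.
    return sorted(assessed, reverse=True, key=lambda e: (
        MATERIALITY_RANK[e["materiality"]], COMPLEXITY_RANK[e["complexity"]], e["score"]))

# Constructed inventory: (name, tables, queries, forms, modules, amount processed).
SAMPLE_INVENTORY = [
    ("confirmations.accdb", 12, 7, 3, 2, 20_000_000),
    ("petty_cash.accdb", 3, 2, 1, 0, 50_000),
    ("fx_positions.accdb", 6, 6, 6, 0, 500_000),
]
RANKED = prioritise([assess(*row) for row in SAMPLE_INVENTORY])
```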
Practical issues – Complexity (4/5)
A comprehensive proposed set of complexity criteria for spreadsheets:
Sheets
Formulas
Formulas with Errors
Array Formulas
Nested Ifs
Max Nested If Level
External Links
Macros
Pivot Tables
Named Items
Invisible Cells (text and background are the same color)
Hidden Rows and Columns
Hidden Sheets
Very Hidden Sheets (sheet made invisible through use of VBA code)
Password Protected
Workbook Size
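An added example, not from the original slides: several of the criteria listed above (sheets, hidden and very hidden sheets, formulas, formulas with errors, array formulas, external links, max nested IF level, hidden rows) extracted from the XML parts an .xlsx workbook carries internally, using only the standard library. The workbook and worksheet XML are constructed samples; with a real file the two parts would be read from the zip container.

```python
# Added example (not from the original slides): extracts several of the
# spreadsheet complexity criteria from the XML parts stored inside an .xlsx
# file (workbook.xml and one worksheet part), standard library only.
import xml.etree.ElementTree as ET
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Constructed sample parts standing in for a real workbook's XML.
WORKBOOK_XML = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheets><sheet name="Input" sheetId="1"/><sheet name="Calc" sheetId="2" state="hidden"/>
<sheet name="Audit" sheetId="3" state="veryHidden"/></sheets></workbook>"""
SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1"><c r="A1"><f>IF(B1&gt;0,IF(C1&gt;0,1,2),3)</f><v>1</v></c></row>
<row r="2" hidden="1"><c r="A2"><f>[1]Rates!$A$1*2</f><v>4</v></c></row>
<row r="3"><c r="A3" t="e"><f>1/0</f><v>#DIV/0!</v></c></row>
<row r="4"><c r="A4"><f t="array" ref="A4:A6">SUM(B4:B6*C4:C6)</f><v>9</v></c></row>
<row r="5"><c r="A5"><f>COUNTIF(B1:B9,"&gt;0")</f><v>2</v></c></row>
</sheetData></worksheet>"""

def max_nested_if(formula: str) -> int:
    # Depth of nested IF( calls; COUNTIF( and other *IF( functions are not counted.
    up, stack, depth, best = formula.upper(), [], 0, 0
    for i, ch in enumerate(up):
        if ch == "(":
            is_if = up[max(0, i - 2):i] == "IF" and not (
                i > 2 and (up[i - 3].isalnum() or up[i - 3] == "_"))
            stack.append(is_if)
            if is_if:
                depth += 1
                best = max(best, depth)
        elif ch == ")" and stack and stack.pop():
            depth -= 1
    return best

def complexity_metrics(workbook_xml: str, sheet_xml: str) -> dict:
    wb, ws = ET.fromstring(workbook_xml), ET.fromstring(sheet_xml)
    states = [s.get("state", "visible") for s in wb.findall("m:sheets/m:sheet", NS)]
    formulas = [(c, c.find("m:f", NS)) for c in ws.findall(".//m:c", NS) if c.find("m:f", NS) is not None]
    return {
        "sheets": len(states),
        "hidden_sheets": states.count("hidden"),
        "very_hidden_sheets": states.count("veryHidden"),
        "formulas": len(formulas),
        "formulas_with_errors": sum(1 for c, _ in formulas if c.get("t") == "e"),
        "array_formulas": sum(1 for _, f in formulas if f.get("t") == "array"),
        # references into another workbook carry a bracketed index, e.g. [1]Rates!$A$1
        "external_links": sum(1 for _, f in formulas if "[" in (f.text or "")),
        "max_nested_if": max((max_nested_if(f.text or "") for _, f in formulas), default=0),
        "hidden_rows": sum(1 for r in ws.findall(".//m:row", NS) if r.get("hidden") == "1"),
    }
```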
Practical issues – Complexity (5/5)
Practical issues – Materiality (1/3)
Materiality is always subjective and challengeable by the auditees.
Sometimes, collaborating with the auditees prior to the risk assessment may prove useful for defining materiality thresholds.
Even EUCAs graded as immaterial should get attention (otherwise what’s the point of having them).
Practical issues – Materiality (2/3)
A proposed set of materiality criteria
Practical issues – Materiality (3/3)
Practical issues – Overall Risk
Final thoughts
Summarizing,
There are ongoing studies about defining appropriate and objective complexity and materiality criteria.
EUCAs are NOT only spreadsheets. More EUCAs will come forth as users get more IT literate.
References
1. FSA – Buckner: User computing in financial regulation
2. Hoye, Perry: Enterprise spreadsheets: Best practices for Risk Mitigation & Control
3. McGeady, McGouran: End User Computing in AIB Capital Markets: A Management Summary
4. Jamie Chambers, John Hamill: Controlling End User Computing Applications - a case study
5. Hriberšek, Werber, Zupancic: End-User Computing in Banking Industry, A case of a large Slovenian Bank
6. O’Beirne: Auditing Spreadsheets Motivations & Methodology
7. Struthers-Kennedy / Protiviti: Excel at managing spreadsheet risk
8. Cooper, Wilson: The hidden risk of End User Computing
9. PwC: The use of spreadsheets: Considerations for Section 404 of the SOX Act
10. Gallegos, Senft: Information Technology Control and Audit
11. Protiviti: Spreadsheets: friend or foe?
12. Perry: Automating Spreadsheet Discovery and Risk Assessment
13. Panko: Revising the Panko-Halverson Taxonomy of Spreadsheet Risks
14. Powell, Baker, and Lawson: Errors in Operational Spreadsheets: A Review of the State of the Art
15. Panko, Port: The Dark Matter of Corporate IT
16. Burdick: Improving Spreadsheet Audits in Six Steps
17. Powell, Baker, and Lawson: An auditing protocol for spreadsheet models
18. ITGI: IT Control Objectives for Sarbanes-Oxley
Final thoughts
EUC can either be performed in a controlled manner, serving to advance organizational goals, or “in the dark”, serving only to add to the level of risk carried by the organization.
Final thoughts
Summarizing,
To efficiently mitigate EUC risk within an organization, there is an EUC Risk Continuum leading to success, which requires a cultural change (e.g. policies, controls, best practices) and the adoption of new technology.
The key to avoiding confusion in applying EUC policies is to ensure that ownership and responsibility are logical and are set out clearly.
Final thoughts
EUC Risk Continuum
Final thoughts
The auditor’s role in controlling EUC will evolve along with the maturity of the organization.
Thank You
Thank you very much for your participation.
Keep in touch,