End User Computing (EUC) Risk: From Assessment to Audit

George Mallikourtis, CISA, CISM
Efthimis Papanikolaou, CISA, ISMS IA

Upload: phamkien

Post on 06-Feb-2018


TRANSCRIPT

Page 1: End User Computing (EUC) Risk: From Assessment to …conferences.hau.gr/resources/aifs2010/proceedings10/mallikourtis... · 1 End User Computing (EUC) Risk: From Assessment to Audit

End User Computing (EUC) Risk: From Assessment to Audit

George Mallikourtis, CISA, CISM

Efthimis Papanikolaou, CISA, ISMS IA

Page 2: Agenda

• EUCAs: What, Who, Where
• End User Computing Applications (EUCAs) Exposed
• Assessment of Risks – Theoretical Framework
• Business Cases in Banking Sector
• Practical steps to audit EUCAs
• Final thoughts
• Q & A

Page 3: EUCAs: What, Who, Where – What (1/2)

EUC (End User Computing): any computing activity developed and/or managed outside the recognized formal IT function.

EUCAs (End User Computing Applications): reporting programs, spreadsheets, databases and programming languages available to end-users.

Page 4: EUCAs: What, Who, Where – What (2/2)

Mainly:
• Spreadsheets (MS Excel, Lotus 123, OpenOffice)
• Local databases (e.g. MS Access)
• Business Intelligence reports (e.g. SQL Server Analysis Services, Hyperion, Crystal Reports, BRIO)

Page 5: EUCAs: What, Who, Where – Who

A financial analyst can create a spreadsheet to analyze and graph discrepancies between budget and actual performance numbers.

A back office employee uses a reconciliation file (spreadsheet, local database) which compares the trade records within the main trade processing system with those in the general ledger system.

A project manager can develop a small database to track the progress of the project and employee assignments.

Page 6: EUCAs: What, Who, Where – Where (1/3)

Millions of managers and employees acting as end-user programmers design, build, and use EUCAs every day.

Every major corporation today uses end-user computing to make optimal decisions, projecting the consequences of these decisions for the firm in the form of a financial plan, and then comparing future performance against it; modeling, schedules, consolidations and financial closings.

Page 7: EUCAs: What, Who, Where – Where (2/3)

• Treasury and Back Office for pricing, valuation, settlement.
• Financial Services Office for reconciliations, financial reporting, analyses, IFRS adjustments.
• Sales for decision making, marketing queries, trend analysis.
• Operations for tracking and monitoring of everyday workflows.

Page 8: EUCAs: What, Who, Where – Where (3/3)

A Baseline Consulting survey of 250 senior IT managers showed that an average of 32 percent of their companies' corporate data was stored in spreadsheets or databases on employees' computers. These systems are usually not subject to corporations' standard controls, and are in fact usually not even tracked, either by IT departments or by the departments responsible for regulatory compliance.

[Chart: End User Computing Applications 32%, IT Controlled Applications 68%]

Page 9: EUCAs Exposed (1/5) – Token war story

• "The ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated." – (From a visit last week)

Page 10: EUCAs Exposed (2/5)

(Financial Services Authority – regulator of all providers of financial services in the UK – FSA.gov.uk)

FSA fines Credit Suisse £5.6m (Aug 2008): The booking structure relied upon by the UK operations of Credit Suisse for the CDO trading business was complex and overly reliant on large spreadsheets with multiple entries. This resulted in a lack of transparency and inhibited the effective supervision, risk management and control of the SCG. (eusprig.org)

Page 11: EUCAs Exposed (3/5)

SEC: Ex-CFO Used Spreadsheets for Fraud

The former CFO of a company that produces electronic databases of archived information from publishers settled charges made by the Securities and Exchange Commission that, with the use of spreadsheet aids, he made fraudulent monthly and quarterly accounting entries for more than five years. He used "hidden rows" to keep falsities from hard copy and covered up information by placing it in "white font." (CFO.com)

Page 12: EUCAs Exposed (4/5)

Bernard Lawrence "Bernie" Madoff, the former Chairman of the NASDAQ stock exchange and the admitted operator of the Ponzi scheme, made "the largest investment fraud in Wall Street history".

Madoff or DiPascali would enter trades that never happened, with real prices, into an old IBM AS/400 computer he used for his advisory business and – voilà! – he had a track record. Then, using a simple spreadsheet such as Excel, more than 2,300 client accounts were updated automatically – dividing among all the accounts the gains from the "trades" that amounted to "profits" of 1%. (FT.com, Financial Times)

Page 13: EUCAs Exposed (5/5)

• Excel error leaves Barclays with more Lehman assets than it bargained for. (Computerworld.com)

• A rogue trader costs France's Société Générale €4.9 billion. Kerviel was able to circumvent SG's internal warning systems by opening and manipulating Excel spreadsheet reports used by managers to monitor traders' activities. (Economist.com)

Page 14: Assessment of Risks – Theoretical Framework

Page 15: F1. Inventory EUCAs

Inventory all EUCAs (spreadsheets, databases etc.) that are used to support significant business processes.

Identification techniques:
– Interviews
– Walkthroughs
– Tools

Page 16: F2. Define the Risk Profile (1/4)

Complexity: based on quantitative criteria. Defines the operational risk.

Materiality: based mostly on qualitative criteria. Defines the possible impact of a potential threat.

• Both complexity and materiality should be redefined according to the business area audited.

Page 17: F2. Define the Risk Profile (2/4)

Materiality (1)

Immaterial: No key business decisions are made based on the information. Any risk emerging would be embarrassing to those directly associated with the spreadsheet, but would have no real long term impact on the business.

Material: An error or a delay in the preparation of the file may result in significant loss to the business. Information contained in the file is sensitive and employees could exploit this information if they had access to it.

Critical: An error or a delay in the preparation of the file may result in material loss to the business. Information contained in the file is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The data could be used to perpetrate senior management fraud.

Page 18: F2. Define the Risk Profile (3/4)

Materiality (2)

Immaterial. A threshold establishing the minimum magnitude necessary for a spreadsheet to be considered material should be established. Any spreadsheet that processes or calculates dollar values or operational quantities less than this threshold should be considered to be of "immaterial magnitude."

Material. Spreadsheets processing a dollar value or operational quantity above the materiality threshold should be considered to be material.

Critical. A critical threshold should be established to flag spreadsheets that process an extremely high dollar value or operational quantity.

Page 19: F2. Define the Risk Profile (4/4)

Complexity

Assessing EUCA complexity can be based on a number of criteria. For example:
– Size or scale of an application
– Formulae design
– Use of scripts
– Logical complexity
– External links

Page 20: F3. Assess Existing Controls

Control: Definition

EUCA Policy & Control Standards: Define the responsibilities and processes surrounding EUCAs with the aim of placing responsibility for the risks arising, and of understanding and reducing these risks through inventory and mitigation processes.

Access Controls: Define and restrict user access, rights and privileges.

Change Controls: Define the process to be followed whenever specific types of changes are performed.

Version Controls: Ensure accurate identification of the current production files.

Development Controls: Control development, testing and approval of new critical EUCAs prior to deployment into production.

Documentation: Require that EUCAs are adequately documented with regard to their use and design.

Input Controls: Employment of data validation to control or restrict input to valid data.

Data Security and Integrity: Balancing input data with totals from data sources.

Output Controls: Use of cross checks and balancing to ensure all input data has been accounted for and reflected in the outputs, and to prevent or highlight potential calculation errors.

Segregation of Duties: Define duties, roles and responsibilities regarding the usage of EUCAs and design changes.

Backup and Archival: EUCAs should be maintained on a secured server that is backed up on a regular basis. Prior versions of critical files should be moved to a secure archive folder to prevent data corruption and ensure they are not accessed or used in error.

Page 21: F3a. Calculate Risk Exposure

Rows: Materiality (5 = highest). Columns: Complexity (5 = highest).

Materiality \ Complexity   1        2        3        4        5
5                          MEDIUM   MEDIUM   HIGH     HIGH     HIGH
4                          MEDIUM   MEDIUM   MEDIUM   HIGH     HIGH
3                          LOW      LOW      MEDIUM   MEDIUM   MEDIUM
2                          LOW      LOW      LOW      LOW      LOW
1                          LOW      LOW      LOW      LOW      LOW

Determine EUCA risk based on Complexity and Criticality.
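The F2 thresholds (immaterial / material / critical), the five complexity criteria and the F3a matrix above, worked through as an added example that is not part of the presentation. The threshold amounts, the criterion cut-offs and the mapping of the three materiality categories onto the 1..5 axis are assumptions; as the talk says, they should be redefined per business area audited.

```python
"""Risk-profile scoring for an EUCA inventory (talk steps F2 and F3a).

Added example, not part of the presentation. Materiality is derived from the
two thresholds the talk describes (material and critical) plus whether the file
holds sensitive data; complexity is scored from the five criteria the talk lists;
RISK_MATRIX reproduces the F3a slide (row = materiality 5..1, column =
complexity 1..5). All amounts and cut-offs are assumptions.
"""
from dataclasses import dataclass

# F3a matrix: RISK_MATRIX[materiality][complexity - 1]
RISK_MATRIX = {
    5: ["MEDIUM", "MEDIUM", "HIGH", "HIGH", "HIGH"],
    4: ["MEDIUM", "MEDIUM", "MEDIUM", "HIGH", "HIGH"],
    3: ["LOW", "LOW", "MEDIUM", "MEDIUM", "MEDIUM"],
    2: ["LOW"] * 5,
    1: ["LOW"] * 5,
}


@dataclass
class Thresholds:
    """Materiality thresholds for one business area (assumed values)."""
    material: float   # below this: immaterial magnitude
    critical: float   # at or above this: critical magnitude


@dataclass
class Euca:
    """Facts collected about one end-user application during the inventory."""
    name: str
    amount_processed: float   # dollar value / operational quantity per cycle
    sensitive_data: bool      # personal, price-sensitive or competitor data
    cells: int                # size or scale of the application
    formula_cells: int        # formulae design
    has_scripts: bool         # use of scripts (VBA, macros)
    max_nesting: int          # logical complexity (deepest nested formula)
    external_links: int       # links to other files or data sources


def materiality_score(e: Euca, t: Thresholds) -> int:
    """Map Immaterial/Material/Critical onto the 1..5 axis.

    Assumed mapping: immaterial -> 1, material -> 3, critical -> 5, plus one
    point when the file holds sensitive data (capped at 5).
    """
    if e.amount_processed >= t.critical:
        score = 5
    elif e.amount_processed >= t.material:
        score = 3
    else:
        score = 1
    if e.sensitive_data:
        score = min(5, score + 1)
    return score


def complexity_score(e: Euca) -> int:
    """One point per complexity criterion exceeded (assumed cut-offs), floor 1."""
    hits = [
        e.cells > 5000,          # size or scale
        e.formula_cells > 200,   # formulae design
        e.has_scripts,           # use of scripts
        e.max_nesting > 3,       # logical complexity
        e.external_links > 0,    # external links
    ]
    return max(1, sum(hits))


def risk_level(materiality: int, complexity: int) -> str:
    """Look up the F3a matrix; both axes must be integers 1..5."""
    if not (1 <= materiality <= 5 and 1 <= complexity <= 5):
        raise ValueError("materiality and complexity must be between 1 and 5")
    return RISK_MATRIX[materiality][complexity - 1]


def assess(e: Euca, t: Thresholds) -> dict:
    m, c = materiality_score(e, t), complexity_score(e)
    return {"name": e.name, "materiality": m, "complexity": c, "risk": risk_level(m, c)}


# Constructed sample inventory for a capital-markets back office (not real files).
SAMPLE_THRESHOLDS = Thresholds(material=1_000_000, critical=100_000_000)
SAMPLE_INVENTORY = [
    Euca("project_tracker.accdb", 0, False, 800, 10, False, 1, 0),
    Euca("trade_recon.xlsx", 45_000_000, True, 12_000, 900, False, 4, 2),
    Euca("cdo_booking.xlsm", 2_500_000_000, True, 60_000, 4_000, True, 6, 5),
]


def assess_inventory(inventory=SAMPLE_INVENTORY, thresholds=SAMPLE_THRESHOLDS):
    """Assess every file and return the results ordered by risk, highest first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((assess(e, thresholds) for e in inventory), key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for row in assess_inventory():
        print(f"{row['name']:<22} M={row['materiality']} C={row['complexity']} -> {row['risk']}")
```

The matrix makes the talk's point explicit: a simple but critical file (materiality 5, complexity 1) is still MEDIUM, while any material file that also scores high on complexity lands in HIGH and is a candidate for individual examination under F3b.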

Page 22: F3b. Recommend Remediation Actions

• The auditor must communicate the results of the Risk Assessment using illustrative examples.
• The recommendations must focus primarily on policies and standards for EUCAs.
• There should be references to existing frameworks (e.g. Policies and Procedures).
• Depending on the outcome of the Risk Assessment, the examination of some EUCAs on an individual basis may be required.

Page 23: Business cases in Banking Sector (1/9)

Case 1: Allied Irish Banks Group

by Andrew McGeady, Joseph McGouran

Allied Irish Banks Group is Ireland's leading banking and financial services organization.

AIBG initiated a project (in co-operation with EUC consultants) in order to address the area of End User Computing (EUC) in AIB Capital Markets.

The EUC issue had come to the fore after the introduction of compliance legislation and the heightened vigilance of auditors.

Page 24: Business cases in Banking Sector (2/9)

Case 1: Allied Irish Banks Group

AIBCM Architecture & Research Team published a strategy document outlining a framework that would provide the necessary control for End User Computing. Five key stages:

1. Acknowledge the EUC issue.
2. Establish a register of critical EUC applications.
3. Remediate existing critical EUC applications (each critical application was analysed, remediated – by the project team and the owners – and validated).
4. Implement a controlled environment for the housing of such applications (EUC technical tools for auditing, access and version control are recommended).
5. Develop guidelines and templates consistent with the EUC policy for future EUC development.

Page 25: Business cases in Banking Sector (3/9)

Case 1: Allied Irish Banks Group

The project was successfully carried out with the following conclusions:

• The key to avoiding confusion is to ensure that divisions of ownership and responsibility are set out clearly in the organizational EUC policy and procedures.
• Making the effort to talk personally to all involved is of vital importance in ensuring the success of EUC in the organization.
• With appropriate control in place, End User Development can be a valuable asset to the organization, combining in-depth business knowledge with the power of IT to create applications that can complement the existing IT processes.

Page 26: Business cases in Banking Sector (4/9)

Case 2: Nova Ljubljanska Bank (NLB)

by J. Hriberšek, B. Werber, J. Zupancic

NLB is the major bank in Slovenia. The study presents the results of an empirical investigation of EUCAs in the bank, with emphasis on end-user support provided by the Information Centre, the local MIS staff, and informal sources. The goal of the investigation was to identify and evaluate key factors of end-user support.

The investigation showed that users preferred the informal sources of support over the local MIS staff and the Information Centre.

Because spreadsheets are the most widespread EUC programming tool in the bank, the users expressed high interest in additional knowledge of the subject. Database development methods ranked the lowest.

Page 27: Business cases in Banking Sector (5/9)

Case 2: Nova Ljubljanska Bank (NLB)

Based on the results, the following measures have been suggested:

• Strengthen the role and redefine the function of the Information Centre, so that it will be able to provide quick responses to concrete questions from the users, as a basic precondition for successful development of EUC.
• Develop training focusing on improvement of the quality of EUCAs development.

Page 28: Business cases in Banking Sector (6/9)

Case 3: A mid-sized international bank

by Jamie Chambers and John Hamill

An external audit comment was the primary stimulus for the project at a mid-sized international bank: the auditors remarked that there was a high level of dependency on complex EUCAs (databases & spreadsheets), particularly in the production of financial accounts.

Page 29: Business cases in Banking Sector (7/9)

Case 3: A mid-sized international bank

by Jamie Chambers and John Hamill

The project was terminated at an early stage... During the course of the project there were some far-reaching executive changes which led to a withdrawal of support for any efforts.

Page 30: Business cases in Banking Sector (8/9)

Case 3: A mid-sized international bank

CONCLUSIONS

• Even simple spreadsheets can cause large losses in an environment where very large transactions (> €1Bn) are commonplace.
• It was interesting to note that few managers felt responsibility, believing their applications to be well controlled, or unimportant.
• No attempt was made to ensure staff were qualified in the development of EUCAs to a level commensurate with their responsibilities. Managers were grateful when their staff constructed applications to address processing and reporting issues, but had no framework for supporting, controlling, managing or even promoting these activities.

Page 31: Business cases in Banking Sector (9/9)

Case 3: A mid-sized international bank

by Jamie Chambers and John Hamill

EUCA risk was poorly understood, and rarely controlled in any way around the Bank. The observations echoed those of Croll [Croll, 2005]: 'there is almost no spreadsheet software quality assurance or appreciation of the software development life cycle as it might relate to spreadsheets'.

The problem of EUC ownership (and hence budgeting) meant that the project ended prematurely. A standardized approach to the problem, dividing the responsibilities between IT, Operational Risk, and departmental managers, could help organizations both to recognize and to tackle the risk in a coherent way. In addition, C-level management commitment, and Internal Audit & Information Security involvement, are essential.


32

Auditing EUCAs - Practical Issues

Define the different EUCAs used by the auditees.
Decide the method to create your inventory.
Define the complexity and materiality scales.


33

Practical issues – EUCAs Categories

The most common EUCAs are spreadsheet applications.
End User databases like MS Access are the new trend since data volumes are increasing rapidly.
The new users are more and more IT literate and they deploy much more computing power like reporting and scripting tools.


34

Practical issues – Inventory

It is nearly impossible to make an inventory of all EUCAs.
Usually the files are scattered across servers, local PCs and optical media.
The most practical approach is to gather the files relating to a reporting cycle (e.g. month, quarter, semester) for each significant business process.


35

Practical issues – Complexity (1/5)

The criteria to characterize an EUCA as complex may vary according to its type, its purpose and its processing frequency.
The most frequent EUCAs are spreadsheet applications.
For spreadsheet applications there are a lot of proposed sets of complexity criteria.


Practical issues – Complexity (2/5)

36

A proposed set of complexity criteria for local databases

• Number of Tables
• Number of Queries
• Number of Forms
• Number of Modules


Practical issues – Complexity (3/5)

Criteria            Operator   Value   Score
Number of Tables    >          5       5
Number of Tables    >          10      5
Number of Tables    >          15      5
Number of Queries   >          5       5
Number of Queries   >          10      5
Number of Queries   >          15      5
Number of Forms     >          5       5
Number of Forms     >          10      5
Number of Forms     >          15      5
Number of Modules   >          0       10
Number of Modules   >          5       10
Number of Modules   >          10      10

Complexity Definition:
Low     <= 10
Medium  <= 20
High    > 20
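As an added example (not code from the presentation), the complexity table above implemented as a data-driven scoring function with the Low/Medium/High bands. It assumes the scores of every threshold row a count exceeds are added together, which the slide does not state explicitly; the sample database counts are constructed.

```python
# Added example, not from the presentation: scores a local end-user database
# against the complexity table on this slide. Assumption: every threshold row
# the measured count exceeds contributes its score (scores are cumulative).
import operator

# (criterion, operator, value, score) rows, transcribed from the slide's table.
DB_COMPLEXITY_RULES = [
    ("Number of Tables",  ">", 5, 5),  ("Number of Tables",  ">", 10, 5),  ("Number of Tables",  ">", 15, 5),
    ("Number of Queries", ">", 5, 5),  ("Number of Queries", ">", 10, 5),  ("Number of Queries", ">", 15, 5),
    ("Number of Forms",   ">", 5, 5),  ("Number of Forms",   ">", 10, 5),  ("Number of Forms",   ">", 15, 5),
    ("Number of Modules", ">", 0, 10), ("Number of Modules", ">", 5, 10),  ("Number of Modules", ">", 10, 10),
]

OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "=": operator.eq}


def complexity_band(score):
    """Complexity definition from the slide: Low <= 10, Medium <= 20, High > 20."""
    if score <= 10:
        return "Low"
    if score <= 20:
        return "Medium"
    return "High"


def complexity_score(counts, rules=DB_COMPLEXITY_RULES):
    """Sum the scores of all rule rows satisfied by the measured counts.

    counts maps a criterion name to the number observed in the database; a
    criterion missing from counts is treated as 0. Returns (score, hits), where
    hits lists the rows that fired so the auditor can show the working.
    """
    score, hits = 0, []
    for criterion, op, value, points in rules:
        if OPERATORS[op](counts.get(criterion, 0), value):
            score += points
            hits.append(f"{criterion} {op} {value} (+{points})")
    return score, hits


def assess_database(counts, rules=DB_COMPLEXITY_RULES):
    """Return the score, the complexity band and the rows that contributed."""
    score, hits = complexity_score(counts, rules)
    return {"score": score, "complexity": complexity_band(score), "triggered": hits}


if __name__ == "__main__":
    # Constructed sample: a departmental Access database with 12 tables,
    # 7 queries, 3 forms and no VBA modules.
    result = assess_database({"Number of Tables": 12, "Number of Queries": 7,
                              "Number of Forms": 3, "Number of Modules": 0})
    print(result["score"], result["complexity"])  # 15 Medium
    # The same database with a single VBA module crosses into the High band.
    result = assess_database({"Number of Tables": 12, "Number of Queries": 7,
                              "Number of Forms": 3, "Number of Modules": 1})
    print(result["score"], result["complexity"])  # 25 High
```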


Practical issues – Complexity (4/5)
A comprehensive proposed set of complexity criteria for spreadsheets

Sheets
Formulas
Formula with Errors
Array Formulas
Nested Ifs
Max Nested If Level
External Links
Macros
Pivot Tables
Named Items
Invisible Cells (text and background are the same color)
Hidden Rows and Columns
Hidden Sheets
Very Hidden Sheets (sheet made invisible through use of VBA code)
Password Protected
Workbook Size

38


Practical issues – Complexity (5/5)

39


Practical issues – Materiality (1/3)

40

Materiality is always subjective and challengeable by the auditees.
Sometimes, collaborating with the auditees prior to the risk assessment may prove useful for defining materiality thresholds.
Even EUCAs graded as immaterial should get attention (otherwise what's the point of having them).


Practical issues – Materiality (2/3)
A proposed set of materiality criteria

41

Field Value (>, <, contains a string, or =)
Object Name (e.g. Table, Sheet, Query)
File Name
File Path
External Link
Built-in Document Property
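As an added example (not code from the presentation), the materiality criteria and operator set above turned into rules evaluated against an inventoried EUCA. The rule values, the sample workbook record and the record layout (which fields of the inventory each criterion is checked against) are constructed assumptions of this example.

```python
# Added example, not from the presentation: evaluates an inventoried EUCA against
# materiality rules built from this slide's criteria and operator set (>, <,
# contains, =). Rule values, the sample record and its layout are constructed.
import operator

# (criterion, operator, value). A file is graded material when any rule fires.
MATERIALITY_RULES = [
    ("Field Value", ">", 1_000_000),                   # any single figure above 1M
    ("Object Name", "contains", "Provision"),          # a sheet, table or query name
    ("File Name", "contains", "regulatory"),
    ("File Path", "contains", "\\Finance\\"),          # stored under the Finance share
    ("External Link", "contains", "core_banking"),     # fed from a core-system extract
    ("Built-in Document Property", "contains", "Board"),
]
NUMERIC_OPS = {">": operator.gt, "<": operator.lt}

def _matches(actual, op, expected):
    """Apply one operator; a value that is not numeric never satisfies > or <."""
    if op == "contains":
        return isinstance(actual, str) and expected.lower() in actual.lower()
    if op == "=":
        return actual == expected
    if op in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[op](float(actual), float(expected))
        except (TypeError, ValueError):
            return False
    raise ValueError(f"unsupported operator {op!r}")

def _candidates(record, criterion):
    """Values of the inventory record that a given criterion is checked against."""
    return {
        "Field Value": record.get("field_values", []),
        "Object Name": record.get("object_names", []),
        "File Name": [record.get("file_name", "")],
        "File Path": [record.get("file_path", "")],
        "External Link": record.get("external_links", []),
        "Built-in Document Property": list(record.get("doc_properties", {}).values()),
    }[criterion]

def materiality_hits(record, rules=MATERIALITY_RULES):
    """Rules the record satisfies; an empty list means it is graded immaterial."""
    return [(crit, op, val) for crit, op, val in rules
            if any(_matches(v, op, val) for v in _candidates(record, crit))]

def is_material(record, rules=MATERIALITY_RULES):
    return bool(materiality_hits(record, rules))

if __name__ == "__main__":
    # Constructed inventory record for a quarterly provisioning workbook.
    workbook = {
        "file_name": "q3_provisions.xlsx",
        "file_path": r"\\fs01\Finance\Reporting\q3_provisions.xlsx",
        "object_names": ["Summary", "ProvisionCalc"],
        "field_values": [125000.0, 2500000.0, "n/a"],
        "external_links": [r"\\fs01\Finance\rates.xlsx"],
        "doc_properties": {"Title": "Q3 provisions", "Author": "jdoe"},
    }
    for crit, op, val in materiality_hits(workbook):
        print(f"material: {crit} {op} {val!r}")
```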


Practical issues – Materiality (3/3)

42


Practical issues – Overall Risk

43


44

Final thoughts

Summarizing,
There are ongoing studies about defining appropriate and objective complexity and materiality criteria.
EUCAs are NOT only spreadsheets. More EUCAs will come forth as users get more IT literate.


45

References
1. FSA – Buckner, User computing in financial regulation
2. Hoye, Perry, Enterprise spreadsheets: Best practices for Risk Mitigation & Control
3. McGeady, McGouran: End User Computing in AIB Capital Markets: A Management Summary
4. Jamie Chambers, John Hamill: Controlling End User Computing Applications - a case study
5. Hriberšek, Werber, Zupancic, End-User Computing in Banking Industry, A case of a large Slovenian Bank
6. O'Beirne, Auditing Spreadsheets Motivations & Methodology
7. Struthers-Kennedy / Protiviti, Excel at managing spreadsheet risk
8. Cooper, Wilson, The hidden risk of End User Computing
9. PWC, The use of spreadsheets: Considerations for Section 404 of the SOX Act
10. Gallegos, Senft, Information Technology Control and Audit
11. Protiviti, Spreadsheets: friend or foe?
12. Perry, Automating Spreadsheet Discovery and Risk Assessment
13. Panko, Revising the Panko – Halverson Taxonomy of Spreadsheet Risks
14. Powell, Baker, and Lawson, Errors in Operational Spreadsheets: A Review of the State of the Art
15. Panko, Port: The Dark Matter of Corporate IT
16. Burdick, Improving Spreadsheet Audits in Six Steps
17. Powell, Baker, and Lawson, An auditing protocol for spreadsheet models
18. ITGI, IT Control Objectives for Sarbanes-Oxley


46

Final thoughts

Summarizing,
EUCAs are NOT only spreadsheets. More EUCAs will come forth as users get more IT literate.
EUC can either be performed in a controlled manner serving to advance organizational goals or "in the dark", serving only to add to the level of risk carried by the organization.


47

Final thoughts

Summarizing,
To efficiently mitigate EUC risk within an organization, there is an EUC Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and the adoption of new technology.
The key to avoiding confusion when applying EUC policies is to ensure that ownership and responsibility are logical and are set out clearly.


48

Final thoughts
EUC Risk Continuum


49

Final thoughts

The auditor's role in controlling EUC will evolve along with the maturity of the organization.


50

Thank You

Thank you very much for your participation.
Keep in touch,

George Mallikourtis, CISA, CISM, [email protected]

Efthimis Papanikolaou, CISA, ISMS IA, [email protected]



52

Q & A