Internal Auditors Target Spreadsheets
The practitioners' leading trade group launches a campaign to get better control over spreadsheets and databases created without oversight from IT.
Last month the Institute of Internal Auditors plugged a gap in its guidance for members by issuing recommendations for the auditing of "user-developed applications," which generally are spreadsheets and databases developed by end users rather than by IT personnel.
User-developed applications, or UDAs, are subject to a high level of data-integrity risk because there may not be adequate controls over validating their output or making changes to them, the IIA points out. There is also confidentiality risk, because a UDA and its data typically are easy to transmit outside the company via e-mail. And there is a risk that some UDAs will not be available for audit, because they may be stored on end users' hard drives or even portable flash drives and thus not captured in a periodic network backup by the IT department.
It is the availability risk that most concerns Mary Ann Tourney, internal audit manager for Talecris Biotherapeutics, a $1.5 billion provider of injectable medical treatments. Not knowing about a UDA that feeds information to a financial-reporting system, for instance, could cause financial-statement errors to go undetected or render incorrect the assessment of internal controls that is required under the Sarbanes-Oxley Act.
"The predominant pitfall, to me, is identifying the population of impacted systems," says Tourney. "It's sort of a scavenger hunt. Most auditors are concerned about UDAs because both the ownership and the management of the information are so dispersed. Without established and enforced standards for the creation and management of UDAs, it is a difficult population of sources to capture, much less test."
That concern points to the fine line internal auditors always walk: remaining independent from management while also acting as its adviser. It is management's ultimate responsibility to create and maintain an inventory of "critical" UDAs to be included in an audit, points out Cyndi Plamondon, the IIA's vice president of professional practices. Internal audit, though, should help define what constitutes a key UDA and also compile its own list prior to conducting an audit and compare it with management's, she says.
Internal audit then should evaluate management's controls over identifying UDAs and their owners, how UDAs are used, how changes to them are made and by whom, and what network systems they feed, the IIA says. Auditors also should evaluate the level of risk associated with each UDA and determine whether the controls reduce risk to an acceptable level based on the company's risk appetite and tolerance.
Special attention should be given to manual journal entries supported by UDAs. "If internal auditors do not have access to a management-generated inventory and risk ranking of UDAs, they would do well to look first at those that support the financial close and reporting process," the IIA states.
The IIA's recommendations are contained in the institute's 14th Global Technology Audit Guide. User-developed applications were recommended as a topic ripe for guidance by the IIA's advanced technology committee, but the factors that make UDA audits tricky are not new. Corporate end users have been creating spreadsheets and databases without IT supervision for decades, and they have always been risky and difficult to track.
"It may be that we had a gap in our guidance," acknowledges Plamondon. "In some organizations, UDAs may not have gotten as much attention in the past as they should have. Now we're making our members aware that they should look at these applications and how they are controlled."
This article was earlier published in a reputed financial magazine.