End User Computing Technology Controls in Business Renetta Ho-Antonio PMCP, ERM, CISM

Introduction The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act. The use of spreadsheets in financial reporting and operational processes, is a key tool for some corporations, and is an integral part of the information and decision-making framework. Spreadsheet functionality is easy and flexible however, if companies heavily rely on the information contain in these spreadsheets, then they should ensure to increase their focus on controls related to the development and maintenance as related to Section 404 of the Sarbanes-Oxley Act. This presentation gives an idea as to the assessment of specific control activities that should be considered by management in evaluating the use of significant spreadsheets.

The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.

The use of spreadsheets in financial reporting and operational processes, is a key tool for some corporations, and is an integral part of the information and decision-making framework.

Spreadsheet functionality is easy and flexible however, if companies heavily rely on the information contain in these spreadsheets, then they should ensure to increase their focus on controls related to the development and maintenance as related to Section 404 of the Sarbanes-Oxley Act.

This presentation gives an idea as to the assessment of specific control activities that should be considered by management in evaluating the use of significant spreadsheets.

Coverage EUC Definition EUC Application Controls EUC Audits EUC Challenges and Feedback

EUC Definition

EUC Application Controls

EUC Audits

EUC Challenges and Feedback

End User Computing Definition: From an Audit perspective, End User Computing (i.e. spreadsheets) is defined as a tool designed for the purpose of extracting information and performing data manipulation prior to the transfer of and/or downstream of results to a book of record system, i.e financial reporting In addition, EUC as files in standalone software programs, such as Excel and MS Access, that are created and maintained locally by end users, and are not formally support by technology groups, are generally classified as EUCs since they may not be covered by General IT Controls.

Definition:

From an Audit perspective, End User Computing (i.e. spreadsheets) is defined as a tool designed for the purpose of extracting information and performing data manipulation prior to the transfer of and/or downstream of results to a book of record system, i.e financial reporting

In addition, EUC as files in standalone software programs, such as Excel and MS Access, that are created and maintained locally by end users, and are not formally support by technology groups, are generally classified as EUCs since they may not be covered by General IT Controls.

EUC Application Controls An End User Computing work program should cover 4 controls: Identification of all EUC as they relate to the Financial and Operational control. Security and Access of the network path where the EUC is located. Functional Integrity within a change management process to analyze how are changes completed, tested, reviewed and approved. Inventory and Testing. This is the Risk assessment and the impact to the organization.

An End User Computing work program should cover 4 controls:

Identification of all EUC as they relate to the Financial and Operational control.

Security and Access of the network path where the EUC is located.

Functional Integrity within a change management process to analyze how are changes completed, tested, reviewed and approved.

Inventory and Testing. This is the Risk assessment and the impact to the organization.

Impact Testing & Security SOC Gen impact testing, Security, End User Computing (EUC) Environment and Disaster Recovery. Security testing for applications (non-euc) : end to end data flow level testing to ensure access privileges and system settings are adequately designed to prevent fraudulent activities, such as:- Soc-Gen Impact : Test password controls at the operating system, application and database layers with appropriate segregation of duties, proper approval, “need-to-know” privileges, logging and monitoring reviews and active directory access controls. Identify and test if roaming profile has been initiated . Security and Integrity of data.

SOC Gen impact testing, Security, End User Computing (EUC) Environment and Disaster Recovery.

Security testing for applications (non-euc) : end to end data flow level testing to ensure access privileges and system settings are adequately designed to prevent fraudulent activities, such as:-

Soc-Gen Impact : Test password controls at the operating system, application and database layers with appropriate segregation of duties, proper approval, “need-to-know” privileges, logging and monitoring reviews and active directory access controls.

Identify and test if roaming profile has been initiated .

Security and Integrity of data.

EUC Controls An independent person reviews and confirms the functionality built into the EUC file on creation and in the event of a change. Functionality for review includes but is not limited to programming, formulae, sorting of the data, aggregation of data, report creation, links between spreadsheets and/or other applications. Functional Integrity:- Development LifeCycle; Ownership; Change control processes; Version control; Input control; Logical inspection; Overall analytics and Documentation. Is the licence for EUC application maintained through enterprise program acquisition? Are there third party agreements with technology vendors that host technology services for the entity in respect of EUC application? Is there a technology contract with an outside service provider to perform technology services such as development of code, integration testing and conversion of data?

An independent person reviews and confirms the functionality built into the EUC file on creation and in the event of a change. Functionality for review includes but is not limited to programming, formulae, sorting of the data, aggregation of data, report creation, links between spreadsheets and/or other applications.

Functional Integrity:- Development LifeCycle; Ownership; Change control processes; Version control; Input control; Logical inspection; Overall analytics and Documentation.

Is the licence for EUC application maintained through enterprise program acquisition?

Are there third party agreements with technology vendors that host technology services for the entity in respect of EUC application?

Is there a technology contract with an outside service provider to perform technology services such as development of code, integration testing and conversion of data?

Risk Assessment Impact of an error on the organization: No or Minimal impact, does not compromise business decisions, regulatory requirements or corporate reputation. Use & sensitivity of the data: Either not sensitive or if some what sensitive, is only used inside the organization or Either used inside or outside the organization and contains sensitive data. Complexity of dependencies: Single or multiple EUC activity, no linkages or dependencies. There may be multiple EUC activities with linkages and interdependencies Functionality: Simple to some advanced functions (macros, embedded codes), complex codes. There may be advanced functions that will require a manual to support and have interactions across EUC activities. Number of users updating content or functions. Frequency of use: Monthly, weekly or more frequently. Anticipated length of Use: From a ‘One off’ up to a year or Greater than a year or in perpetuity Development Time: Minor or no time pressure to restricted or severe time pressures.

Impact of an error on the organization: No or Minimal impact, does not compromise business decisions, regulatory requirements or corporate reputation.

Use & sensitivity of the data: Either not sensitive or if some what sensitive, is only used inside the organization or Either used inside or outside the organization and contains sensitive data.

Complexity of dependencies: Single or multiple EUC activity, no linkages or dependencies. There may be multiple EUC activities with linkages and interdependencies

Functionality: Simple to some advanced functions (macros, embedded codes), complex codes. There may be advanced functions that will require a manual to support and have interactions across EUC activities.

Number of users updating content or functions.

Frequency of use: Monthly, weekly or more frequently.

Anticipated length of Use: From a ‘One off’ up to a year or Greater than a year or in perpetuity

Development Time: Minor or no time pressure to restricted or severe time pressures.

Disaster Recovery Disaster recovery (non-BCP): business is engaged with technology to ensure continuous service. Application and Systems Recovery adequacy. Business requirements and processes provide adequate disaster recovery. Business owners conduct Business Impact Analysis (BIA) to define priority/criticality of application and identify maximum allowable time (RTO) and acceptable level of data loss (RPO) and provide Fail Over criteria for mission critical applications.

Disaster recovery (non-BCP): business is engaged with technology to ensure continuous service. Application and Systems Recovery adequacy. Business requirements and processes provide adequate disaster recovery. Business owners conduct Business Impact Analysis (BIA) to define priority/criticality of application and identify maximum allowable time (RTO) and acceptable level of data loss (RPO) and provide Fail Over criteria for mission critical applications.

Conclusion Every corporation would need to define their own process, tools and mechanisms to ensure that there are appropriate controls when there is an existence of end user computing, especially if this relates to SOX. Spreadsheets specifically is woven into the management fabric of every organization today. It is important from a CEO/CFO Certification standpoint that management understands how spreadsheets are used to ensure adequacy of related controls. This will play a critical part in management’s assessment of the effectiveness of their internal control over financial reporting. Good article to read is France's SocGen hit by $7.1 billion alleged fraud http://www.marketwatch.com/news/story/rogue-traders-fraud-led-71/story.aspx?guid=%7B1C980919-2F3E-4A28-AAC4-A2FB129BE6E8%7D

Every corporation would need to define their own process, tools and mechanisms to ensure that there are appropriate controls when there is an existence of end user computing, especially if this relates to SOX.

Spreadsheets specifically is woven into the management fabric of every organization today. It is important from a CEO/CFO Certification standpoint that management understands how spreadsheets are used to ensure adequacy of related controls. This will play a critical part in management’s assessment of the effectiveness of their internal control over financial reporting.

Good article to read is France's SocGen hit by $7.1 billion alleged fraud http://www.marketwatch.com/news/story/rogue-traders-fraud-led-71/story.aspx?guid=%7B1C980919-2F3E-4A28-AAC4-A2FB129BE6E8%7D