The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The use of spreadsheets in financial reporting and operational processes is a key tool for some corporations and an integral part of the information and decision-making framework.

Published in: Economy & Finance, Technology
Transcript

  • 1. End User Computing Technology Controls in Business. Renetta Ho-Antonio, PMCP, ERM, CISM
  • 2. Introduction
    • The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
    • The use of spreadsheets in financial reporting and operational processes is a key tool for some corporations and an integral part of the information and decision-making framework.
    • Spreadsheet functionality is easy and flexible; however, if companies rely heavily on the information contained in these spreadsheets, they should increase their focus on controls over spreadsheet development and maintenance, as required by Section 404 of the Sarbanes-Oxley Act.
    • This presentation gives an idea of the specific control activities that management should consider when evaluating the use of significant spreadsheets.
  • 3. Coverage
        • EUC Definition
        • EUC Application Controls
        • EUC Audits
        • EUC Challenges and Feedback
  • 4. End User Computing
    • Definition:
        • From an audit perspective, End User Computing (i.e. spreadsheets) is defined as a tool designed for extracting information and performing data manipulation before the results are transferred to, or flow downstream into, a book-of-record system, i.e. financial reporting.
        • In addition, files in standalone software programs such as Excel and MS Access that are created and maintained locally by end users, and are not formally supported by technology groups, are generally classified as EUCs, since they may not be covered by General IT Controls.
  • 5. EUC Application Controls
    • An End User Computing work program should cover four controls:
      • Identification of all EUCs as they relate to financial and operational control.
      • Security and access of the network path where the EUC is located.
      • Functional integrity within a change management process, to analyze how changes are completed, tested, reviewed and approved.
      • Inventory and testing. This is the risk assessment and the impact to the organization.
  • 6. Impact Testing & Security
    • SocGen impact testing, Security, the End User Computing (EUC) environment and Disaster Recovery.
    • Security testing for applications (non-EUC): end-to-end data flow testing to ensure access privileges and system settings are adequately designed to prevent fraudulent activities, such as:
      • SocGen impact: test password controls at the operating system, application and database layers, with appropriate segregation of duties, proper approval, “need-to-know” privileges, logging and monitoring reviews, and Active Directory access controls.
      • Identify and test whether a roaming profile has been initiated.
      • Security and integrity of data.
  • 7. EUC Controls
    • An independent person reviews and confirms the functionality built into the EUC file on creation and whenever it changes. Functionality for review includes, but is not limited to, programming, formulae, sorting of data, aggregation of data, report creation, and links between spreadsheets and/or other applications.
    • Functional integrity: development life cycle; ownership; change control processes; version control; input control; logical inspection; overall analytics and documentation.
    • Is the licence for the EUC application maintained through enterprise program acquisition?
    • Are there third-party agreements with technology vendors that host technology services for the entity in respect of the EUC application?
    • Is there a technology contract with an outside service provider to perform technology services such as development of code, integration testing and conversion of data?
  • 8. Risk Assessment
    • Impact of an error on the organization: from no or minimal impact, not compromising business decisions, regulatory requirements or corporate reputation, up to an impact that does.
    • Use and sensitivity of the data: either not sensitive, or somewhat sensitive and used only inside the organization, or used inside and outside the organization and containing sensitive data.
    • Complexity of dependencies: a single EUC activity with no linkages or dependencies, or multiple EUC activities with linkages and interdependencies.
    • Functionality: from simple functions to advanced functions (macros, embedded code) and complex code. There may be advanced functions that require a manual to support them and that interact across EUC activities.
    • Number of users updating content or functions.
    • Frequency of use: monthly, weekly or more frequently.
    • Anticipated length of use: from a ‘one-off’ up to a year, or greater than a year or in perpetuity.
    • Development time: from minor or no time pressure to restricted or severe time pressure.
  • 9. Disaster Recovery
    • Disaster recovery (non-BCP): the business engages with technology to ensure continuous service and to assess the adequacy of application and systems recovery. Business requirements and processes provide adequate disaster recovery. Business owners conduct a Business Impact Analysis (BIA) to define the priority/criticality of each application, identify the maximum allowable recovery time (RTO) and acceptable level of data loss (RPO), and provide fail-over criteria for mission-critical applications.
  • 10. Conclusion
    • Every corporation needs to define its own process, tools and mechanisms to ensure that appropriate controls exist wherever end user computing is present, especially where it relates to SOX.
    • Spreadsheets specifically are woven into the management fabric of every organization today. It is important from a CEO/CFO certification standpoint that management understands how spreadsheets are used, to ensure the adequacy of related controls. This plays a critical part in management’s assessment of the effectiveness of its internal control over financial reporting.
    • A good article to read is "France's SocGen hit by $7.1 billion alleged fraud": http://www.marketwatch.com/news/story/rogue-traders-fraud-led-71/story.aspx?guid=%7B1C980919-2F3E-4A28-AAC4-A2FB129BE6E8%7D
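The inventory, change-control and risk-assessment controls from slides 5, 7 and 8 can be operated as a small register: each significant spreadsheet is recorded with its owner and the hash approved by the independent reviewer, unapproved changes are detected by re-hashing the file, and the slide-8 criteria are combined into a score that decides how much review a file gets. This is an added example, not the presentation's own material; the `EucRecord` fields, the weights and the tier thresholds are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class EucRecord:
    """One inventory entry (structure assumed for this example)."""
    name: str
    owner: str
    approved_sha256: str      # hash recorded when an independent reviewer approved the file
    impact: int               # 1 minimal .. 3 compromises decisions, regulation or reputation
    sensitive_external: bool  # sensitive data used outside the organization
    linked: bool              # links to other EUCs or applications
    advanced_functions: bool  # macros or embedded code present
    users: int                # number of users updating content or functions
    uses_per_month: int       # frequency of use
    long_lived: bool          # used for more than a year or in perpetuity
    time_pressure: bool       # restricted or severe development time pressure

def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def check_change_control(record: EucRecord, current: bytes) -> dict:
    """Flag a file whose current hash differs from the reviewer-approved one."""
    current_hash = sha256_hex(current)
    return {"name": record.name, "owner": record.owner,
            "unapproved_change": current_hash != record.approved_sha256}

def risk_score(record: EucRecord) -> int:
    """Additive score over the slide-8 criteria; the weights are this example's assumption."""
    score = record.impact * 3
    score += 2 if record.sensitive_external else 0
    score += 2 if record.linked else 0
    score += 2 if record.advanced_functions else 0
    score += min(record.users, 5)
    score += 2 if record.uses_per_month >= 4 else 1 if record.uses_per_month >= 1 else 0
    score += 1 if record.long_lived else 0
    score += 1 if record.time_pressure else 0
    return score

def risk_tier(record: EucRecord) -> str:
    """Map the score to the review intensity it warrants (thresholds assumed)."""
    score = risk_score(record)
    return "high" if score >= 14 else "medium" if score >= 8 else "low"

# Constructed sample: a month-end reconciliation workbook as the reviewer approved it
APPROVED_CONTENT = b"constructed workbook bytes, version approved by reviewer"
SAMPLE = EucRecord("month_end_recon.xlsx", "fin-ops", sha256_hex(APPROVED_CONTENT),
                   impact=3, sensitive_external=True, linked=True, advanced_functions=True,
                   users=3, uses_per_month=4, long_lived=True, time_pressure=False)
```

A file that scores "high" is the one whose formulae, links and macros warrant the independent review from slide 7 on every change, not only at creation.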