
End User Computing (EUC) Risk:

From Assessment to Audit

George Mallikourtis
CISA, CISM

Efthimis Papanikolaou
CISA, ISMS IA
Agenda
- EUCAs: What, Who, Where
- End User Computing Applications (EUCAs) Exposed
- Assessment of Risks: Theoretical Framework
- Business Cases in the Banking Sector
- Practical steps to audit EUCAs
- Final thoughts
- Q&A
EUCAs : What, Who, Where
What (1/2)
- EUC (End User Computing): any computing activity developed and/or managed outside a recognized formal IT function.
- EUCAs (End User Computing Applications): reporting programs, spreadsheets, databases and programming languages available to end users.
EUCAs : What, Who, Where
What (2/2)
Mainly:
- Spreadsheets (MS Excel, Lotus 123, OpenOffice)
- Local databases (e.g. MS Access)
- Business Intelligence reports (e.g. SQL Server Analysis Services, Hyperion, Crystal Reports, BRIO)
EUCAs : What, Who, Where
Who

A financial analyst can create a spreadsheet to analyze and graph discrepancies between budget and actual performance numbers.
A back office employee uses a reconciliation file (spreadsheet, local database) which compares the trade records within the main trade processing system with those in the general ledger system.
A project manager can develop a small database to track the progress of the project and employee assignments.
EUCAs : What, Who, Where
Where (1/3)
Millions of managers and employees acting as end-user programmers design, build, and use EUCAs every day.
Every major corporation today uses end-user computing to make optimal decisions: projecting the consequences of these decisions for the firm in the form of a financial plan and then comparing future performance against it, as well as for modeling, schedules, consolidations and financial closings.
EUCAs : What, Who, Where
Where (2/3)

- Treasury and Back Office for pricing, valuation, settlement.
- Financial Services Office for reconciliations, financial reporting, analyses, IFRS adjustments.
- Sales for decision making, marketing queries, trend analysis.
- Operations for tracking and monitoring of everyday workflows.
EUCAs : What, Who, Where
Where (3/3)
A Baseline Consulting survey of 250 senior IT managers showed that an average of 32 percent of their companies' corporate data was stored in spreadsheets or databases on employees' computers. These systems are usually not subject to corporations' standard controls, and are in fact usually not even tracked, either by IT departments or by the departments responsible for regulatory compliance.

[Pie chart: End User Computing Applications 32%; IT Controlled Applications 68%]
EUCAs Exposed (1/5)
Token war story

"The ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated."
(From a visit last week)
EUCAs Exposed (2/5)
"The ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated."
(Financial Services Authority, regulator of all providers of financial services in the UK, FSA.gov.uk)

FSA fines Credit Suisse £5.6m (Aug 2008): The booking structure relied upon by the UK operations of Credit Suisse for the CDO trading business was complex and overly reliant on large spreadsheets with multiple entries. This resulted in a lack of transparency and inhibited the effective supervision, risk management and control of the SCG. (eusprig.org)
EUCAs Exposed (3/5)

SEC: Ex-CFO Used Spreadsheets for Fraud

The former CFO of a company that produces electronic databases of archived information from publishers settled charges made by the Securities and Exchange Commission that, with the use of spreadsheet aids, he made fraudulent monthly and quarterly accounting entries for more than five years.
He used "hidden rows" to keep falsities from hard copy and covered up information by placing it in "white font". (CFO.com)
EUCAs Exposed (4/5)

Bernard Lawrence "Bernie" Madoff, the former Chairman of the NASDAQ stock exchange and the admitted operator of the Ponzi scheme, made "the largest investment fraud in Wall Street history".
Madoff or DiPascali would enter trades that never happened, with real prices, into an old IBM AS/400 computer he used for his advisory business and, voilà, he had a track record. Then, using a simple spreadsheet such as Excel, more than 2,300 client accounts were updated automatically, dividing among all the accounts the gains from the "trades" that amounted to "profits" of 1%. (FT.com, Financial Times)
EUCAs Exposed (5/5)
- Excel error leaves Barclays with more Lehman assets than it bargained for. (Computerworld.com)
- A rogue trader costs France's Société Générale €4.9 billion. Kerviel was able to circumvent SG's internal warning systems by opening and manipulating Excel spreadsheet reports used by managers to monitor traders' activities. (Economist.com)
Assessment of Risks – Theoretical
Framework

F1. Inventory EUCAs
- Inventory all EUCAs (spreadsheets, databases etc.) that are used to support significant business processes.
- Identification techniques:
  - Interviews
  - Walkthroughs
  - Tools
F2. Define the Risk Profile (1/4)
Complexity: based on quantitative criteria; defines the operational risk.
Materiality: based mostly on qualitative criteria; defines the possible impact of a potential threat.
- Both complexity and materiality should be redefined according to the business area audited.
F2. Define the Risk Profile (2/4)
Materiality (1)
- Immaterial: No key business decisions are made based on the information. Any risk emerging would be embarrassing to those directly associated with the spreadsheet, but would have no real long-term impact on the business.
- Material: An error or a delay in the preparation of the file may result in significant loss to the business. Information contained in the file is sensitive and employees could exploit this information if they had access to it.
- Critical: An error or a delay in the preparation of the file may result in material loss to the business. Information contained in the file is highly sensitive and inappropriate disclosure may be exploited by markets or competitors or could be in breach of legislation (such as data protection legislation). The data could be used to perpetrate senior management fraud.
F2. Define the Risk Profile (3/4)
Materiality (2)
- Immaterial: A threshold establishing the minimum magnitude necessary for a spreadsheet to be considered material should be established. Any spreadsheet that processes or calculates dollar values or operational quantities less than this threshold should be considered to be of "immaterial magnitude".
- Material: Spreadsheets processing a dollar value or operational quantity above the materiality threshold should be considered to be material.
- Critical: A critical threshold should be established to flag spreadsheets that process an extremely high dollar value or operational quantity.
F2. Define the Risk Profile (4/4)
Complexity
- Assessing EUCA complexity can be based on a number of criteria. For example:
  - Size or scale of an application
  - Formulae design
  - Use of scripts
  - Logical complexity
  - External links
F3. Assess Existing Controls
Control: Definition
EUCA Policy & Control Standards: Define the responsibilities and processes surrounding EUCAs with the aim of placing responsibility for the risks arising, and understanding and reducing these risks through inventory and mitigation processes.
Access Controls: Define and restrict user access, rights and privileges.
Change Controls: Define the process to be followed whenever specific types of changes are performed.
Version Controls: Ensure accurate identification of the current production files.
Development Controls: Control development, testing and approval of new critical EUCAs prior to deployment into production.
Documentation: Require that EUCAs are adequately documented with regard to their use and design.
Input Controls: Employment of data validation to control or restrict input to valid data.
Data Security and Integrity: Balancing input data with totals from data sources.
Output Controls: Use of cross checks and balancing to ensure all input data has been accounted for and reflected in the outputs, and to prevent or highlight potential calculation errors.
Segregation of Duties: Define duties, roles and responsibilities regarding the usage of EUCAs and design changes.
Backup and Archival: EUCAs should be maintained on a secured server that is backed up on a regular basis. Prior versions of critical files should be moved to a secure archive folder to prevent data corruption and ensure they are not accessed or used in error.
F3a. Calculate Risk Exposure

Determine EUCA risk based on Complexity and Criticality (materiality scale on the vertical axis, complexity scale on the horizontal axis):

Materiality \ Complexity    1        2        3        4        5
5                           MEDIUM   MEDIUM   HIGH     HIGH     HIGH
4                           MEDIUM   MEDIUM   MEDIUM   HIGH     HIGH
3                           LOW      LOW      MEDIUM   MEDIUM   MEDIUM
2                           LOW      LOW      LOW      LOW      LOW
1                           LOW      LOW      LOW      LOW      LOW
F3b. Recommend Remediation Actions
- The auditor must communicate the results of the Risk Assessment using illustrative examples.
- The recommendations must focus primarily on policies and standards for EUCAs.
- There should be references to existing frameworks (e.g. Policies and Procedures).
- Depending on the outcome of the Risk Assessment, the examination of some EUCAs on an individual basis may be required.
Business cases in Banking Sector (1/9)
Case 1: Allied Irish Banks Group
by Andrew McGeady, Joseph McGouran
Allied Irish Banks Group is Ireland's leading banking and financial services organization.
- AIBG initiated a project (in co-operation with EUC consultants) in order to address the area of End User Computing (EUC) in AIB Capital Markets.
- The EUC issue came to the fore after the introduction of compliance legislation and the heightened vigilance of auditors.
Business cases in Banking Sector (2/9)
Case 1: Allied Irish Banks Group

- The AIBCM Architecture & Research Team published a strategy document outlining a framework that would provide the necessary control for End User Computing.
Five key stages:
1. Acknowledge the EUC issue
2. Establish a register of critical EUC applications
3. Remediate existing critical EUC applications (each critical application was analysed, remediated by the project team and the owners, and validated)
4. Implement a controlled environment for the housing of such applications (EUC technical tools for auditing, access and version control are recommended)
5. Develop guidelines and templates consistent with the EUC policy for future EUC development
Business cases in Banking Sector (3/9)
Case 1: Allied Irish Banks Group

The project was successfully carried out with the following conclusions:
- The key to avoiding confusion is to ensure that divisions of ownership and responsibility are set out clearly in the organizational EUC policy and procedures.
- Making the effort to talk personally to all involved is of vital importance in ensuring the success of EUC in the organization.
- With appropriate control in place, End User Development can be a valuable asset to the organization, combining in-depth business knowledge with the power of IT to create applications that can complement the existing IT processes.
Business cases in Banking Sector (4/9)
Case 2: Nova Ljubljanjska Bank (NLB)
by J.Hriberšek, B. Werber, J. Zupancic
- NLB is the major bank in Slovenia. The study presents the results of an empirical investigation of EUCAs in the bank, with emphasis on end-user support provided by the Information Centre, the local MIS staff, and informal sources. The goal of the investigation was to identify and evaluate key factors of end-user support.
- The investigation showed that users preferred the informal sources of support over the local MIS staff and the Information Centre.
- Because spreadsheets are the most widespread EUC programming tool in the bank, the users expressed high interest in additional knowledge of the subject. Database development methods ranked the lowest.
Business cases in Banking Sector (5/9)
Case 2: Nova Ljubljanjska Bank (NLB)

Based on the results, the following measures have been suggested:
- Strengthen the role and redefine the function of the Information Centre, so that it will be able to provide quick responses to concrete questions from the users, as a basic precondition for successful development of EUC.
- Develop training focusing on improvement of the quality of EUCA development.
Business cases in Banking Sector (6/9)
Case 3: A mid - sized international bank
by Jamie Chambers and John Hamill

An external audit comment was the primary stimulus for the project at a mid-sized international bank: the auditors remarked that there was a high level of dependency on complex EUCAs (databases and spreadsheets), particularly in the production of financial accounts.
Business cases in Banking Sector (7/9)
Case 3: A mid - sized international bank
by Jamie Chambers and John Hamill

- The project was terminated at an early stage.
- During the course of the project there were some far-reaching executive changes which led to a withdrawal of support for any efforts.
Business cases in Banking Sector (8/9)
Case 3: A mid - sized international bank

CONCLUSIONS
- Even simple spreadsheets can cause large losses in an environment where very large transactions (> €1Bn) are commonplace.
- It was interesting to note that few managers felt responsibility, believing their applications to be well controlled, or unimportant.
- No attempt was made to ensure staff were qualified in the development of EUCAs to a level commensurate with their responsibilities. Managers were grateful when their staff constructed applications to address processing and reporting issues, but had no framework for supporting, controlling, managing or even promoting these activities.
Business cases in Banking Sector (9/9)
Case 3: A mid - sized international bank
by Jamie Chambers and John Hamill
- EUCA risk was poorly understood, and rarely controlled in any way around the Bank. The observations echoed those of Croll [Croll, 2005]: 'there is almost no spreadsheet software quality assurance or appreciation of the software development life cycle as it might relate to spreadsheets'.
- The problem of EUC ownership (and hence budgeting) meant that the project ended prematurely. A standardized approach to the problem, dividing the responsibilities between IT, Operational Risk, and departmental managers, could help organizations both to recognize and to tackle the risk in a coherent way. In addition, C-level management commitment, and Internal Audit and Information Security involvement, are essential.
Auditing EUCAs - Practical Issues
- Define the different EUCAs used by the auditees.
- Decide the method to create your inventory.
- Define the complexity and materiality scales.
Practical issues – EUCAs Categories
- The most common EUCAs are spreadsheet applications.
- End-user databases like MS Access are the new trend since data volumes are increasing rapidly.
- The new users are more and more IT literate and they deploy much more computing power, such as reporting and scripting tools.
Practical issues – Inventory
- It is nearly impossible to make an inventory of all EUCAs.
- Usually the files are scattered across servers, local PCs and optical media.
- The most practical approach is to gather the files belonging to a reporting cycle (e.g. month, quarter, semester) for each significant business process.
Practical issues – Complexity (1/5)
- The criteria to characterize an EUCA as complex may vary according to its type, purpose and processing frequency.
- The most frequent EUCAs are spreadsheet applications.
- For spreadsheet applications there are a lot of proposed sets of complexity criteria.
Practical issues – Complexity (2/5)
A proposed set of complexity criteria for local databases:
- Number of Tables
- Number of Queries
- Number of Forms
- Number of Modules
Practical issues – Complexity (3/5)
Criteria            Operator   Value   Score
Number of Tables    >          5       5
Number of Tables    >          10      5
Number of Tables    >          15      5
Number of Queries   >          5       5
Number of Queries   >          10      5
Number of Queries   >          15      5
Number of Forms     >          5       5
Number of Forms     >          10      5
Number of Forms     >          15      5
Number of Modules   >          0       10
Number of Modules   >          5       10
Number of Modules   >          10      10

Complexity Definition:
Low: <= 10
Medium: <= 20
High: > 20
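The following Python script is an added worked example, not code from the presentation: it applies the local-database scoring table above to an inventory of databases, grades each one with the Low/Medium/High definition, and then combines that grade with a materiality grade through the 5x5 risk matrix of step F3a. Two points are assumptions rather than statements of the slides: the per-criterion scores are treated as cumulative (a database with 12 tables earns both the "> 5" and the "> 10" points), and the Low/Medium/High grades and the immaterial/material/critical thresholds are placed at 1/3/5 on the matrix axes. The inventory entries, the thresholds and the amounts are constructed sample values.

```python
"""Added example (not from the presentation): score a local database's complexity
with the criteria table on the slide, grade it Low/Medium/High, and map that
together with a materiality grade onto the F3a risk matrix.
Assumed, not stated on the slides: scores are cumulative, and Low/Medium/High
(and immaterial/material/critical) sit at 1/3/5 on the matrix axes."""

# Criteria table from the slide: (criterion, threshold, score). A database earns
# the points of every row whose threshold it exceeds.
COMPLEXITY_CRITERIA = [
    ("tables", 5, 5), ("tables", 10, 5), ("tables", 15, 5),
    ("queries", 5, 5), ("queries", 10, 5), ("queries", 15, 5),
    ("forms", 5, 5), ("forms", 10, 5), ("forms", 15, 5),
    ("modules", 0, 10), ("modules", 5, 10), ("modules", 10, 10),
]

# F3a risk matrix, indexed [materiality 1..5][complexity 1..5].
RISK_MATRIX = {
    5: ["MEDIUM", "MEDIUM", "HIGH", "HIGH", "HIGH"],
    4: ["MEDIUM", "MEDIUM", "MEDIUM", "HIGH", "HIGH"],
    3: ["LOW", "LOW", "MEDIUM", "MEDIUM", "MEDIUM"],
    2: ["LOW", "LOW", "LOW", "LOW", "LOW"],
    1: ["LOW", "LOW", "LOW", "LOW", "LOW"],
}

# Assumed placement of the deck's three complexity grades on the 1..5 axis.
COMPLEXITY_AXIS = {"Low": 1, "Medium": 3, "High": 5}


def complexity_score(counts):
    """Sum the points of every criterion row the database exceeds.
    counts: dict with keys tables, queries, forms, modules (missing = 0)."""
    return sum(score for crit, threshold, score in COMPLEXITY_CRITERIA
               if counts.get(crit, 0) > threshold)


def complexity_grade(score):
    """Complexity definition from the slide: Low <= 10, Medium <= 20, High > 20."""
    if score <= 10:
        return "Low"
    if score <= 20:
        return "Medium"
    return "High"


def materiality_grade(amount, material_threshold, critical_threshold):
    """Materiality thresholds (F2) placed on the 1..5 axis; the 1/3/5 placement is
    an assumption: immaterial -> 1, material -> 3, critical -> 5."""
    if amount >= critical_threshold:
        return 5
    if amount >= material_threshold:
        return 3
    return 1


def risk_exposure(counts, amount, material_threshold, critical_threshold):
    """Combine the complexity and materiality grades through the risk matrix."""
    grade = complexity_grade(complexity_score(counts))
    mat = materiality_grade(amount, material_threshold, critical_threshold)
    return RISK_MATRIX[mat][COMPLEXITY_AXIS[grade] - 1]


if __name__ == "__main__":
    # Constructed sample inventory: file name, object counts, amount processed per cycle.
    inventory = [
        ("recon.mdb", {"tables": 12, "queries": 7, "forms": 3, "modules": 2}, 2_500_000),
        ("holidays.mdb", {"tables": 3, "queries": 2, "forms": 1, "modules": 0}, 0),
        ("limits.mdb", {"tables": 6, "queries": 6, "forms": 6, "modules": 0}, 900_000_000),
    ]
    material_at, critical_at = 1_000_000, 100_000_000   # constructed thresholds
    for name, counts, amount in inventory:
        score = complexity_score(counts)
        print(f"{name:14} score={score:3} {complexity_grade(score):7}"
              f" risk={risk_exposure(counts, amount, material_at, critical_at)}")
```

With these inputs recon.mdb scores 25 (High) but is only material, so it lands on MEDIUM; limits.mdb scores 15 (Medium) yet processes a critical amount and lands on HIGH, which is the point of the matrix: materiality, not object counts alone, drives the exposure.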
Practical issues – Complexity (4/5)
A comprehensive proposed set of complexity criteria for spreadsheets:
- Sheets
- Formulas
- Formulas with Errors
- Array Formulas
- Nested Ifs
- Max Nested If Level
- External Links
- Macros
- Pivot Tables
- Named Items
- Invisible Cells (text and background are the same color)
- Hidden Rows and Columns
- Hidden Sheets
- Very Hidden Sheets (sheet made invisible through use of VBA code)
- Password Protected
- Workbook Size
Practical issues – Complexity (5/5)
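The scanner below is an added example, not a tool from the presentation or from any of the referenced authors: it reads a modern .xlsx file (a ZIP archive of XML parts) with only the Python standard library and measures most of the spreadsheet complexity criteria listed above: sheet counts including hidden and very hidden sheets, formulas, array formulas, formulas whose cached value is an error, the maximum nested-IF level, hidden rows and columns, external links, macros, pivot tables, named items and workbook size. The file-level readings of the criteria are assumptions (for example, "macros" is taken to mean that an xl/vbaProject.bin part exists, and "external links" counts xl/externalLinks/ parts), and the workbook it scans is constructed in-line so that it runs offline. Invisible cells and password protection are not measured here; the former needs style information and the latter is not a workbook part.

```python
"""Added example (not from the presentation): measure spreadsheet complexity
criteria straight from an .xlsx file, which is a ZIP of XML parts.
The file-level readings of each criterion are assumptions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}


def max_nested_if_level(formula):
    """Depth of IF( nesting: IF(a,IF(b,1,2),3) -> 2. SUMIF(/COUNTIF( do not count."""
    depth = best = 0
    stack = []                                  # per open paren: was it opened by IF( ?
    for tok in re.findall(r"(?i)\bIF\(|[()]", formula):
        if tok == ")":
            if stack and stack.pop():
                depth -= 1
        elif tok == "(":
            stack.append(False)
        else:                                   # an 'IF(' token
            stack.append(True)
            depth += 1
            best = max(best, depth)
    return best


def scan_workbook(data):
    """Return a dict of complexity metrics for an .xlsx given as bytes."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = set(z.namelist())
    m = dict.fromkeys(("sheets", "hidden_sheets", "very_hidden_sheets", "formulas",
                       "formulas_with_errors", "array_formulas",
                       "max_nested_if_level", "hidden_rows", "hidden_columns"), 0)
    m["macros"] = "xl/vbaProject.bin" in names            # assumed reading of 'Macros'
    m["pivot_tables"] = sum(n.startswith("xl/pivotTables/") for n in names)
    m["external_links"] = sum(n.startswith("xl/externalLinks/") for n in names)
    m["workbook_size"] = len(data)
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    for sheet in wb.findall("m:sheets/m:sheet", NS):
        m["sheets"] += 1
        state = sheet.get("state", "visible")              # visible | hidden | veryHidden
        m["hidden_sheets"] += state == "hidden"
        m["very_hidden_sheets"] += state == "veryHidden"
    m["named_items"] = len(wb.findall("m:definedNames/m:definedName", NS))
    for name in sorted(n for n in names if n.startswith("xl/worksheets/sheet")):
        ws = ET.fromstring(z.read(name))
        m["hidden_columns"] += sum(c.get("hidden") in ("1", "true")
                                   for c in ws.findall("m:cols/m:col", NS))
        for row in ws.findall("m:sheetData/m:row", NS):
            m["hidden_rows"] += row.get("hidden") in ("1", "true")
            for cell in row.findall("m:c", NS):
                f = cell.find("m:f", NS)
                if f is None:
                    continue
                m["formulas"] += 1
                m["array_formulas"] += f.get("t") == "array"
                m["formulas_with_errors"] += cell.get("t") == "e"   # cached value is an error
                m["max_nested_if_level"] = max(m["max_nested_if_level"],
                                               max_nested_if_level(f.text or ""))
    return m


EMPTY_SHEET = f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>'


def build_sample_workbook():
    """Constructed sample: three sheets (one hidden, one very hidden), a hidden row
    and column, a nested IF, an array formula, an error cell, a macro part and an
    external-link part. Only the parts the scanner reads are written."""
    workbook = (f'<workbook xmlns="{MAIN}" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<sheets><sheet name="Data" sheetId="1" r:id="rId1"/>'
                '<sheet name="Working" sheetId="2" state="hidden" r:id="rId2"/>'
                '<sheet name="Adjust" sheetId="3" state="veryHidden" r:id="rId3"/></sheets>'
                '<definedNames><definedName name="Rate">Data!$B$1</definedName></definedNames>'
                '</workbook>')
    sheet1 = (f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="3" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1"><f>IF(B1&gt;0,IF(C1&gt;0,1,2),3)</f><v>1</v></c>'
              '<c r="B1"><f t="array" ref="B1">SUM(A1:A3*2)</f><v>0</v></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="e"><f>A1/0</f><v>#DIV/0!</v></c></row>'
              '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", EMPTY_SHEET)
        z.writestr("xl/worksheets/sheet3.xml", EMPTY_SHEET)
        z.writestr("xl/vbaProject.bin", b"")               # presence alone flags macros
        z.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_workbook(build_sample_workbook()).items():
        print(f"{key:22} {value}")
```

Run against a real inventory, the metrics dict is what an auditor would feed into a scoring table like the local-database one on the earlier slide; the very hidden sheet, hidden row and hidden column counts are the ones worth reviewing first, since the "hidden rows" and "white font" techniques in the SEC case above are exactly what they surface.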
Practical issues – Materiality (1/3)
- Materiality is always subjective and challengeable by the auditees.
- Sometimes, collaborating with the auditees prior to the risk assessment may prove useful for defining materiality thresholds.
- Even EUCAs graded as immaterial should get attention (otherwise what's the point of having them).
Practical issues – Materiality(2/3)
A proposed set of materiality criteria:
- Field Value (>, <, contains a string, or =)
- Object Name (e.g. Table, Sheet, Query)
- File Name
- File Path
- External Link
- Built-in Document Property
Practical issues – Materiality (3/3)

Practical issues – Overall Risk
Final thoughts
Summarizing,
- There are ongoing studies about defining appropriate and objective complexity and materiality criteria.
- EUCAs are NOT only spreadsheets. More EUCAs will come forth as users get more IT literate.
Reference
1. FSA – Buckner, User computing in financial regulation
2. Hoye, Perry, Enterprise spreadsheets: Best practices for Risk Mitigation & Control
3. McGeady, McGouran, End User Computing in AIB Capital Markets: A Management Summary
4. Jamie Chambers, John Hamill, Controlling End User Computing Applications - a case study
5. Hriberšek, Werber, Zupancic, End-User Computing in Banking Industry: A case of a large Slovenian Bank
6. O'Beirne, Auditing Spreadsheets: Motivations & Methodology
7. Struthers-Kennedy / Protiviti, Excel at managing spreadsheet risk
8. Cooper, Wilson, The hidden risk of End User Computing
9. PWC, The use of spreadsheets: Considerations for Section 404 of the SOX Act
10. Gallegos, Senft, Information Technology Control and Audit
11. Protiviti, Spreadsheets: friend or foe?
12. Perry, Automating Spreadsheet Discovery and Risk Assessment
13. Panko, Revising the Panko-Halverson Taxonomy of Spreadsheet Risks
14. Powell, Baker, Lawson, Errors in Operational Spreadsheets: A Review of the State of the Art
15. Panko, Port, The Dark Matter of Corporate IT
16. Burdick, Improving Spreadsheet Audits in Six Steps
17. Powell, Baker, Lawson, An auditing protocol for spreadsheet models
18. ITGI, IT Control Objectives for Sarbanes-Oxley
Final thoughts
Summarizing,
- EUC can either be performed in a controlled manner, serving to advance organizational goals, or "in the dark", serving only to add to the level of risk carried by the organization.
Final thoughts
Summarizing,
- To efficiently mitigate EUC risk within an organization, there is an EUC Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and adoption of new technology.
- The key to avoiding confusion when applying EUC policies is to ensure that ownership and responsibility are logical and are set out clearly.
Final thoughts
EUC Risk Continuum

Final thoughts
- The auditor's role in controlling EUC will evolve along with the maturity of the organization.
Thank You
Thank you very much for your participation.
Keep in touch,

George Mallikourtis, CISA, CISM
gmallikourtis@alpha.gr
Efthimis Papanikolaou, CISA, ISMS IA
e.papanikolaou@alpha.gr
Q&A
