
GTAG-14 Auditing User-Developed Applications

Presentation on theme: "GTAG-14 Auditing User-Developed Applications"— Presentation transcript:

1 GTAG-14 Auditing User-Developed Applications
Tim Fawcett, CISA, CISSP
September 13, 2012
MANAGING RISK. IMPROVING PERFORMANCE.

2 UDAs in the News Groupon – March 2012
Groupon’s stock plunged 14% as its first-as-a-public-company 10-K filing with the Securities and Exchange Commission revealed that its auditor, Ernst & Young, found “a material weakness in its internal controls over its financial statement close process,” raising questions in some quarters as to why these weaknesses were not identified earlier. The weaknesses identified in the 10-K included “a number of manual post-close adjustments” (that is, a lack of adequately automated financial reporting leading to a welter of difficult-to-consolidate spreadsheets), and a failure to maintain both “effective controls to provide reasonable assurance that accounts were complete and accurate” and measures to ensure that account reconciliations “were properly performed, reviewed and approved.”
Management Accounting | April 02, 2012 | CFO.com | US - David Rosenbaum

3 UDAs in the News Biovail
Herpes Drug-Cost Errors Spur Restatement
Biovail Corp. has restated its 2005 and 2006 earnings upward because of an understatement stemming from a data error in tracking discounts in purchases of a drug, according to the company. The revisions boosted earnings for those years by $10.2 million and $7.7 million, respectively. As part of the restatement process, Biovail found that the data-input errors and the amortization calculation represented a material weakness. The company also concluded that the failure of later efforts of local management to find those errors in a timely way also represented a material weakness. To address the material weaknesses, management is installing measures to fix the control deficiency where the amortization error happened, … The measures include strengthening internal controls around the development and usage of spreadsheets and the review and analysis of those spreadsheets by local management. They also include mulling the automation of the spreadsheet-based data within the company's enterprise-resource-planning system.
Biovail found a miscue in a schedule used to track quantities of Zovirax that the company can buy at discount. The miscue was in a schedule used to track quantities of Zovirax products that the company can buy at reduced supply prices from its marketing partner GlaxoSmithKline. The schedule is also used to calculate long-term assets being amortized to cost of goods sold relative to the amount of Zovirax that can be bought at the reduced prices. As a result of the error, Biovail has restated the cost of goods sold in its income statement for the three months ended March 31, 2006 to adjust for an overstatement of amortization expense. As a result of the restatement, it must correct other known errors in prior-year periods that were previously thought to be immaterial, two such cases— one involving foreign exchange, the other related to the blood-pressure drug Cardizem LA.
Stephen Taub - CFO.com | US | May 10, 2007

4 UDAs in the News: Kodak
Excerpt taken from the EK 10-Q filed Dec 12, 2005 (Severance):
In reconciling the general ledger balance sheet account for severance as of September 30, 2005 relating to one of the Company’s plant closings in the United Kingdom under its ongoing restructuring program, the Company discovered that a spreadsheet error caused it to overstate a severance accrual as of and for the quarter ended June 30, 2005 by $11 million (net of tax). The Company performed a root cause analysis to understand the control deficiency, which revealed that the error was primarily the result of a failure in the operation of, not the design of, the existing preventive and detective controls surrounding the preparation and review of spreadsheets that include new or changed formulas. This deficiency resulted from a failure to follow established policies and procedures partially due to changes in personnel. The Company has concluded that this deficiency constitutes a “material weakness” as defined by the Public Company Accounting Oversight Board’s Auditing Standard No. 2. This material weakness resulted in an adjustment that was included in the restatement of the Company’s consolidated financial statements as of and for the quarter ended June 30, 2005. Additionally, if the material weakness is not corrected, it could result in a material misstatement of other financial statement accounts that utilize spreadsheets that would result in a material misstatement to annual or interim financial statements that might not be prevented or detected.

5 Spreadsheet-based revenue recognition
UDAs in the News
A survey in 2006 of 685 senior financial executives from a broad range of companies revealed that revenue recognition and reporting activities are not automated within Financial/ERP systems. As a result, 92% of public companies are forced to rely on spreadsheets to fill vital gaps in their revenue reporting processes—despite the fact that spreadsheets are prone to errors, lack audit capabilities, and resist internal controls. This, and other findings, is from a new report by and IDC, “Enterprise Systems and Revenue Recognition: The Missing Link”.
Spreadsheet-based revenue recognition and reporting tasks (multiple responses accepted, n=685):
1. Creating accounting entries – 52%
2. Creating revenue recognition schedules for future periods – 47%
3. Reporting on future revenue streams
4. Applying revenue allocation rules – 43%
5. Performing revenue contribution analysis – 42%
6. Redistributing revenue (e.g. SOP 97-2, EITF 00-21) – 35%
7. Reviewing sales orders for deferred revenue – 27%
8. Do not use spreadsheets for any of these activities – 8%
Source: and IDC (International Data Corporation), 2006

6 Overview
What is a UDA?
Benefits and Risks
Internal Audit’s Role
Scoping an Internal Audit of UDAs
Best Practices for Frameworks of Controls over UDAs
MS Office/Excel Control Examples

7 Defining User-Developed Applications (UDA)
Defining what constitutes a key UDA is critical to developing the internal audit scope. Because every newly created spreadsheet or database does not constitute a UDA, management must determine and define what constitutes a key UDA. For purposes of this GTAG, UDAs are any applications that are not managed and developed in a traditional IT environment and under a formal development process. Spreadsheets used on an ad hoc basis — to provide lists of information or to quantitatively illustrate data available elsewhere — usually are not considered UDAs. A UDA is key if at least one of the following criteria is met:
• The UDA is used to initiate, accumulate, record, report, or monitor material financial reporting-related transactions and key operational management reports and/or meet regulatory compliance requirements.
• The UDA’s use is inherent in performing key financial and/or operational control processes (e.g., account reconciliations and key performance indicator reports), so that if the spreadsheet or data were lost or corrupted, the loss would impact the control’s effectiveness.

8 Defining User-Developed Applications (UDA)
Examples of UDAs:
• Spreadsheets
• Access Databases
• Crystal Reports
• Other Databases
• Scripts (SQL Scripts)
• ACL
• Web Apps
• Executable Apps
• Easytrieve

9 Defining User-Developed Applications (UDA)
“If the normal operation of the manual portion of the control is sufficient to detect an error in the automated portion (e.g., the computer report), then the control can be considered entirely manual since no reliance is being placed on the computer application. For example, a bank reconciliation might use a report from the general ledger system of cash transactions; if the report was incorrect or incomplete, it would be detected by the bank reconciliation process.” Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, Page 34

10 Benefits of User-developed Applications
Almost every organization uses some form of UDA because they are:
• Quicker to develop and use. It may take several weeks and likely be expensive for IT personnel, who are following a rigorous system development and change management life cycle process, to create or modify a report that extracts information from a system in the format that a manager needs. That same manager often can extract and format the information within hours by using tools and utilities available to end users.
• Readily available tools at a lower cost. Commonly available tools, such as spreadsheets, offer users a way to automate business logic without going through a lengthy and costly software selection and/or system development and implementation process.
• Configurable and flexible. Compared to traditionally managed IT applications, users have much greater flexibility to configure UDAs to fulfill business needs. For example, information in spreadsheets can easily be sorted and reformatted to allow additional analysis by users unfamiliar with structured programming languages and application development methodologies.

11 Risks Associated With User-developed Applications
Control breakdowns within UDAs are often traced to:
• Lack of structured development processes and change management controls. Lack of structure and controls around the development of and/or change to UDAs can lead to inaccurate calculations and data output.
• Data download issues. Lack of controls around the downloading of data from IT-developed or supported applications into the UDA can lead to use of inaccurate information. Similar issues also may occur for applications that rely on UDA output.
• Increasing complexity. UDAs commonly become more complex over time than originally intended. Without adequate design or architecture, errors can occur in data manipulation and/or the resulting output.
• Lack of developer experience. UDA development by individuals who are unfamiliar with a particular application’s functionality may cause them to use inefficient or ineffective development practices. For example, in designing a formula in a spreadsheet application, the developer of the UDA may “hard code” a particular number in a calculation rather than referencing the number from a field in the spreadsheet or using built-in application functionality.
• Lack of version controls. UDAs may be updated by many individuals, leading to various errors resulting from changes or corrections being deleted when older files overwrite a newer version.
• Lack of documentation. Lack of formal documentation of UDA design and functionality creates an environment that can lead to inaccurate information being input, processed, and eventually reported or used elsewhere. In addition, the lack of documentation makes it difficult to support and/or transition the use of the UDA to another employee or department.
• Lack of support. UDAs may be developed by an employee using a technology unfamiliar to others in the organization, which can create future support issues.
• Limited input and output controls. Lack of appropriate input and output controls, such as completeness checks, validity edits, and balancing routines, may result in data errors.
• Lack of formal testing. Failure to properly test a UDA’s completeness and accuracy can lead to undetected errors.
• Hidden data columns or worksheets. UDAs may contain hidden data columns and worksheets that go undetected and untested.
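Two of the risks above (hard-coded numbers in formulas, and hidden columns or worksheets) can be tested for mechanically. The following Python script is an added example, not part of the presentation or of GTAG-14: it reads an .xlsx file as the zip-of-XML package it is, so it needs no Excel and no third-party library, and it inspects a constructed sample workbook built inside the script (sheet names, values and the 7% uplift are invented for the demonstration).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside an .xlsx package (Office Open XML).
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

# A number typed into a formula, as opposed to the digits of a cell
# reference (B2, $B$12, A1:A10): the character before it must not be a
# letter, a '$', a digit or a '.'. Every hit is a review item, not an error.
LITERAL = re.compile(r"(?<![A-Za-z$\d.])\d+(?:\.\d+)?")


def col_letter(n):
    """1-based column index to Excel column letters (1 -> A, 27 -> AA)."""
    letters = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def audit_workbook(xlsx_bytes):
    """Inspect the XML parts of a workbook and return three finding lists:
    hidden worksheets, hidden column ranges, and literals in formulas."""
    findings = {"hidden_sheets": [], "hidden_columns": [], "hardcoded_literals": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        # Relationship ids map each <sheet> entry to its worksheet part.
        rels = ET.fromstring(pkg.read("xl/_rels/workbook.xml.rels"))
        part_for = {}
        for rel in rels.iter(f"{{{PKG}}}Relationship"):
            target = rel.get("Target")
            part_for[rel.get("Id")] = target.lstrip("/") if target.startswith("/") else "xl/" + target
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings["hidden_sheets"].append((name, state))
            ws = ET.fromstring(pkg.read(part_for[sheet.get(f"{{{RELS}}}id")]))
            # <col min=".." max=".." hidden="1"/> describes a hidden column range.
            for col in ws.iter(f"{{{MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    lo, hi = int(col.get("min")), int(col.get("max"))
                    span = col_letter(lo) if lo == hi else f"{col_letter(lo)}:{col_letter(hi)}"
                    findings["hidden_columns"].append((name, span))
            # <c r="B2"><f>A2*1.07</f></c>: the <f> child holds the formula text.
            for cell in ws.iter(f"{{{MAIN}}}c"):
                formula = cell.find(f"{{{MAIN}}}f")
                if formula is not None and formula.text:
                    for literal in LITERAL.findall(formula.text):
                        findings["hardcoded_literals"].append((name, cell.get("r"), literal))
    return findings


def build_sample_workbook():
    """Constructed sample, not a real file: a visible 'Revenue' sheet with a
    hidden column C and a 7% uplift typed straight into a formula, plus a
    hidden 'Rates' sheet. Only the parts the audit reads are written
    ([Content_Types].xml and relationship Type attributes are omitted)."""
    ns = f'xmlns="{MAIN}" xmlns:r="{RELS}"'
    parts = {
        "xl/workbook.xml": (
            f"<workbook {ns}><sheets>"
            '<sheet name="Revenue" sheetId="1" r:id="rId1"/>'
            '<sheet name="Rates" sheetId="2" state="hidden" r:id="rId2"/>'
            "</sheets></workbook>"
        ),
        "xl/_rels/workbook.xml.rels": (
            f'<Relationships xmlns="{PKG}">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/>'
            "</Relationships>"
        ),
        "xl/worksheets/sheet1.xml": (
            f"<worksheet {ns}>"
            '<cols><col min="3" max="3" width="9" hidden="1"/></cols>'
            '<sheetData><row r="2"><c r="A2"><v>1000</v></c>'
            '<c r="B2"><f>A2*1.07</f><v>1070</v></c>'
            '<c r="C2"><f>B2-Rates!B2</f><v>5</v></c></row></sheetData>'
            "</worksheet>"
        ),
        "xl/worksheets/sheet2.xml": (
            f'<worksheet {ns}><sheetData><row r="1">'
            '<c r="B1"><f>SUM(A1:A10)</f><v>0</v></c></row></sheetData>'
            "</worksheet>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for part_name, xml in parts.items():
            pkg.writestr(part_name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, items in audit_workbook(build_sample_workbook()).items():
        print(kind, items)
```

Run against the sample, the script reports the hidden Rates sheet, the hidden column C on Revenue, and the literal 1.07 in Revenue!B2; pointing `audit_workbook` at the bytes of a real workbook from the UDA inventory gives the auditor the same three lists to walk through with the spreadsheet owner.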

12 Internal Audit’s Role
Global Technology Audit Guide (GTAG®) 14: Auditing User-developed Applications
GTAG-14 provides direction on how to scope an internal audit of UDAs. More specifically, it focuses the auditor on:
• Identifying the availability of an existing UDA control framework that includes policies, procedures, UDA inventories, and a risk-ranking methodology that can be relied on for scoping purposes.
• Using the existing UDA control framework components to scope the UDA population to be included in the audit.
GTAG-14 also provides guidance on how the internal auditor’s role as a consultant can be leveraged to assist management with developing an effective UDA control framework, including:
• Identifying the UDA population by using different discovery techniques.
• Assessing and ranking the risks associated with each UDA based on the potential impact and likelihood of risk occurrence.

13 Internal Audit’s Role: GTAG-14 Summary
The use of UDAs can contribute to or detract from an organization’s control environment. Professional judgment must be applied as to what constitutes “key” when auditing UDAs. Ideally, the organization has established an enterprise definition that can be used; however, if such a definition is absent, a systematic approach must be used to determine the extent of risk to the organization and, more importantly, the level of risk that the organization is willing to accept. As one considers the extent of the audit program provided here, he or she will undoubtedly notice that many of the same considerations apply when evaluating UDAs as when auditing complex systems. UDAs can disrupt (or corrupt) downstream processes, and a thorough review often is required to understand this impact. In addition, if upstream controls are weak, then UDA controls may not make much difference.

14 Scoping an Internal Audit or UDA Program
An internal auditor, whether auditing a UDA program or providing guidance to users on the development of a UDA program, must:
• Define what constitutes a key UDA, and
• Determine the population of UDAs for audit, or for inclusion in the UDA program, by:
  – Defining risk factors
  – Risk ranking

15 Scoping an Internal Audit or UDA Program
Define what constitutes a key UDA
3.1. Defining What Constitutes a Key User-developed Application
Defining what constitutes a key UDA is critical to developing the internal audit scope. Because every newly created spreadsheet or database does not constitute a UDA, management must determine and define what constitutes a key UDA. As a reminder, for purposes of this GTAG, UDAs are any applications that are not managed and developed in a traditional IT environment and under a formal development process. Spreadsheets used on an ad hoc basis — to provide lists of information or to quantitatively illustrate data available elsewhere — usually are not considered UDAs. A UDA is key if at least one of the following criteria is met:
• The UDA is used to initiate, accumulate, record, report, or monitor material financial reporting-related transactions and key operational management reports and/or meet regulatory compliance requirements.
• The UDA’s use is inherent in performing key financial and/or operational control processes (e.g., account reconciliations and key performance indicator reports), so that if the spreadsheet or data were lost or corrupted, the loss would impact the control’s effectiveness.

16 Scoping an Internal Audit or UDA Program
Determine the population of UDAs for audit
3.2. Determining and Defining the User-developed Application Population
Management may call for a review of specific, known UDAs (e.g., those that support journal entries) or it may require the identification of all steps and tools used to support business processes. In either case, if management does not maintain a consolidated list of UDA applications, the auditor may, in the role of consultant, guide management on how to identify and inventory UDAs by evaluating business process documentation such as business process flows and procedural narratives. Other techniques that management may consider for identifying the UDA population include:
• The use of a search capability to identify spreadsheet and database file tags within all or specific file directories related to a business process.
• Use of purchased software tools to detect UDA populations. (See section 4.1 for UDA discovery tool attributes and capabilities.)
• Review of reports identifying manual journal entries, which likely are supported by a UDA.

17 Scoping an Internal Audit or UDA Program
Defining Risk Factors
When developing a UDA control framework, the process typically begins by interviewing key management and staff members. This is required to gain a complete understanding of who uses UDAs and how they are used as part of business processes, reporting functions, compliance programs, or the control structure. Establishing materiality guidelines will be critical during the risk assessment phase described later in this section. Assessing the UDA risk that is relevant to the organization’s overall operational, financial, and compliance objectives presents the internal auditor with a considerable challenge. Using spreadsheets or other UDAs for accumulating and calculating critical operational and material financial information can present significant risk to the organization, including:
• Data integrity issues.
• Errors made during input, processing, and output, including interfaces and reports.
• Errors or intentional manipulation due to unsecured files or unmanaged change.

18 Scoping an Internal Audit or UDA Program
Risk Ranking
IMPACT
At a minimum, the risk factors for identifying the impact of a failure in a UDA should include:
• Financial, operational, and regulatory compliance materiality of the UDA.
• Expected life and frequency of use of the application.
• Number of users of both the application and the results.
Additional risk criteria for determining impact may include:
• The number of business processes reliant on the UDA.
• The number of controls supported by the UDA.
• Alternative or independent sources of data and/or controls in place that would detect a UDA control failure.
• Alternative controls or data sources that would detect a UDA error or integrity issue.
• Sensitive information, such as PII, contained in the UDA.
LIKELIHOOD
At a minimum, the risk factors for identifying the likelihood of a failure in a UDA should include:
• Complexity of obtaining inputs and generating desired outputs.
• Frequency of modification to the UDA.
Additional risk criteria for determining likelihood may include:
• Relationship to other systems and their outputs (e.g., spreadsheets that produce outputs that are easily verified against other reliable data).
• Guidelines established and used during the design of input and output controls (e.g., the data input area does not contain formulas, or input data is in the same order as the source data).
• Logic guidelines established and followed during development of the UDA and when changes are made to existing UDAs (e.g., use of formulas that foot and cross-foot data, locking and protecting cells, placement of critical values in separate cells, etc.).
• Guidelines established and followed for testing and approvals of newly developed UDAs and modifications to existing UDAs.
• Prior control failures associated with the reliance on UDAs.
• Access guidelines established and followed that control access to UDAs (e.g., storage limited to appropriate users).
• Knowledge of the staff responsible for creating and maintaining the UDA.
• Use of version control.
• Use of monitoring controls.

19 Scoping an Internal Audit or UDA Program
Example of Impact Risk Ranking Criteria 1. Financial Materiality. Financial statement impact is defined by the sum of the financial transactions or reporting supported by the UDA over the course of the quarter, net of any reversals of prior quarter entries. An example of material financial risk ranking is:

20 Scoping an Internal Audit or UDA Program
Operational Materiality. Operational impact is defined by the sum of the decision management supported by the UDA.

21 Scoping an Internal Audit or UDA Program
Compliance Materiality. Compliance impact is defined by the potential of a significant penalty or damaging disclosure occurring as a result of an error by the UDAs used to support the compliance program.

22 Scoping an Internal Audit or UDA Program
3.4. Risk Ranking The next step in preparing the risk assessment involves the review and risk ranking by impact and likelihood of each UDA using the inventory and risk criteria established in the previous section. Based on the assessment of these criteria, overall risk rating for each UDA may be determined by using the following impact and likelihood scales.

23 Scoping an Internal Audit or UDA Program
The assessment of the likelihood criteria determines the overall risk rating for each UDA.

24 Scoping an Internal Audit or UDA Program
The overall risk rating is then developed for the UDA based on the impact and the likelihood that a highly impacting error could occur. A composite score that may be used is the impact scale multiplied by the likelihood scale. Following are some recommended sample guidelines:

25 Scoping an Internal Audit or UDA Program
The following example shows the results of a risk assessment using the minimum risk factors described in the previous section. This template would be altered depending on the relevant risk factors for the organization under review.

26 Scoping an Internal Audit or UDA Program
High Level Approach to Risk Ranking Another approach to consider evaluates risk at a much higher level. As with the previous approach, the UDA population is identified by business processes. This approach identifies the risk, mitigating controls, and residual risk with recommended inclusion or exclusion from the population.

28 Audit Areas
A. System Security and Access
B. Audit Trails
C. Inputs, Edits, and Interfaces
D. Data Processing and Data Integrity
E. Reports and Output
F. Retention
G. Backup and Recovery
H. Change Management

29 Audit Areas: A. System Security and Access
1. Identify in-scope UDAs and related data and determine the file names, directories, datasets, and/or databases where the UDAs and data reside. Consider:
   • UDA source and executable files.
   • Data files related to both input and output.
   • Audit trail logs.
   • PII contained in data.
2. Obtain the access rights to in-scope UDAs and related data and evaluate the appropriateness of such access. Consider:
   • System administrators.
   • Security administrators.
   • Shared/default user accounts.
   • View access to PII.
3. Verify that user authentication controls to the systems containing the UDAs and data appropriately restrict unauthorized access. Consider:
   • Password parameter settings (e.g., length, complexity, history, expiration period).
   • Account lockout after a set number of unsuccessful attempts.
   • Session terminated after a period of inactivity.
   • Two-factor authentication used during remote access.
4. Determine whether there are other ways to access the UDA or the data and evaluate the controls over the access.
5. Verify whether access is periodically reviewed. Consider:
   • Annual reviews.
   • Documented reviews and approvals.
   • Corrective actions taken on a timely basis.

30 Audit Areas: B. Audit Trails
1. Identify whether audit trails exist and where they reside.
2. Determine the appropriateness of the audit trail. Consider:
   • Audit trails are automatically produced by the application.
   • Audit trails cannot be turned off.
   • Information captured by the audit trail is appropriate.
3. Verify that users with the ability to change or delete audit trail programs and logs are not the users of the UDA and/or data.
4. Verify that the audit trails are periodically reviewed and retained for an appropriate period of time.

31 Audit Areas: C. Inputs, Edits, and Interfaces
1. Identify the source and type of input data.
2. Verify that controls over critical file inputs are appropriate. Consider:
   • Data validation rules.
   • Edits are consistent regardless of source.
   • Record/item counts and balances ensure completeness.
3. Verify whether error notifications or reports are produced and corrective actions have been taken. Consider:
   • Control totals are reconciled to ensure completeness.
   • Erroneous input files can be backed out and rerun.

32 Audit Areas Data Processing and Data Integrity
1. Determine whether the system-produced records are overridden manually on a routine basis to fix processing errors. Consider:
• Repetitive break fixes due to the same cause.
• Corrective actions to fix application code defects.
2. Determine whether data manipulation tools are used to correct processing errors. Consider:
• Utilities that can overwrite records.
• SQL statements to override database records in relational databases.
• Record/item counts and balances ensure completeness.
3. Verify that detailed audit trails for manual overrides are maintained with the source request from the business. Consider:
• Manual monitoring controls identify unauthorized entry of manual overrides.
• User ID and time stamp are captured for override transactions.
• Exception and activity logs exist. (Note: Override authorization should be reviewed during the system security and access evaluation.)
4. Verify that processing errors are clearly described, promptly detected, and flagged for correction. Consider:
• Record processing should stop once an error occurs.
• Exception report data is available for corrective action.
• Corrective action reports are reviewed for problems.
• Items are cleared in accordance with business service-level objectives.
5. Determine whether a process exists to reverse transactions, correct errors, and re-process transactions with special manual handling. Consider:
• Special business rules and procedures should be defined by the organization.
• Application allows for special handling.
• Rejected records are re-processed within an acceptable time frame.
6. Verify that processing controls exist for spreadsheets. Consider:
• Formulas and computations are supported by adequate documentation endorsing the logic being used.
• Formulas and cells are locked to prevent changes.
• Cell references or named ranges are used in formulas instead of constants.
• Cross-check totals are used.
• Automatic calculation function is turned on in the spreadsheet.
• Embedded computations are supported with adequate documentation describing computation logic and mechanics.

33 Audit Areas E. Reports and Output
1. Verify that output control totals are compared with input control totals and errors are resolved.
2. Verify that UDA application logic and critical formulas are periodically validated.
3. Determine whether mitigating business controls exist to detect output errors (e.g., downstream reconciliations and/or control processing).

34 Audit Areas F. Retention
1. Verify that data is appropriately retained. Consider:
• Type of data and programs.
• Retained for a sufficient amount of time.
• Kept in a safe place.
• Physical documents.
• Archived data is legible and can be reproduced if necessary.
2. Ensure that appropriate information or notations exist for documents/reports retained past the period outlined in the data retention policy.

35 Audit Areas G. Backup and Recovery
1. Verify that a list of critical UDAs is maintained.
2. Verify whether critical UDAs and related data are periodically backed up. Consider:
• Type of backup (e.g., full or incremental).
• Frequency of backups.
3. Determine whether backups are retained in a safe location. Consider:
• On- or off-site location.
• Accessible to authorized personnel.
4. Determine whether UDA recovery is periodically tested. Consider:
• Recovery was successful.
• Recovery included in disaster recovery exercise.
• Recovery efforts summarized and the lessons learned noted.

36 Audit Areas H. Change Management
1. Verify that appropriate application change management procedures are followed. Consider:
• Changes are tested, reviewed, and approved.
• Testing includes formulas, logic, and downstream feeds.
• Test results are retained for a period of time.
• Testing performed by a person independent of the developer who created the change.
• Testing performed in a separate, production-like environment.
2. Verify that a separate source copy is maintained. Consider:
• Source is properly protected.
3. Verify that the approved application version is moved into production. Consider:
• Source and executable code.
• Proper segregation of duties exists between the “developer,” the person moving the code, and end users.

37 Control Framework or Guidelines
• Spreadsheet Development and Maintenance Overview
• Access Guidelines
• Source Data Guidelines
• Source Output Guidelines
• Testing Guidelines
• Logic Guidelines
• Version, Backup, and Archiving Guidelines
• Documentation Guidelines

38 Control Framework or Guidelines
Spreadsheet Development and Maintenance lifecycle: Define Requirements → Design → Implement → Test & Verify → Deploy → Maintain & Document.
Academic research indicates that spreadsheet development shares many characteristics with traditional software development*… the benefits gained from a sound development lifecycle… include design, inspection, and maintenance.
* Panko, Raymond R. and Nicholas Ordway. “Sarbanes-Oxley: What about All the Spreadsheets?” University of Hawaii, 2005.

39 Control Framework or Guidelines
Process Risks
• Inaccuracies in end-user systems result in financial reporting misstatement.
Process Controls
• All spreadsheets and other end-user systems are protected from unauthorized access. Spreadsheets and other end-user systems are saved in secure directories on secure network file servers where access privileges are limited to appropriate people or business groups.
• To ensure data is input correctly and completely, the input data is reviewed and verified for reasonableness by both the preparer and reviewer of the spreadsheet or other end-user system.
• Changes to the logic or mechanics of the end-user system are reviewed and verified by both the preparer and the reviewers of the spreadsheet or other end-user system.

40 Control Framework or Guidelines
Access Guidelines
• Limit access to spreadsheets and other end-user systems stored on a network server on a need-to-know basis according to job responsibilities.

41 Control Framework or Guidelines
Source Data Guidelines
• The data input area generally should not contain formulas. “When each cell contains both key data and the complicated assumption-laden algorithms to be applied, confirming the results are appropriate or reasonable may be virtually impossible — even if calculated correctly. It is a better practice to separate the data from the algorithms and assumptions being applied to the data.”*
• When possible, data input — manual or interfaced — should be in the same order as the source data to facilitate review and minimize input errors.
• Lock formulas.
* “Spreadsheet ‘Worst Practices,’” CFO.com

42 Control Framework or Guidelines
Source Output Guidelines
• Do not use the same worksheet and only change the assumptions and variables while leaving no baseline or trail of what has been changed during the “what if” analysis. “The best way to compare and review results from different combinations of variables are (a) to copy the original data sets and calculations into a separate spreadsheet tab, and (b) to build a comparison spreadsheet tab, which presents and contrasts the original.”*
• Consider what the final presentation format needs to look like. Avoid the need to manually retype the output into other formats and tools, causing errors.*
• Identify authorized users for each report that is output as well as data storage and retention guidelines.
* “Spreadsheet ‘Worst Practices,’” CFO.com

43 Control Framework or Guidelines
Testing Guidelines
• Make sure that changes to highly complex or critical UDAs are formally requested, documented, and tested.
• Task someone other than the spreadsheet’s user or developer with testing complex or critical calculations and logic.
• Use analysis and reasonableness reviews to detect errors in calculations and logic.

44 Control Framework or Guidelines
Logic Guidelines
• Place critical values in a separate cell and refer to this cell in the formula rather than incorporating the number in a formula in one or more cells.
• Incorporate batch totals and control totals.
• Use formulas that foot and cross-foot data.
• Ensure data integrity by locking or protecting cells to prevent inadvertent or intentional changes to static data or formulas.
• Include expected results where possible to compare and monitor the reasonableness of UDA output.

45 Control Framework or Guidelines
Version, Backup, and Archiving Guidelines
• Use unique folder and file naming conventions that include the month, quarter, and year to help ensure that only current and approved versions of UDAs are used. Consider using check-in and check-out software to manage version control.
• Ensure data backup by storing spreadsheets and other UDAs on a network server that is backed up daily.
• Store historical files and databases not in use in a segregated, read-only folder to avoid mistakenly using them.

46 Control Framework or Guidelines
Documentation Guidelines
• Document the purpose and use of each critical UDA and update accordingly. The documentation should include the business objective, inputs, outputs, and sequence of execution for multistep processes.
• Create a consistent layout for spreadsheets and other UDAs to simplify use and testing. The areas for data input, calculations, and output should be distinct and separate.
Use Consistent Cell Styles

47 Control Framework or Guidelines
Documentation Guidelines (continued)
• Label files, data sets, worksheets, key fields, rows, columns, and data for easy identification.
• Inventory all key spreadsheets and other UDAs impacting financial statement preparation.
• Clearly document assumptions applied and leveraged to generate data or perform calculations.

48 MS Office/Excel Controls
Specific Controls and Methods for Controlling Excel UDAs
• Preventing Unauthorized Access to Spreadsheets
• Managing and Monitoring Changes with SharePoint
• Retaining and Archiving Spreadsheets
• Developing Robust Spreadsheet Models

Preventing Unauthorized Access to Spreadsheets
As the complexity and importance of a spreadsheet increases, so too does the cost of errors and inappropriate disclosures of data. The 2007 Microsoft Office system offers a number of options for helping to secure critical spreadsheets from unauthorized access and modification on both the client and server. This section takes a closer look at the following four technologies:
1. Microsoft Office SharePoint® Server 2007 permissions
2. Sharing spreadsheets using Excel® Services
3. Information Rights Management
4. Workbook encryption

1. Office SharePoint Server 2007 Permissions
Office SharePoint Server 2007 is a scalable enterprise portal, content management, and collaboration server built on Microsoft Windows® SharePoint Services. Organizations can use Office SharePoint Server 2007 to store, protect, share, and track important documents and information through a single Web-based portal. All interactions within Office SharePoint Server 2007 are protected and monitored by a single sign-on system to safeguard against unauthorized access to critical documents.
Office SharePoint Server 2007 uses a security model based on site groups and rights. Site groups are groups of users with related security requirements. Site owners can assign security rights to each site group. An organization can customize the rights assigned to these site groups or add new site groups as needed. By default, Office SharePoint Server 2007 includes six site groups: Administrator, Web Designer, Contributor, Reader, Guest, and Viewer. Once groups and permissions have been defined, Office SharePoint Server 2007 safeguards the sites and documents stored within the portal using this permission structure.

2. Sharing Spreadsheets Using Excel Services
Excel Services is a server-based technology that supports loading, calculating, and rendering Microsoft Office Excel spreadsheets in a Web browser. Excel Services comprises two primary interfaces: Microsoft Office Excel Web Access, which allows customers to view spreadsheets in a Web browser, and the Excel application programming interface (API), which allows developers to share Excel features among applications. With the Microsoft Office system, customers can publish spreadsheets and view them with any modern browser, without the need to install software on the local computer. This allows organizations to share spreadsheets without exposing sensitive business logic. Finally, because Excel Services is part of Office SharePoint Server 2007, it takes full advantage of document management and workflow capabilities to help maintain control over critical spreadsheets.

Controlling What Users Can See
Publishing a spreadsheet to Office SharePoint Server 2007 saves the entire spreadsheet to the server to allow for data refreshes and recalculation. However, the parts of the spreadsheet accessible to viewers and available for download through the Web browser are controlled by the author of the spreadsheet. Microsoft Office Excel 2007 spreadsheet software provides three options for controlling the viewable area of the spreadsheet on the server:
• The entire workbook (default). Users can view the entire workbook and download it to the desktop.
• A subset of sheets. The workbook author permits users to view and download a subset of sheets. This does not affect how the spreadsheet appears when opened in Office Excel 2007, only how it appears when viewed on the server. This mode is useful when workbooks contain numerous “behind the scenes” worksheets that hold intermediate calculations, source data, etc., but only a few sheets that users should see.
• A set of named items, such as Named Ranges, charts, tables, and PivotTable® and PivotChart® dynamic views. In this mode, users can only view and download specific items selected by the workbook author. Users access these items through a drop-down menu in their Web browser.

The View Item Right
Office SharePoint Server 2007 adds a new feature for spreadsheets (and other documents) stored in SharePoint document libraries. With this View Item Right, spreadsheet administrators can restrict user access to viewing and executing on the server. Users cannot download a copy of the spreadsheet or access any areas that were not published to be viewable on the server. This feature can hide and make inaccessible proprietary information contained in the workbook, such as specific formulas, the proprietary model, the external data connections, and hidden elements. The View Item Right affects the way Excel Web Access and the Excel API allow access to a workbook.

3. Information Rights Management
Organizations can use Information Rights Management (IRM) to protect and maintain greater control over digital information, including confidential and sensitive spreadsheets. Microsoft Windows Rights Management Services (RMS) in the Microsoft Windows Server™ 2003 operating system allows organizations and individual users to set policies that allow better control over who can open, copy, print, or forward information created in Office Excel 2007.

IRM in Office Excel 2007
With Office Excel 2007, Information Rights Management policies allow users to set different levels of file protection to balance the need to share information efficiently against the need to protect privacy:
• Set file permissions at different levels and change the level for specific users and groups of users.
• Assign permissions according to roles and responsibilities. For example, set different permissions for a viewer, a reviewer, or a file editor.
• Restrict file printing to reduce the number of times a sensitive spreadsheet can be copied.
• Set expiration dates to provide a date after which a spreadsheet file can no longer be opened or used by others.
• Help prevent forwarded files from unauthorized access. Unintended recipients cannot open files protected with IRM policies. Instead, a message informs the recipient that they do not have access rights. Optionally, the file owner can include an address for contact.

IRM and Office SharePoint Server 2007
SharePoint document libraries are also highly integrated with Information Rights Management policies. Using IRM, Office SharePoint Server 2007 can apply policies automatically to help protect spreadsheets as they are downloaded to a user’s laptop. Offline use is unhindered, but permissions such as forwarding, printing, or editing can be disallowed as needed on a user-by-user basis. Finally, Office SharePoint Server 2007 can employ IRM policies to expire content after a specified time. This helps reduce erroneous access and distribution of outdated spreadsheets.

4. Workbook Encryption
Customers without Office SharePoint Server 2007 can use the “Secure a Workbook” functionality in Office Excel 2007 to establish a basic level of file security. The Secure a Workbook feature allows users to specify a password to open the workbook. The workbook is encrypted using a symmetric encryption type known as 40-bit RC4. Stronger encryption types can be selected depending on the security needs of the organization.

49 MS Office/Excel Controls – Spreadsheet Access
Preventing Unauthorized Access to Spreadsheets
• Office SharePoint Server Capabilities
• Sharing Spreadsheets Using Excel Services
• Information Rights Management
• Workbook Encryption

50 MS Office/Excel Controls – Spreadsheet Changes
Managing and Monitoring Spreadsheet Changes with SharePoint

Enterprise Content Management in Office SharePoint Server 2007
The versioning, auditing, and workflow capabilities in Office SharePoint Server 2007 allow users to better manage important spreadsheets and documents without sacrificing productivity.

Versioning
Office SharePoint Server 2007 has a robust check-in/check-out and versioning mechanism that allows users to check in changes under a new major (1.0 to 2.0) or minor (1.8 to 1.9) version. Office SharePoint Server 2007 will store as many back versions as are needed, with a full version history showing who created each version and when it was created.

Auditing
Office SharePoint Server 2007 allows administrators to audit key events within document libraries. While there is no built-in capability to audit changes within spreadsheets individually, the audit log records spreadsheet events such as Open, Modify, and Delete.

Workflow
With Office SharePoint Server 2007, customers can build workflows that map to important business processes (for example, Content Approval). These capabilities facilitate more manageable collaboration, enforceable and measurable business processes, and more intelligent records management.

51 MS Office/Excel Controls – Retaining and Archiving
Retaining and Archiving Spreadsheets
The following Office SharePoint Server capabilities can help users fulfill records management requirements: vault capabilities, information management policies, and holds.

Office SharePoint Server 2007 Records Repository
Office SharePoint Server 2007 provides a scalable and efficient records management system with a specialized Records Repository site template.

Vault Capabilities
The Records Repository has several features that help ensure the integrity of files stored in the repository:
1. The ability to ensure that records are never automatically modified by the system. This means that records uploaded to a records repository and then downloaded later will be identical, byte for byte.
2. Default version and audit settings that monitor changes to content to prevent direct tampering with records.
3. Records managers can add and maintain metadata on items separately from the record’s metadata. This allows information such as who manages the item to be changed without modifying the underlying record. Changes to this metadata are versioned as well.

Information Management Policies
These policies provide controls that consistently and uniformly enforce the labeling, auditing, and expiration of records. Policies can be configured for a specific storage location or content type. For example, to ensure that all contracts are retained uniformly in an organization, expiration dates can be based on a common property such as the contract execution date.

Hold
The Records Repository allows IT staff, records managers, and legal authorities to apply one or more holds that suspend records management policies on specific items to prevent documents from being changed during litigation, audits, or other investigations. The process of creating, managing, and releasing holds is monitored and recorded so that the system can account for all actions taken.

Record Collection Interface
Records repositories provide a set of services that aid in content collection. These services allow people and automated systems to easily submit content to a records repository without necessarily having access or permission to any of the contents of the site. Content can be submitted through a Web service by using the SOAP protocol or by using the SMTP protocol.

Record Routing
Content submitted to a records repository can be routed to the proper location within the records management system based on content type. For example, the Record Collection Interface can be implemented on a different repository, allowing Office 2007 clients and servers to treat third-party repositories as records repositories. Additionally, records management policies are built on an extensible framework that allows customers to buy or build custom policies to extend or replace existing ones.

52 MS Office/Excel Controls – Spreadsheet Models
Developing Robust Spreadsheet Models. Microsoft Office Excel 2007 can be used to create a robust spreadsheet model that meets compliance challenges and enhances productivity. The following Excel capabilities can help an organization deploy spreadsheet models that make it easier to become, and stay, compliant:
Cell Styles
Checksums
Lock Important Cells
Using Excel Tables to Reduce Errors
Defined Names
Formula Auditing Tools
Data Sources and Input

53 MS Office/Excel Controls – Cell Styles
Cell styles help distinguish input cells from calculation cells.

1. Cell Styles. Complex spreadsheets with multiple contributors can be unclear and difficult to read. Users interpret the information in the spreadsheet differently, make errors based on assumptions, and are unable to quickly interpret or analyze the data. Cell formatting is an important tool that can be used to visually clarify the structure of a spreadsheet with color, font, borders, and data formats. Office Excel 2007 allows users to quickly define reusable cell formatting styles that make it easy to clearly indicate input cells, formulas, output cells and other key components. To make formatting updates simple, style changes are automatically applied to all cells using that style.

54 MS Office/Excel Controls – Use of Checksums
The DataSafeXL August 2010 white paper "Excel Hell: How Simple Checksums Can Ease The Pain of Financial Modeling" provides a good primer on one approach to managing checksums. Cell-based modeling is a root cause of several of the issues it addresses, including:
Simple errors in formula construction, returning error values such as #VALUE!, #REF!, #NAME?, #N/A, etc.
Errors in formulas that depend on other feeder cells and only become apparent later, usually on a different tab from the one you are currently working on, and missed because you cannot see them and are not alerted to them.
Changes to the spreadsheet structure, which frequently create #REF! errors that ripple through financial statement rollups and make them unreadable.

55 MS Office/Excel Controls – Use of Checksums
Create a sheet purely for checksums. At the most basic level, even very simple checksums can help you maintain the integrity of every spreadsheet you construct. Most people fail to plan this aspect, usually because of time pressure, but also for lack of know-how. Building every new spreadsheet from a template that already contains a basic checksum structure removes that excuse. Here is how to do it.

Step 1: Create a sheet purely for checksums. It can look something like the screenshot on the slide.

56 MS Office/Excel Controls – Use of Checksums
Step 2: For each sheet in your workbook (except the Checksums sheet, because that would create a circular reference), click the Select All arrow between the column A header and the row 1 header so that the whole sheet range is selected. Then give this range a name similar to "INDEXSHT1", as shown in the screenshot. You now have a named range which will detect any formula error anywhere in the sheet, e.g. #VALUE!, #REF!, #NAME?, #N/A, etc.

57 MS Office/Excel Controls – Use of Checksums
Step 3: Now for the checksum formula. Following the example, in cell B10 on the Checksums sheet write the formula =IF(ISERROR(SUM(INDEXSHT1)),FALSE,TRUE). SUM over the whole sheet returns an error value if any cell in the sheet contains one, so ISERROR tells Excel whether there is any error anywhere in Sheet 1. For cells B11 and B12, replace INDEXSHT1 with the corresponding named range for each of the other sheets (INDEXSHT2, INDEXSHT3, etc.).

Step 4: Then add a summary checksum for all the individual sheet checksums (cell B6 in the example). This is important, as we will see later. Select all the cells with the sheet checksum formulas (B10:B12 in the example) and give them a named range such as "SUMMARYCHECK". Also give a name to cell B6 (here "SUMMARY"). Now add the formula to cell B6: =IF(COUNTIF(SUMMARYCHECK,FALSE),FALSE,TRUE). COUNTIF returns the number of sheet checksums that are FALSE; any non-zero count makes the summary FALSE.

58 MS Office/Excel Controls – Use of Checksums
Add some simple conditional formats to the checksum cells (green for TRUE, red for FALSE) to make them more visibly identifiable; the screenshot shows how. Now, whenever any error appears in the relevant sheets, the checksum turns from TRUE to FALSE and from green to red. You have now practically completed your Checksums sheet.

59 MS Office/Excel Controls – Use of Checksums
The checksums shown are in their simplest form. Checksums can be used at a more advanced level by creating multiple checksums for a single sheet, perhaps referencing important ranges rather than whole-sheet ranges, which helps pinpoint errors much more quickly and effectively. Any kind of test formula can be included, such as those that identify mistakes or aid reconciliations, e.g. =IF(SUM(RANGE1)<>SUM(RANGE2),FALSE,TRUE). Note that ISERROR only detects cells that evaluate to an error value: a formula that returns the wrong number, or a figure pasted as text that SUM silently skips, raises no error at all, which is why reconciliation checksums between independently calculated ranges are needed alongside the whole-sheet error checks.
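The following script is an added example, not code from the presentation or from the DataSafeXL paper. It recomputes the checksum sheet described in Steps 1 to 4 outside Excel, the way an auditor might re-perform the control over exported cell values: the sheet checksum (ISERROR over SUM of the whole sheet), the summary rollup (COUNTIF of FALSE), and a reconciliation checksum between two ranges. It also checks for the blind spot mentioned above, a number stored as text that SUM skips without an error. The workbook model, the error-value list and the sample workbook are the example's own constructions.

```python
"""Independent re-computation of the checksum sheet described above.

Added example, not code from the presentation or from the DataSafeXL paper.
A workbook is modelled as {sheet name: {cell address: value}}, and an Excel
error is represented by its literal text (for example "#REF!"). The sample
workbook at the bottom is constructed for this example.
"""

# Every error value Excel can return. ISERROR() is TRUE for each of them, and
# SUM() over a range containing one of them returns that error instead of a total.
EXCEL_ERRORS = {"#VALUE!", "#REF!", "#NAME?", "#N/A", "#DIV/0!", "#NUM!", "#NULL!"}


def excel_sum(values):
    """Mimic SUM(): the first error propagates; text and booleans are skipped."""
    total = 0.0
    for v in values:
        if isinstance(v, str) and v in EXCEL_ERRORS:
            return v
        if isinstance(v, (int, float)) and not isinstance(v, bool):
            total += v
    return total


def sheet_checksum(sheet):
    """=IF(ISERROR(SUM(INDEXSHTn)),FALSE,TRUE) with INDEXSHTn naming the whole sheet."""
    return excel_sum(sheet.values()) not in EXCEL_ERRORS


def summary_checksum(sheet_checks):
    """=IF(COUNTIF(SUMMARYCHECK,FALSE),FALSE,TRUE): one FALSE sheet makes the summary FALSE."""
    return list(sheet_checks.values()).count(False) == 0


def reconciliation_checksum(range1, range2):
    """=IF(SUM(RANGE1)<>SUM(RANGE2),FALSE,TRUE); an error on either side also fails."""
    a, b = excel_sum(range1), excel_sum(range2)
    if a in EXCEL_ERRORS or b in EXCEL_ERRORS:
        return False
    return abs(a - b) < 1e-9


def numbers_stored_as_text(sheet):
    """The blind spot of ISERROR(SUM()): a value such as "1,250" pasted as text is
    skipped by SUM() without any error, so the sheet checksum stays TRUE while
    the total is short by 1,250. Returns the addresses of such cells."""
    found = []
    for addr, v in sheet.items():
        if isinstance(v, str) and v not in EXCEL_ERRORS:
            try:
                float(v.replace(",", ""))
                found.append(addr)
            except ValueError:
                pass
    return found


def audit(workbook):
    """Per-sheet checksums, the summary cell, and the text-number warnings."""
    checks = {name: sheet_checksum(cells) for name, cells in workbook.items()}
    text = {name: numbers_stored_as_text(cells) for name, cells in workbook.items()}
    return {"sheets": checks, "summary": summary_checksum(checks),
            "text_numbers": {n: a for n, a in text.items() if a}}


# Constructed sample: one clean sheet, one with #REF! from a deleted column,
# and one where a figure was pasted as text.
SAMPLE_WORKBOOK = {
    "Sheet1": {"A1": "Revenue", "B2": 1200.0, "B3": 800.0, "B4": 2000.0},
    "Sheet2": {"B2": 500.0, "B3": "#REF!", "B4": "#REF!"},
    "Sheet3": {"B2": 300.0, "B3": "1,250", "B4": 300.0},
}

if __name__ == "__main__":
    print(audit(SAMPLE_WORKBOOK))
```

Running it shows Sheet2 failing its checksum and the summary turning FALSE, exactly as the red cell on the Checksums sheet would, while Sheet3 passes even though its total is wrong; only the reconciliation checksum or the text-number scan catches that case.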

60 MS Office/Excel Controls – Protect Worksheets
Shortcut = Ctrl+1

2. Lock Important Cells. In addition to making the spreadsheet more understandable, organizations can reduce user errors by password protecting (or locking) specific cells, ranges, or sheets. This is a key step in the development of a robust spreadsheet.

Protect Worksheets. This feature can be used to lock important areas of a spreadsheet to prevent users from modifying the values or formulas in those cells. For example, an author can password-protect selected cells and prevent different types of changes to cells and other elements in the worksheet.

Lock certain cells or ranges in a protected worksheet. By default, the Locked setting is turned on for every cell in a worksheet. This can be confusing, because the Locked setting does nothing until you apply the Protect Sheet command. That is why it is often better to clear the Locked box for everything first, and then lock only the specific cells you want to protect.
1. If the worksheet is already protected: on the Review tab, in the Changes group, click Unprotect Sheet.
2. Select the whole worksheet by clicking the Select All button.
3. On the Home tab, in the Font group, click the Format Cell Font dialog box launcher (keyboard shortcut: CTRL+1).
4. On the Protection tab, clear the Locked check box, and then click OK.
5. In the worksheet, select just the cells that you want to lock.
6. On the Home tab, in the Font group, click the Format Cell Font dialog box launcher.
7. On the Protection tab, select the Locked check box, and then click OK. If you have formulas you want to protect, you can also select the Hidden check box: the result of the formula still shows in the cell, but the formula itself is not displayed in the formula bar while the sheet is protected.
8. On the Review tab, in the Changes group, click Protect Sheet.
9. In the Allow all users of this worksheet to list, select the elements that you want users to be able to change.
10. In the Password to unprotect sheet box, type a password for the sheet, click OK, and then retype the password to confirm it.

Notes. The password is optional. If you do not supply a password, any user can unprotect the sheet and change the protected elements. Choose a password that can be recovered later (for a UDA, record it with the model's documentation), because if you lose the password you cannot gain access to the protected elements on the worksheet. Worksheet protection is a control against accidental change, not an access control: it does not encrypt the workbook, hidden formulas are still stored in the file, and anyone who can open the file for editing can strip the protection from it. It should therefore be paired with file-level access control and change management rather than relied on alone.

61 MS Office/Excel Controls – Allow Users to Edit Ranges
2. Lock Important Cells. In addition to making the spreadsheet more understandable, organizations can reduce user errors by password protecting (or locking) specific cells, ranges, or sheets. This is a key step in the development of a robust spreadsheet.

Allow Users to Edit Ranges. Similar to the Protect Worksheet functionality, the Allow Users to Edit Ranges feature allows users to lock specific areas of a spreadsheet. In addition, an author can grant edit permissions to specific groups, users, or computers based on Windows authentication.

Unlock ranges on a protected worksheet for users to edit. Important: to give specific users permission to edit ranges in a protected worksheet, your computer must be running Microsoft Windows XP or later and must be joined to a domain. Instead of using permissions that require a domain, you can also specify a password for a range.
1. Select the worksheet that you want to protect.
2. On the Review tab, in the Changes group, click Allow Users to Edit Ranges. Note: this command is available only when the worksheet is not protected.
3. Do one of the following: to add a new editable range, click New; to modify an existing editable range, select it in the Ranges unlocked by a password when sheet is protected box, and then click Modify; to delete an editable range, select it in that box, and then click Delete.
4. In the Title box, type the name for the range that you want to unlock.
5. In the Refers to cells box, type an equal sign (=), and then type the reference of the range that you want to unlock. Tip: you can also click the Collapse Dialog button, select the range in the worksheet, and then click the Collapse Dialog button again to return to the dialog box.
6. For password access, in the Range password box, type a password that allows access to the range. Note: specifying a password is optional when you plan to use access permissions. Using a password allows you to see user credentials of any authorized person who edits the range.
7. For access permissions, click Permissions, and then click Add.
8. In the Enter the object names to select (examples) box, type the names of the users who you want to be able to edit the ranges. Tip: to see how user names should be entered, click examples; to verify that the names are correct, click Check Names.
9. Click OK.
10. To specify the type of permission for the user who you selected, in the Permissions box, select or clear the Allow or Deny check boxes, and then click Apply.
11. Click OK two times. Tip: if prompted for a password, type the password that you specified.
12. In the Allow Users to Edit Ranges dialog box, click Protect Sheet.
13. In the Allow all users of this worksheet to list, select the elements that you want users to be able to change.
14. In the Password to unprotect sheet box, type a password, click OK, and then retype the password to confirm it.

Notes. The password is optional. If you do not supply a password, any user can unprotect the worksheet and change the protected elements. Choose a password that can be recovered later, because if you lose the password you cannot gain access to the protected elements on the worksheet. If a cell belongs to more than one range, users who are authorized to edit any of those ranges can edit the cell. If a user tries to edit multiple cells at once and is authorized to edit some but not all of those cells, the user is prompted to select and edit the cells one by one.
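The two procedures above are performed through dialogs, so the only way to confirm that a delivered UDA actually has them applied is to inspect the file. The script below is an added example, not code from the presentation or from Microsoft. It opens an .xlsx as the zip of XML parts it is, and reports for each worksheet whether Protect Sheet is on, whether it is backed by a password, which Allow Users to Edit Ranges entries exist and how they are secured, and which cells have had the Locked box cleared. The element and attribute names are those of the SpreadsheetML format; the sample archive is constructed inside the script, contains only the parts the checker reads, and would not open in Excel.

```python
"""Audit the protection settings an .xlsx file actually carries.

Added example, not code from the presentation or from Microsoft. An .xlsx is a
zip archive of XML parts: what the Protect Sheet and Allow Users to Edit Ranges
dialogs write ends up in xl/worksheets/sheetN.xml (<sheetProtection> and
<protectedRanges>), and the Locked check box ends up in xl/styles.xml as a
cell style with <protection locked="0"/>. Standard library only; the sample
archive built at the bottom is constructed and contains just the parts this
script reads, so Excel itself would not open it.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def unlocked_style_ids(styles_xml):
    """Indexes into <cellXfs> whose <protection locked="0"/> clears the Locked box."""
    cellxfs = ET.fromstring(styles_xml).find("m:cellXfs", NS)
    xfs = [] if cellxfs is None else cellxfs.findall("m:xf", NS)
    return {i for i, xf in enumerate(xfs)
            if xf.find("m:protection", NS) is not None
            and xf.find("m:protection", NS).get("locked") == "0"}


def audit_sheet(sheet_xml, unlocked_styles):
    """Protection state of one worksheet part."""
    root = ET.fromstring(sheet_xml)
    prot = root.find("m:sheetProtection", NS)
    protected = prot is not None and prot.get("sheet") == "1"
    # Excel 2007-2010 store a 16-bit legacy hash in 'password'; Excel 2013+ store
    # hashValue/saltValue/algorithmName. Neither attribute present means
    # Unprotect Sheet works without being asked for anything at all.
    has_pw = protected and (prot.get("password") is not None or prot.get("hashValue") is not None)
    ranges = [{"name": pr.get("name"), "sqref": pr.get("sqref"),
               "password_backed": pr.get("password") is not None or pr.get("hashValue") is not None,
               # securityDescriptor holds the Windows users/groups granted via Permissions
               "windows_users": pr.get("securityDescriptor") is not None}
              for pr in root.findall("m:protectedRanges/m:protectedRange", NS)]
    unlocked = [c.get("r") for c in root.iter("{%s}c" % NS["m"])
                if int(c.get("s", "0")) in unlocked_styles]
    return {"protected": protected, "password_backed": has_pw,
            "editable_ranges": ranges, "unlocked_cells": unlocked}


def audit_xlsx(data):
    """Map of worksheet part name -> audit_sheet() result, in part order."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        unlocked = unlocked_style_ids(z.read("xl/styles.xml")) if "xl/styles.xml" in names else set()
        return {n.rsplit("/", 1)[1]: audit_sheet(z.read(n), unlocked)
                for n in sorted(names) if n.startswith("xl/worksheets/sheet")}


def findings(report):
    """Deviations from the procedure above, one line per issue."""
    out = []
    for name, r in report.items():
        if not r["protected"]:
            out.append(f"{name}: not protected, every formula cell can be overwritten")
        elif not r["password_backed"]:
            out.append(f"{name}: protected without a password, any user can unprotect it")
        for rg in r["editable_ranges"]:
            if not rg["password_backed"] and not rg["windows_users"]:
                out.append(f"{name}: range {rg['name']} ({rg['sqref']}) is editable by anyone")
    return out


def build_sample():
    """Constructed archive: sheet1 done by the book, sheet2 protected with no
    password, sheet3 never protected. Hash/salt values are placeholders."""
    m = NS["m"]
    styles = (f'<styleSheet xmlns="{m}"><cellXfs count="2"><xf numFmtId="0"/>'
              '<xf numFmtId="0" applyProtection="1"><protection locked="0"/></xf></cellXfs></styleSheet>')
    sheet1 = (f'<worksheet xmlns="{m}"><sheetData><row r="2"><c r="B2" s="1"><v>100</v></c>'
              '<c r="C2"><f>B2*1.2</f><v>120</v></c></row></sheetData>'
              '<sheetProtection sheet="1" objects="1" scenarios="1" algorithmName="SHA-512" '
              'hashValue="placeholder=" saltValue="placeholder=" spinCount="100000"/>'
              '<protectedRanges><protectedRange sqref="B2:B10" name="Inputs" '
              'securityDescriptor="O:WDG:WDD:(A;;CC;;;S-1-5-21-1-2-3-1001)"/></protectedRanges></worksheet>')
    sheet2 = (f'<worksheet xmlns="{m}"><sheetData><row r="2"><c r="B2"><f>Sheet1!C2</f><v>120</v></c></row>'
              '</sheetData><sheetProtection sheet="1" objects="1" scenarios="1"/></worksheet>')
    sheet3 = f'<worksheet xmlns="{m}"><sheetData><row r="2"><c r="B2"><v>7</v></c></row></sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/styles.xml", styles)
        for i, xml in enumerate((sheet1, sheet2, sheet3), start=1):
            z.writestr(f"xl/worksheets/sheet{i}.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for line in findings(audit_xlsx(build_sample())):
        print(line)
```

Point `audit_xlsx` at the bytes of a real workbook to get the same report; the presence of a hash is all the file reveals, so the script reports whether a password exists, not how strong it is.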

62 MS Office/Excel Controls – Tables
Tables make common tasks easier to perform and more robust. As data is added to a table, any elements associated with the table automatically adjust: formatting applies to new rows and formulas update to include the new data. PivotChart views, PivotTable views, Conditional Formatting, and Data Validation all update to fit the new data.

3. Using Excel Tables to Reduce Errors. Tables are common elements in spreadsheets, and they are the standard method for organizing and displaying structured data. Office Excel 2007 recognizes tables as a native object in spreadsheets, which allows users to create robust tables that better maintain structure and are significantly easier to interact with. A table consists of three pieces: a header row, a data region, and a total row.

63 MS Office/Excel Controls – Table Referencing
Referencing Data. Formulas that reference data in a table do so by name (the name of the column, e.g. "Sales") rather than by an undecipherable A1-style address (e.g. D1:D10), so a total reads =SUM(Table1[Sales]) instead of =SUM(D2:D10) and keeps working as rows are added. This type of referencing is called "Structured Referencing" and it increases the readability of formulas, making them easier to maintain, edit and review later.

64 MS Office/Excel Controls – Spreadsheet Models
Better Formatting. Table formatting features behave intelligently. For example, if alternate-row formatting is enabled on a table, Office Excel 2007 maintains the alternating format rule through actions that would traditionally have disrupted this layout, such as filtering, hiding rows, or manually rearranging rows and columns. Additionally, Office Excel 2007 includes a large number of professionally designed table styles that look good out of the box.

65 MS Office/Excel Controls – Use of Named Ranges
Create a Named Range in Excel
1. Select the cell or range of cells to be named, such as B2 to B5.
2. Click in the Name box, to the left of the formula bar.
3. Type a name for the range, e.g. Jan_sales.
4. Press the Enter key.
The name now appears in the Name box.

Named Range Examples. A named range can be used when creating charts, and in formulas and functions such as:
=SUM(Jan_sales)
=Jan_total+Feb_total+Mar_total
Since a named range does not change when a formula is copied to other cells, it provides an alternative to using absolute cell references in functions and formulas.

Related tutorial: Excel Range Name Overview

66 MS Office/Excel Controls – Spreadsheet Models
4. Defined Names. Defined names simplify writing formulas in complex spreadsheets, especially those shared among several people. However, when a spreadsheet contains hundreds or even thousands of defined names, it becomes more challenging to perform tasks such as deleting multiple names, renaming names, and finding broken names. The Name Manager dialog box, designed specifically for viewing and managing defined names, makes it easier to:
View important details such as the name's reference, value, and scope.
Create and scope names.
Rename existing names.
Delete multiple names at once.
Sort and filter the name list by common criteria including scope, type, and whether the name returns an error.

67 MS Office/Excel Controls – Trace Precedents
Trace Precedents using auditing arrows.

5. Formula Auditing Tools. Regulatory compliance legislation requires auditable and transparent practices for spreadsheets used in financial reporting. Office Excel 2007 provides auditing tools that, along with consistent use of cell styles and naming conventions, can accelerate the testing of spreadsheet models and reduce the risk of error once a spreadsheet is in production. The auditing tools in Office Excel 2007 enable users to:
Graphically display (or "trace") the relationships between cells and formulas.
Trace a cell's precedents (the cells that provide information to that cell).
Trace a cell's dependents (the cells that receive information from that cell).
Check for errors in a formula.
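Tracing arrows one cell at a time does not scale to a model with thousands of formulas, so the following added example (not code from the presentation) does the same thing programmatically: it extracts every cell reference from each formula in a workbook, builds the precedent and dependent graph, and walks it transitively. It also lists formulas whose precedents are blank cells, a condition Excel evaluates as zero without raising any error value. The formula parsing is the example's own regular expression and handles A1-style cells, ranges, $-anchored references and Sheet!Cell prefixes; defined names and references inside string literals are not resolved. The sample workbook is constructed for the example.

```python
"""Trace precedents and dependents across a workbook without opening Excel.

Added example, not code from the presentation. Formulas are modelled as strings
beginning with "=", the workbook as {sheet name: {cell address: value}}, and
references are found with a regular expression that understands A1-style cells,
ranges, $-anchored references and Sheet!Cell prefixes. Named ranges and
references inside string literals are not resolved. The sample workbook is
constructed for this example.
"""
import re
from collections import defaultdict

# One cell or range reference, optionally qualified with a sheet name. The
# lookbehind keeps us out of names such as INDEXSHT1; the lookahead skips
# function calls such as LOG10(.
REF = re.compile(
    r"(?<![A-Za-z0-9_.])"
    r"(?:(?P<sheet>'[^']+'|[A-Za-z0-9_]+)!)?"
    r"\$?(?P<c1>[A-Z]{1,3})\$?(?P<r1>[0-9]+)"
    r"(?::\$?(?P<c2>[A-Z]{1,3})\$?(?P<r2>[0-9]+))?"
    r"(?![A-Za-z0-9_(])"
)


def col_to_num(col):
    """Column letters to 1-based index: A=1, Z=26, AA=27."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - 64
    return n


def num_to_col(n):
    """Inverse of col_to_num."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s


def precedents(sheet, formula):
    """Every individual cell a formula reads, as 'Sheet!A1' strings."""
    cells = set()
    for m in REF.finditer(formula):
        target = (m.group("sheet") or sheet).strip("'")
        c2, r2 = m.group("c2") or m.group("c1"), m.group("r2") or m.group("r1")
        for c in range(col_to_num(m.group("c1")), col_to_num(c2) + 1):
            for r in range(int(m.group("r1")), int(r2) + 1):
                cells.add(f"{target}!{num_to_col(c)}{r}")
    return cells


def build_graph(workbook):
    """prec[cell] = cells it reads; dep is the inverse (what reads this cell)."""
    prec, dep = {}, defaultdict(set)
    for sheet, cells in workbook.items():
        for addr, value in cells.items():
            if isinstance(value, str) and value.startswith("="):
                me = f"{sheet}!{addr}"
                prec[me] = precedents(sheet, value)
                for p in prec[me]:
                    dep[p].add(me)
    return prec, dep


def trace(graph, start, seen=None):
    """Transitive closure: what repeatedly clicking Trace Precedents (graph=prec)
    or Trace Dependents (graph=dep) from `start` would eventually draw."""
    seen = set() if seen is None else seen
    for nxt in graph.get(start, ()):
        if nxt not in seen:
            seen.add(nxt)
            trace(graph, nxt, seen)
    return seen


def blank_precedents(workbook, prec):
    """Formulas that read cells holding nothing. Excel treats a blank as 0 and
    raises no error value, so a checksum based on ISERROR() never sees it."""
    out = {}
    for formula_cell, refs in prec.items():
        blanks = sorted(r for r in refs
                        if r.split("!", 1)[1] not in workbook.get(r.split("!", 1)[0], {}))
        if blanks:
            out[formula_cell] = blanks
    return out


# Constructed sample: Summary!B5 reads Inputs!B9, which nobody ever filled in.
SAMPLE = {
    "Inputs": {"B2": 100.0, "B3": "=B2*1.1", "B4": 250.0},
    "Summary": {"B4": "=SUM(Inputs!B2:B3)", "B5": "=Summary!B4+Inputs!B9"},
}

if __name__ == "__main__":
    prec, dep = build_graph(SAMPLE)
    print("dependents of Inputs!B2:", sorted(trace(dep, "Inputs!B2")))
    print("precedents of Summary!B5:", sorted(trace(prec, "Summary!B5")))
    print("formulas reading blank cells:", blank_precedents(SAMPLE, prec))
```

The dependent trace is the more useful direction for a UDA review: it answers which reported figures change if one input cell is edited, which is what the locking and edit-range controls above are meant to govern.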

68 MS Office/Excel Controls – Importing From Data Sources
There are a variety of data sources that you can connect to: Analysis Services, SQL Server, Microsoft Access, other OLAP and relational databases, spreadsheets, and text files. Many data sources have an associated ODBC driver or OLE DB provider. A connection file defines all the information that is needed to access and retrieve data from a data source. Connection information is copied from the connection file into the workbook, where it can easily be edited; for a UDA this means the workbook itself may carry the connection string, including any credentials saved with it, and should be stored and shared accordingly. The data is copied into the workbook so that you can use it just as you use data stored directly in the workbook, which also means the workbook holds a snapshot as of its last refresh rather than a live view of the source.


70 Overview
What is a UDA?
Benefits and Risks
Internal Audit's Role
Scoping an Internal Audit of UDAs
Best Practices for Frameworks of Controls over UDAs
MS Office/Excel Control Examples

71 Questions? Tim Fawcett Manager, Stinnett & Associates

