…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.

Presentation transcript:

telling the Information Management story Confidential © Bloor Research 2009 telling the right story Confidential © Bloor Research 2010

Why spreadsheet governance is important
- Prevent errors that can impact financial and operational accuracy
- Prevent fraud
- Reduce disk space and associated costs
- Ensure compliance
- Improve business process efficiency
- Prevent fines
- Prevent reputational damage
- Improve decision making
- Reduce audit fees
- Enables various IT processes

Maturity Models
- To identify where you are today
- To identify where you want to get to
- To identify the steps between
- NB: not all organisations want to get to the same end point

Spreadsheet MMM
- Not just about spreadsheets
- Any end-user computing (EUC) resources such as Access databases, Crystal Reports, PowerPoint presentations and so on
- Differs from other maturity models in that there are both personnel and corporate maturity levels

Personnel maturity
- Inexperienced users: Tend to be self-taught
- Enthusiastic users: Junior personnel develop expertise
- Experienced users: Junior personnel become senior
- Trained users: Formal training and best practices

Maturity Stage 1
- Organisations do not understand extent of reliance on EUCs
- Users are self-taught and do not make use of external resources
- Transition to stage 2 typically because of a significant event such as a significant/material error, financial restatement, fraud, auditor scrutiny or forthcoming compliance audit
[Diagram: 1. Denial (inexperienced users)]

Maturity Stage 2
- Manual governance based on access, change and version control, which may cause change management issues
- No accuracy testing
- May be custom macros for basic controls and auditing—not easy to support and unsustainable in long run
- May include risk assessment
- Transition to stage 3 because manual controls breaking down, experienced staff get promoted or because of compliance requirements.
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users)]

Maturity Stage 3
- Use of formal remediation tools and methodologies either via audit forms or via diagnostic software
- May include end user training on spreadsheet compliance (e.g. for SOX)
- Transition to stage 4 often as result of auditor or consultant recommendation
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial (experienced users)]

Maturity Stage 4
- Identification of critical spreadsheet assets
- May adopt use of automated discovery, inventory management and risk assessment software
- Ideally, should come before stage 3 but most companies only discover risks due to links and dependencies after remediation has started
- Stages 3 and 4 often help to build business case for more advanced stages
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial and 4. Recognised (experienced users)]

Maturity Stage 5
- Can capture and/or have eliminated errors and ad hoc processes
- Logic and formula errors identified and fixed
- Controlled development processes and end users trained in development best practices
- Process controls to detect and/or prevent errors
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial and 4. Recognised (experienced users); 5. Captured (trained users)]

Maturity Stage 6
- Formal development, control and risk mitigation processes
- Segregation of duties, change request management, test and signoff on changes and new models, routine review and approval processes
- May be issues with existing processes.
- Balance between collaboration and control may vary by department or, indeed, spreadsheet
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial and 4. Recognised (experienced users); 5. Captured and 6. Formalised (trained users)]

Maturity Stage 7
- Automated monitoring and/or control environment
- Management reporting on EUC control process
- This stage involves cultural shift: about implementing better business processes not just collecting data about spreadsheets
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial and 4. Recognised (experienced users); 5. Captured, 6. Formalised and 7. Managed (trained users)]

Maturity Stage 8
- Spreadsheet processes and alerts part of broader GRC framework
- Automated integration of spreadsheet data with central applications to eliminate error-prone practices
[Diagram: 1. Denial (inexperienced users); 2. Manual (enthusiastic users); 3. Remedial and 4. Recognised (experienced users); 5. Captured, 6. Formalised, 7. Managed and 8. Integrated (trained users)]

Conclusion
- Spreadsheet management is iterative and evolving
- Spreadsheet management is ongoing
- Spreadsheet management is integral to governance, risk and compliance
- Spreadsheet management should be treated as a part of data governance
- Spreadsheet management is a part of optimising business processes
- A maturity model helps you to understand where you are and where you’re going
