Presentation is loading. Please wait.

Presentation is loading. Please wait.

End User Computer Controls Marc Engel, CPA, CISA, CFE Risk Management Advisory Services LLC

Published byBrittney Summers Modified over 9 years ago

Similar presentations

Presentation on theme: "End User Computer Controls Marc Engel, CPA, CISA, CFE Risk Management Advisory Services LLC"— Presentation transcript:

1 End User Computer Controls Marc Engel, CPA, CISA, CFE Risk Management Advisory Services LLC Marc.Engel@rmadvisory.com Marc.Engel@rmadvisory.com Marc.engelcpa@gmail.com Marc.engelcpa@gmail.com 973-953-8569 Presented December 6, 2012 to the Association of International Bank Auditors Risk Management Advisory Services

2 Key Discussion Points Topics: (1)_Overview of Excel risks as part of the risk assessment (2)_Risks of fraud and errors; best practices to prevent and detect them (3)_Applying Change controls to Excel Objective: Consider the risks involved in controlling spreadsheets and other user directed applications. Discuss controls that can be easily implemented to meet SOX requirements for risk analysis, and establishing effective controls. RM Advisory Services

3 Excel Risks as Part of the Risk Analysis Background Companies that are subject to FDICIA or SOX should now be compliant for their primary computer systems and applications. It’s possible that some companies subject to FDICIA or SOX are insufficiently covering the risks inherent in user-directed apps. Many may need to tighten controls over applications such as Excel or Access. These are often used in accounting and finance departments to generate calculations or support for journal entries or business decisions. RM Advisory Services

4 The Problem: Inherently Weak Controls Can anyone give some personal observations of incorrect information caused by Excel use? Some of my observations: – a formula for a financial statement number using a random number generator; no documentation – budget equaled actual exactly because the preparer copied the budget numbers – New accountant changed an allocation; Regulator gave MoU. RM Advisory Services

5 Risks involving the use of Excel Consider these examples: An Excel spreadsheet to control fixed assets. Some Risks: – Formulas are not locked, eg. because each new purchase adds a line to the list of fixed assets. – Approvals consist of a signature on the hard copy. Excel may be used to prepare financial statements and for variance analyses; Some Risks of inaccurate information: – Lack of control over input cells, output cells, formula results, and – different versions of the spreadsheet – Consolidation worksheets – information downloaded to standardized workbook then consolidated at corporate offices RM Advisory Services

6 Need for Controls Could such errors appear in the financial statements and the MD&A? Even if totally innocent, whose responsibility? Consequently, lack of proper controls over such applications could result in a finding of a significant deficiency or even a material weakness. If not corrected prior to year end, this might have to be reported as an exception in the annual report. RM Advisory Services

7 Solution Overview COSO compliant, effective controls are easily implemented. Five basic areas to consider are: – Risk Assessment, – Limited Access, – Design and Documentation, – Change Controls, and – Monitoring. RM Advisory Services

8 Risk Assessment Formalized risk assessment is a required element of internal control under COSO. A company could generate a risk threshold for spreadsheets, based on a percentage of its total assets or gross revenue. Any spreadsheet generating aggregate entries over that percentage would be deemed critical. So if the gross revenue is $500m and the threshold is.1% of that, any spreadsheet generating entries of $500k in aggregate over the year would be deemed “critical” and subject to additional controls. RM Advisory Services

9 Risk Assessment Key steps: – Inventory all spreadsheets used to generate journal entries and supporting work papers for published financial information, and – measure them in aggregate by type of entry. In the above fixed asset example, all fixed asset entries would be aggregated to include the spreadsheet in the critical spreadsheet group, rather than excluding it based on many small individual entries it would generate. RM Advisory Services

10 Spreadsheet Inventory Spreadsheet inventory should have: List of all spreadsheets used for production of financial statements and numbers that support JEs. Include location, owner, main user, frequency of use. (Keep current by requiring all new spreadsheets to be registered.) Security inventory with all passwords for all sheets; Kept by IT Security. RM Advisory Services

11 Control Attributes Each spreadsheet’s purpose, frequency of being run, and formulas should be documented and explained on a separate tab in the workbook. Passwords should be backed up separately so if the password keeper leaves or forgets, the company still can unlock the spreadsheet. All superseded versions should be removed from the production folders. RM Advisory Services

12 Design and Documentation Good spreadsheet design makes a spreadsheet reliable, without constant testing or risk of error. Keypoints are: Range control, Formula control, and Password protection. Range control entails – setting up input areas, so that formulas do not need to be revised whenever data is added. This is done by – putting formulas on a separate sheet in the workbook; – putting them at the top of the page and adding data underneath. – Controling input via Excel’s excellent Forms functionality RM Advisory Services

13 Design and Documentation Formula controls: Formulas are locked and password protected so the user cannot change them. Only specific input areas are unlocked for the user. Formulas should be color coded to be easily recognizable. Color coding conventions (standards) should be included in the company’s procedures for designing spreadsheets. – Excel 2007 provides formats for different cell types, such as calculated cell, input, output, and others, on the Home ribbon. Best practice designs – Use one spreadsheet for a particular purpose so a new version each month (or quarter) is not needed. RM Advisory Services

14 Limited Access The company should set up a secure directory or folder. The network administrator limits access to – specific profiles of staff needing access to perform their duties. – Other staff members are excluded. RM Advisory Services

15 Limited Access Quick connections to external data In Office Excel 2007, you no longer need to know the server or database names of corporate data sources. Instead, you can use Quicklaunch to select from a list of data sources that your administrator or workgroup expert has made available for you. A connection manager in Excel allows you to view all connections in a workbook and makes it easier to reuse a connection or to substitute a connection with another one. (Excel online documentation). Using these features makes enforcing a secure download process straightforward; (documenting it as well). RM Advisory Services

16 Monitoring Enforcing segregation of duties – i.e. a single individual should not have rights to both prepare and enter an entire transaction. There must be an audit trail to document the review of entries. A checklist should be used and approved, to prove that all needed spreadsheets were updated timely. Off premises vacation rules to prevent override of controls > Spreadsheets are updated by other staff. RM Advisory Services

17 Monitoring Management can monitor spreadsheet activity since: – All spreadsheets to prepare FS or supporting info are inventoried, aggregated as to FS impact, risk rated, and all critical spreadsheets are secured. – Mid management knows which are the key spreadsheets and can enforce controls over spreadsheets. – Spreadsheets are password protected and the passwords are kept by IT security. RM Advisory Services

18 Change Controls Possibly contentious but consider: How would you feel about the IT staff revising your software just on the programmer’s approval? Same concept applies to your finance dept staff changing critical spreadsheets with no approval. RM Advisory Services

19 Change Controls Change controls block unauthorized changes, verify accuracy of changes to the spreadsheet, and enforce version control. Naming conventions lower the risk of using a superseded version. Granted that most spreadsheets will most likely be initially designed by the owner / user. Nevertheless, after a spreadsheet is designed properly, it should be password protected so the designer/ user cannot make changes. Changes should be performed in a test folder set up for this purpose and kept out of the production folders. A second person tests the spreadsheet with a pre-approved test set. The final version is forwarded to the approver who password protects it and posts it to the secure folder. RM Advisory Services

20 Questions? Any questions can be addressed to: Marc Engel, CPA, CISA, CFE RM Advisory Services Marc.Engel@rmadvisory.com Marc.Engel@rmadvisory.com Marc.engelcpa@gmail.com 973-953-8569 Marc.engelcpa@gmail.com

Download ppt "End User Computer Controls Marc Engel, CPA, CISA, CFE Risk Management Advisory Services LLC"

Similar presentations

Business Planning using Spreasheets-2 1 BP-2: Good Spreadsheet Practice  There is always the temptation to rush in and start entering data.  However.

Business Planning using Spreasheets-2 1 BP-2: Good Spreadsheet Practice  There is always the temptation to rush in and start entering data.  However.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
1 CA202 Spreadsheet Application Collaborating with Colleagues Lecture # 16 Dammam Community College.

1 CA202 Spreadsheet Application Collaborating with Colleagues Lecture # 16 Dammam Community College.
General Ledger and Journals. Financial Services - GL and Journals presentation 280709 2 What are journals? A journal [document] is used to record accounting.

General Ledger and Journals. Financial Services - GL and Journals presentation What are journals? A journal [document] is used to record accounting.
Tutorial 8: Developing an Excel Application

Tutorial 8: Developing an Excel Application
XP New Perspectives on Microsoft Excel 2003, Second Edition- Tutorial 8 1 Microsoft Office Excel 2003 Tutorial 8 – Developing an Excel Application.

XP New Perspectives on Microsoft Excel 2003, Second Edition- Tutorial 8 1 Microsoft Office Excel 2003 Tutorial 8 – Developing an Excel Application.
Auditing Concepts.

Auditing Concepts.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza

The Islamic University of Gaza
 Transaction  It is a business event for example a sale of inventory “Hall 2009”

 Transaction  It is a business event for example a sale of inventory “Hall 2009”
The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.

The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
CHAPTER 10 UNDERSTANDING INTERNAL CONTROLS Fall 2007

CHAPTER 10 UNDERSTANDING INTERNAL CONTROLS Fall 2007
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
1. Definition of a Reconciliation 2. Importance of a Reconciliation 3. When to Prepare a Reconciliation 4. Items Needed to Prepare a Reconciliation 5.

1. Definition of a Reconciliation 2. Importance of a Reconciliation 3. When to Prepare a Reconciliation 4. Items Needed to Prepare a Reconciliation 5.
Recordkeeping & Accounting

Recordkeeping & Accounting
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 1 The Impact of Information Technology on the Audit.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley The Impact of Information Technology on the Audit.

Similar presentations

Ads by Google