Archive for the 'Auditor Guidance' Category

PwC Promotes Spreadsheet Integrity Review

PricewaterhouseCoopers recently published an overview of their service offering for a Spreadsheet Integrity Review to help organizations assess spreadsheet risk and “…develop a long-term strategy to effect timely, accurate, and flexible reporting.” The overview asserts that spreadsheets are integral to an organization’s information and decision-making framework, yet they are often developed and supported in uncontrolled environments. This lack of control can lead to a variety of errors, including input errors, logic errors, interface errors, and others including incorrect cell references and broken or incorrect links.

The promotion of this service offering by PwC suggests the firm is continuing its focus on helping organizations mitigate Spreadsheet and End-user Computing Risk. It is also consistent with recent guidance from the Institute of Internal Auditors (IIA) in GTAG-14, recommending all organizations consider formal programs to audit and control mission critical spreadsheets and EUCs.

You can read the full overview here on PwC’s web site.

New White Paper Addresses Guidance from the IIA’s GTAG-14 on Auditing User-Developed Applications

New Guidance from the Institute of Internal Auditors
According to the newly released Global Technology Audit Guide (GTAG®) 14: Auditing User-developed Applications from The Institute of Internal Auditors: “User-developed applications (UDAs) typically consist of spreadsheets and databases created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions, or summarize operational and financial data and reporting results. Almost every organization uses some form of UDAs because they can be more easily developed, are less costly to produce, and can typically be changed with relative ease versus programs and reports developed by IT personnel.”

The GTAG 14 is careful to point out that “once end users are given freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, end users inherit risks.” These risks include errors in UDA logic (e.g. honest mistakes), non-compliance with regulatory mandates, and even fraud – all leading to a high likelihood of material errors. GTAG 14’s primary emphasis is to provide direction to internal auditors on how to scope an internal audit of UDAs and assist management with developing an effective UDA control framework. It also outlines other considerations that internal auditors should address when performing UDA audits, including functional requirements for best-of-breed tools, and best practices for controls over UDAs.

New Prodiance White Paper Addresses IIA GTAG-14 Guidance
Last week, Prodiance launched a new white paper that summarizes how the Prodiance Enterprise Risk Manager (ERM) system and associated professional service offerings enable organizations to fulfill the IIA’s guidelines for identifying, monitoring, and controlling mission critical User-Developed Applications (UDAs). The new, complimentary white paper is entitled Addressing Guidance from the IIA’s GTAG-14 for Auditing User-Developed Applications and can be downloaded from the Prodiance.com web site via the following link.

Download the White Paper

New Guidance from the IIA on Performing Spreadsheet Audits

The Institute of Internal Auditors (IIA) just published a new Global Technology Audit Guide (GTAG 14) entitled Auditing User-developed Applications which encourages internal auditors to consider performing audits for critical spreadsheets used in financial reporting. The guide was authored by spreadsheet domain experts, and provides an overview of the challenges and risks organizations face with uncontrolled spreadsheets, Access databases and other user-developed applications (UDAs) and provides a roadmap with considerations for performing an audit. There are also several sample templates for defining what a risky spreadsheet is, as well as capturing documentation, control procedures, and more.

An IIA membership and login is required to download the new GTAG 14 guide for free. Alternatively, nonmembers can purchase a copy for $25 per the IIA from their bookstore.


OMB Circular A-123 and Spreadsheet Controls

I recently came across OMB Circular A-123 and thought it was worth a discussion regarding the intersection of this government regulatory mandate and the topic of Spreadsheet Controls. So, here is a quick rundown of what you need to know for government entities. Keep in mind this summary is focused on spreadsheet use in financial reporting and close-the-books activities within government agencies.

First, the Office of Management and Budget (OMB) Circular A-123 is the federal government’s version of SOX. Like SOX 404, it requires that management establish effective internal controls over the financial reporting (ICFR) process. Further, it requires that such controls and the assessment process be documented. As with SOX, material weaknesses (e.g. material misstatements due to spreadsheet errors) can result in non-compliance, and the OMB can request an audit opinion if needed to enforce corrective actions. It also recommends a risk assessment to identify areas at risk (e.g. uncontrolled spreadsheets used in financial reporting). In addition, Circular A-123 recommends continuous monitoring and testing to improve the control environment. As specified, “appropriate internal control should be integrated into each system…” which implies an automated approach is preferred over manual controls. With automation, effective controls can be embedded into the business process so that they become part of doing business as usual.

Control activities recommended in Circular A-123 include policies, segregation of duties, access control, documentation, accurate information processing (e.g. data integrity), input/output control, safeguarding of records (e.g. critical spreadsheets and EUCs), and monitoring of controls (e.g. reporting & dashboards). These are all standard control requirements which are consistent with SOX guidelines. That said, spreadsheet controls are not specifically called out, but as with SOX, the NAIC Model Audit Rule, Solvency II, Basel II, OCC guidelines and similar regulatory mandates, we do know that external auditors are scrutinizing the spreadsheet environment, especially when they see a heavy reliance on uncontrolled spreadsheets.

So, my recommendation on OMB Circular A-123 is to follow Big 4 auditor guidance on Spreadsheet Controls. As a government entity, to be prepared for an audit, you need to be able to answer a few questions with certainty and appropriate documentation:

  • Have you created an inventory of spreadsheets, Access databases and other end-user computing applications?
  • If so, have you performed a risk assessment to determine which ones are considered high risk (e.g. those that directly impact financial, regulatory and management reporting)?
  • For the high risk spreadsheets, what controls are currently in place?

If you can pass this test, then you have taken a proactive approach to mitigating the risks associated with uncontrolled spreadsheets. For more details on controls recommended by Big 4 auditors, I recommend reading my previous post on Spreadsheets and SOX 404 Compliance which references guidance from PwC.

Also, you can access the complete OMB Circular A-123 here.

Spreadsheets & Accounting Fraud – the Perfect Storm?

Accounting Fraud on the Rise
In November, PwC published a new report entitled The Global Economic Crime Survey: Economic Crime in a Downturn. Of 3,000 senior executives surveyed across 54 countries, 62% reported their organizations suffered a decline in revenues in the past year, and 40% reported the risk of economic crime has risen due to the recession. Given this 60-40 split, they expected organizations with increasing revenues would be immune to the increase in economic crime. However, this was not the case. To this end, economic crime remains a pervasive risk in today’s business environment, where there are increasing pressures to perform and increased opportunities to commit fraud, and where people’s attitudes are skewed by survival instinct and personal motivation.

Spreadsheets & Fraud – The Perfect Storm?
One of the key findings from the survey is the sharp rise in accounting fraud, which contributed 38% of reported cases and which PwC claims is linked to the economic downturn. If we then link this trend with the ubiquity of spreadsheets used in financial and management reporting, we have the “perfect storm” conditions for fraud to occur. Spreadsheets, PC databases and other types of end-user computing applications (EUCs) are used to support many key financial and operational processes, including (but not limited to) journal entries, account reconciliations, tracking and executing trades, revenue recognition, 401k contributions, executive compensation, actuarial processes, underwriting, budgeting, forecasting, and consolidation. Organizations are at risk and exposed when these mission critical spreadsheets are unmonitored and lack the proper IT controls such as change control, versioning, security and access control, segregation of duties, testing and validation, etc.

Is Your Organization at Risk?
So how do you know if your organization is at risk of spreadsheet accounting fraud? Clearly an assessment is needed which typically requires (at a minimum) performing an inventory and risk assessment of a sampling of key spreadsheets. This process can take several weeks or months to complete via manual means, but it can be accelerated by using Spreadsheet Management & Control software, domain expertise, and best practices from Prodiance. To read more about spreadsheets and fraud, I encourage readers to download my latest white paper entitled Fraud Detection & Prevention for Mission Critical Spreadsheets. For more details from the 2009 PwC Global Economic Crime Survey, you may download the full report here.

Your comments and thoughts?

PCAOB AS No. 5 Report Suggests Room for Improvement Over Testing of Spreadsheet Controls

On September 24, 2009 the Public Company Accounting Oversight Board (www.pcaob.com) issued their Report on the First-Year Implementation of Auditing Standard No. 5. The report provides an overview of the most common observations derived from inspections conducted during 2008 on registered firms’ first year implementation of AS No. 5. Because AS No. 5 is a follow-up to improving the implementation of the Sarbanes-Oxley Act of 2002, the focus is on internal controls over financial reporting (ICFR).

Spreadsheet Control Cited as Area for Improvement
Notable areas of focus for inspections conducted include risk assessment, fraud related risk, and focus for controls testing. Ironically, Spreadsheet Controls were cited among the suggested areas for improvement: “The inspectors also observed situations where auditors failed to test a relevant control appropriately or, in some cases, at all. For example, inspectors observed instances where the auditors’ testing of controls over financially significant applications was dependent on appropriate segregation of duties, but the auditors did not test to determine whether appropriate segregation of duties existed. Similarly, in some instances, the auditors tested certain controls without testing the system-generated data on which the tested controls depended; the auditors did not test controls over applications that processed financially significant transactions, including important manual spreadsheets; or the auditors observed evidence of review and approval controls (e.g. management sign-off evidencing review and approval) without testing the design or operating effectiveness of management’s controls.”

Spreadsheet Management Lifecycle

What it Means to Your Business
Based on this new report, the focus on scrutinizing Spreadsheet Controls for SOX 404 and AS No. 5 compliance is likely to continue, demanding that organizations take a proactive and sustainable approach to implementing policies, procedures, best practices and new technology to help automate the process. Best practices and auditor guidance suggest that following a lifecycle approach (including inventory, risk assessment, management and control, optimization, certification and reporting) leads to efficient risk mitigation, more efficient spreadsheet processes, reduced audit fees, faster audit cycles, and improved compliance.

Access the full report.

New E&Y Viewpoint Outlines Spreadsheet Risk in Automotive Industry

In a recent Viewpoint, Dan Smith of E&Y highlighted the risks of using uncontrolled spreadsheets in the automotive industry. Smith suggests that the industry is currently undergoing extreme financial stress, and that automakers should actively manage the spreadsheet risk while putting the proper governance structure in place. Smith also offers some best practices and claims managing spreadsheet risk is among the top priorities for the current year.

You can download the article here.

Protiviti Says Unchecked Spreadsheets Can Lead to Major Accounting & Financial Reporting Problems

Yesterday Protiviti issued a press release and an update to their white paper entitled Spreadsheet Risk Management: Frequently Asked Questions. In the press release, Protiviti indicated that few organizations have properly addressed the risks associated with uncontrolled spreadsheets, but that they are now being forced to do so by potential financial losses from errors and fraud, regulatory pressures, and increasing scrutiny from auditors.

The white paper examines the risks associated with uncontrolled spreadsheets and EUCs, cites various cases of error and fraud, presents a framework for spreadsheet control, best practices for measuring risk, and a review of available technologies.

While the white paper is spot on for the type of information companies need now – how to get started, practical advice, frameworks, best practices – it is light on promoting technology. The main goal of any spreadsheet or EUC control initiative should be to embed the controls into everyday business processes and to make them sustainable. This cannot be achieved via manual processes and policies alone. It has to be driven by technology and automated controls.

You can view the press release here and download the FAQ white paper here.

Enjoy, and please let me know your thoughts!

New Deloitte Podcast Highlights Uncontrolled Spreadsheets as a Key IT Concern

This new podcast entitled Balancing Act – A Risk Management Solution for Spreadsheets by Sarah Adams and Tim Burdick of Deloitte urges companies to establish an effective risk management program for critical spreadsheets. It includes best practices on conducting an inventory, risk ranking, when conversion (into an IT application) is required, baselining, required preventive and detective controls, and business benefits of establishing an effective spreadsheet and EUC management framework.

View the podcast here

Spreadsheets & the NAIC Model Audit Rule – Are You Ready?

Starting in 2011 (for the 2010 reporting period), many private insurance firms will have to submit reports to the NAIC to certify their internal control over financial reporting (ICFR). Similar to SOX 404 for public companies, the NAIC Model Audit Rule requires the CEO and CFO to certify the effectiveness of ICFR and disclose any material weaknesses. Although adoption of the Model Audit Rule will be on a state by state basis, one of the key areas of auditor scrutiny under SOX 404 has been over the effectiveness of Spreadsheet and End-user Computing (EUC) Controls.

Leading audit firms recommend that companies take a proactive approach to Spreadsheet & EUC Controls in preparing for the NAIC Model Audit Rule, and there are several resources available from Deloitte and Protiviti on the subject.

On the technology side, Prodiance recently hosted an online seminar on this topic entitled Spreadsheets and the NAIC Model Audit Rule and published a complementary white paper.

Both the online seminar and white paper promote an automated approach using spreadsheet and EUC control software to help sustain compliance with NAIC Model Audit Rule mandates.

Additional Resources:
