Posts Tagged 'Best Practices'

White Paper: Automating Spreadsheet Controls for Solvency II Model Compliance

Abstract
Spreadsheets, Access databases and other user-developed applications (UDAs) are front and center to Solvency II model development, providing flexibility and ample opportunities to optimize capital requirements. Absent the proper governance framework, these UDAs can be subject to a variety of unacceptable risks, including calculation errors due to faulty programming logic, non-compliance with the intent of the directive, and even fraudulent activity. This white paper examines the newly published governance mandates for Solvency II models, and offers a proven technology solution and best practices to help insurers and reinsurers in the European Union improve compliance while mitigating risk and driving significant process improvement.

Target Audience
CFOs, controllers, CIOs, COOs, CEOs, Chief Actuaries, VP IT Security & Risk, Certified Fraud Examiners, auditors, risk and compliance executives, spreadsheet developers, Solvency II project teams.

>>Download White Paper

Spreadsheet and UDA Control: 5 Do’s and Don’ts for Success in 2011

In September 2010, Prodiance held an annual user’s group conference in Orlando, Florida and we had an excellent turnout with representatives from several industries, including banking, insurance, capital markets, manufacturing, communications, oil and gas, and professional services. I thought a good way to share some of the key takeaways from the event was to summarize the best (and worst) practices for Spreadsheet and UDA control.

Top 5 Do’s for Successful UDA Management

1. Organize a UDA Steering Committee
To properly establish the tone at the top and send the message that controlling critical spreadsheets and user-developed applications (UDAs) is important to the business, you need to organize a steering committee. Members of the UDA Steering Committee should include an executive sponsor (e.g. CEO, CFO, CRO) and representatives from corporate governance, finance and accounting, tax, IT, internal audit, and any business lines using and developing the critical UDAs (e.g. in financial services LOBs typically include wealth management, asset management, investment banking, insurance, etc.).

2. Create a UDA Control Policy
I wrote about this in detail in a previous post and even offered to provide a sample template to anyone who requests it. Developing an effective UDA Control Policy is critical to the success of any project to help formalize the initiative, and to define expectations for users to follow when creating, updating, and working with UDAs that are considered mission critical. A good UDA Control Policy will define what a risky UDA is and list the key controls required. It will also list the minimum control requirements for users to follow for each level of risk. There are 12 key controls recommended by leading audit firms, but we have found that in practice most organizations implement 6 or 7 of these controls on average. The most common controls include back-up/archival, version control, change control, documentation, access control, segregation of duties, logic inspection. Advanced controls may include overall analytics, development lifecycle, security and data integrity (e.g. lock down), and input control.

3. Develop a UDA Operating Model
A UDA Operating Model is like a “controls cookbook” because it defines the required and optional controls to be implemented for mission critical UDAs, and provides guidance on how the controls will be satisfied/automated through the use of technology. It also includes details on how the chosen technology solution will be implemented, including standard configuration options (for software) and any best practice policies. If you are choosing a technology vendor for UDA control, make sure they can provide a UDA Operating Model template to use as a starting point.

4. Leverage Technology for Sustainable Controls
In order to manage complex spreadsheets, Access databases, and other UDAs, you will need a technology solution. It is impossible to control complex applications such as spreadsheets manually. Leveraging technology embeds controls into everyday business processes so that mitigating UDA risk becomes part of doing business as usual. Ironically, many organizations embark on UDA control projects and immediately start creating a (manual) inventory, relying on various user groups to provide a list of critical UDAs. The problem with this approach is that the inventory becomes quickly outdated as users create new UDAs on an ongoing basis. In fact, it may be outdated even while it is being created. Many aspects of UDA control can either be fully or partially automated, including discovery, inventory management, risk assessment, diagnostics, change and preventative controls, policy checks, exception management, and reporting. Automation allows end users to keep their day jobs, and provides visibility into the control environment for managers and auditors.

5. Remediate & Optimize!
Many organizations overlook the importance of making sure their critical UDAs are working properly, producing accurate results, and are free of any logic errors (a.k.a. logic inspection). There are a few keys to facilitating this process, including testing UDAs, documenting test results and remediating and/or optimizing UDAs. UDA testing can be automated to a large extent through the use of automated diagnostic tools such as Prodiance Spreadsheet IQ, alleviating manual hunting and pecking for errors and potential issues in UDA logic. Any results from the testing should be documented, and issues should be discussed with UDA owners along with any recommendations for remediation. Sometimes the results may indicate the UDA should be replaced with an IT controlled application (whether available off the shelf, custom or otherwise). In other cases, the UDA may require small corrections to formula logic or even complete redevelopment.

The Don’ts - 5 Surefire Ways to Fail

1. Don’t Boil the Ocean by Scoping 100% of UDAs
If you have 100,000 UDAs across multiple business units and geographies (as do many global firms), please don’t try to inventory and risk-assess all of them. Many of these UDAs may be outdated and no longer used. The best approach to avoid boiling the ocean is to follow some best practices, including performing a search/scan for UDAs created or modified during the last financial close cycle. Any UDAs identified through this process are most likely mission critical to your business because they have a direct impact on financial reporting. Additional considerations include starting with one LOB (e.g. finance, tax, private investments, etc.), and de-duping spreadsheet versions created from the same template.

2. Don’t Overlook Training!
To sustain the work completed during remediation and optimization, you should also consider training users on spreadsheet and UDA development best practices. Many organizations overlook the importance of training because many spreadsheets and UDAs are developed outside the control of IT (i.e. outside the software development lifecycle). However, there are some highly efficient, modular ways to develop spreadsheet models that provide built-in checks and balances where errors are much less likely to occur. Training on development best practices should be a key component in any successful UDA control initiative.

3. Don’t Implement Everything at Once!
As mentioned above, there are 12 key controls recommended by leading audit firms. PwC paved the way here in defining the required controls back in 2004, and the same control requirements still apply. However, now that we have been through several global implementations and technology adoption is ramping up, we are smarter and more sensible. To this end, implementing all 12 controls in a single project can be overwhelming. We have learned that implementing UDA controls in a phased approach leads to success. For example, try focusing on 6-7 key controls for phase one, and consider additional or advanced controls for phase two. The most critical (must have) UDA controls include: access control, version control, change control, and logic inspection. Tackle these first, as they are likely to satisfy auditor requirements.

4. Don’t Forget to Involve the Auditors and Regulators!
There is now an ever-increasing list of regulatory mandates impacting the use of spreadsheets and UDAs, including the Dodd-Frank Act, Solvency II, Basel II, SOX 404, the NAIC Model Audit Rule, 21 CFR Part 11, and OMB Circular A-123. Although none of these mandates specifically calls out the need for spreadsheet and UDA control, we know from experience that any spreadsheets and UDAs having a direct impact on financial, actuarial, and regulatory processes are being scrutinized heavily by internal and external auditors and regulators, including the SEC, OCC and FSA. So as part of your Spreadsheet and UDA Control initiative, make sure these parties are briefed on your control policy and environment, and that they bless it, before you implement a solution. Getting these parties on board early in the process will result in less time spent on spreadsheet control issues during ongoing audits and investigations. There is huge ROI to gain in shortening annual audit cycles regarding UDAs.

5. Don’t Follow – Be the Leader in Your Market!
Scott Dillman, partner at PricewaterhouseCoopers in New York, predicted that regulators will look to the top 1 or 2 companies within each industry to set an example for the rest of the market when it comes to implementing UDA controls. Based on his recommendation, taking a proactive approach to implementing Spreadsheet & UDA Controls appears to be the best route to success. Laggards are likely to be left behind the curve when it comes to regulatory inspections, or unprepared when a material error is uncovered. Don’t follow – Lead the pack!

I hope these ideas and best practices are helpful for your spreadsheet or UDA control initiative. I’d love to hear your comments and feedback!

Prodiance and ThinkIT Join Forces to Deliver ERM Solutions through Lean First! Methodology

Pleasanton, Calif. and Norwalk, Conn. – Prodiance Corporation, a leading provider of Governance, Risk and Compliance (GRC) software solutions, and ThinkIT, a leading IT strategy and consulting company that applies its Lean First! methodology to streamlining and automating business processes, today announced a formal partnership and comprehensive Enterprise Risk Management solution to automate internal controls for mission critical spreadsheets, Access databases, and other end-user computing (EUC) applications. The joint solution combines best of breed technology from Prodiance with professional services and domain expertise in LeanFirst! delivery methodology from ThinkIT to help firms improve internal controls while driving process efficiency.

“As an integration of Lean and SixSigma and other quality improvement programs, LeanFirst! is a methodology for aligning business and IT objectives, leveraging process improvement and reducing complexity and risk through simple metrics based outcomes,” said David Lee, Partner at ThinkIT. “We are very eager to combine Prodiance, the best of breed technology for spreadsheet control, with our unique experience in LeanFirst! to deliver faster results for clients.”

“The combination of ThinkIT’s leadership in process re-engineering and Prodiance’s experience in Enterprise Risk Management solutions made this the perfect partnership,” said Dr. Soheil Saadat, president and CEO at Prodiance. “By partnering with ThinkIT, we’re empowering customers to embed critical risk management controls into everyday business processes through best practices and technology automation.”

About Prodiance
Prodiance delivers Governance, Risk and Compliance (GRC) software solutions to help mitigate risk, increase transparency, and automate internal controls over End User Computing applications such as spreadsheets, databases and BI reports, which comprise a significant portion of mission critical data within organizations. Prodiance leverages over 20 years’ experience in delivering innovative technology solutions for highly regulated markets. Leading global organizations in more than 15 countries across 5 continents representing a wide variety of industries – banking, insurance, capital markets, energy, telecommunications, manufacturing, media and entertainment, food and beverage, health care, pharmaceutical, and education – have chosen Prodiance as a trusted partner to achieve their strategic goals. Prodiance Corporation is an independent, privately held company based in Pleasanton, California with offices in London, Chicago, Philadelphia, New York, The Netherlands, and Shanghai. Additional news and information about Prodiance solutions, products and services is available at www.prodiance.com or by calling +1.925.460.9191.

Prodiance PR Contact:
Eric Perry
Vice President, Marketing
Tel: +1-925-460-9191
Email: eric.perry@prodiance.com

About ThinkIT
ThinkIT is a global consulting company that specializes in the delivery of business solutions through innovative use of technology and process “lean-engineering.” Our philosophy is “Lean first then Digitize!” Whether your goals are to improve productivity, reduce costs, drive top line growth, increase customer loyalty, and/or instill strong controllership best practices, the ThinkIT team will deliver results backed by verifiable metrics and aligned to the goals of your business. For more information, please visit www.itthink.com.

ThinkIT PR Contact:
David Lee
Partner
Tel: +1-203-569-4142
Email: dlee@itthink.com

The Spreadsheet Risk Continuum

After more than 5 years of helping some of the world’s most successful global organizations reduce their risk and exposure due to uncontrolled spreadsheets, Access databases and other end-user computing (EUC) applications, it has become very clear that reducing the risk is as much about technology as it is about cultural change. Almost every company today is dealing with issues surrounding spreadsheet and EUC risk, all with varying levels of maturity. The way I see it, reducing the risk efficiently requires a few key ingredients for success, including: adopting a formal policy on End-user Computing, defining internal controls for critical spreadsheets and EUCs, incorporating best practices, and implementing new Spreadsheet Control technology. As these ingredients are put in place, the organization’s risk level eventually decreases along the Spreadsheet Risk Continuum.

Policies & Controls
In a previous post, I discussed the merits and basics of adopting a formal EUC policy. I have also discussed the latest auditor guidance on spreadsheet controls from the well-known white paper published in 2004 by PwC. There are about 10 key controls to consider, including: access control, version control, change control, backup and archival, input control, documentation, segregation of duties, logic inspection/analytics, development lifecycle and data integrity.

Best Practices
There are many best practices, but I will mention a few here. The first requires following a formal process when implementing Spreadsheet Control. At Prodiance, we have developed a methodology we call the Spreadsheet Management Lifecycle, which involves inventory, risk assessment, control, remediation and reporting. In addition, it is important to have users properly trained on how to efficiently develop spreadsheets. This can result in models that have less margin for error because they are developed properly and are well documented.

Technology
The final stage in the Spreadsheet Risk Continuum involves implementing a technology solution to help make the earlier stages sustainable. Without technology, the tasks and controls in the earlier stages become one-off projects, requiring end users to do extra work to follow policies. This manual approach often breaks down over time. So my point in all of this is the following:

To efficiently mitigate spreadsheet and EUC risk within an organization, there is a Spreadsheet Risk Continuum leading to success which requires a cultural change (e.g. policies, controls, best practices) and adoption of new technology.

What are your thoughts on this assertion?

Case Study: Improving Visibility & Control for Mission Critical Spreadsheets in Energy

In 2006, a leading US energy provider performed an audit of spreadsheets and end-user computing applications and recognized the need to establish tighter IT controls. Many key spreadsheets within finance and accounting operations were used in financial, regulatory and management reporting, and were considered in-scope for SOX 404 compliance. At the time, SOX testing for spreadsheets was a manual process evaluating access controls and security, documentation, change management, and formula and link verification.

The Need for Automated Controls
Initial testing results concluded that although spreadsheet controls were adequate, they were very manual in nature and difficult to sustain. The director of internal audit and team lead for the project identified a variety of spreadsheet risks, including:

  • Widespread use of spreadsheets
  • Security access issues
  • No audit trail for changes and management review
  • Outdated documentation
  • New users did not always understand the impact of changes made
  • Manually intensive and error-prone review and approval processes

Business Drivers
Operating within a highly-regulated industry, the company had many compelling reasons to automate and improve spreadsheet controls, including mitigating operational risk, reducing audit cycles, and enabling compliance with corporate, regulatory and legal mandates. As a public company, they are subject to SOX 404, SEC and industry-specific regulations. They maintain an active operational risk program and are driven by continual process and quality improvements on a year over year basis. In addition, the company manages hundreds of contracts and has an aggressive M&A strategy. As such, automating controls over critical spreadsheets affected by these mandates represented an opportunity to take a proactive approach to sustaining compliance.

Adopting a Lifecycle Approach
To mitigate these risks, the director of internal audit and his team set out to establish a new methodology for spreadsheet and EUC control by leveraging best practices, the latest guidance from auditors, and software technology to make the new process sustainable. The new spreadsheet control lifecycle included creating a spreadsheet inventory, performing a risk assessment to identify critical spreadsheets tied to financial reporting, and applying automated controls to help track and manage changes.

As a best practice, the project team established risk assessment criteria to help categorize spreadsheets as financial, analytical and operational. Some examples include spreadsheets used in revenue accruals, journal entries (e.g. balance sheet flux analysis, income statement flux analysis, etc.), power controls for plant operations, and management reporting. In addition, the team evaluated spreadsheet complexity, including the number of formulas and spreadsheet size (in MB), number of external links or data sources, and any formula or structural errors.

Identifying Risky Spreadsheets
Risk assessment criteria included:

  • Application or use of the spreadsheet
  • Dollar amount impacted or controlled
  • Number of formulas
  • Complexity of the formulas
  • Number and extent of external links

Any spreadsheets that were deemed critical became candidates for monitoring and control. Risk levels for linked spreadsheets were determined through a relational risk assessment process, where any dependent spreadsheets deemed critical also became part of the controlled spreadsheet population.
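As an added example (not Prodiance’s code, and not the scoring table from the original case study, which this page does not reproduce), the script below reads the same complexity signals described above (formula count, external links, file size) directly from xlsx packages, scores them against assumed thresholds, and then applies the relational risk assessment: every workbook that a critical spreadsheet pulls data from via an external link joins the controlled population, transitively. The workbooks are constructed in memory as minimal xlsx-shaped zip packages so the example runs offline; the package parts it reads (formulas as `<f>` elements under xl/worksheets/, link targets in xl/externalLinks/_rels/*.rels) are where real Excel files keep them, while the point thresholds, the risk-level cut-offs and the sample file names are assumptions.

```python
"""Added example: complexity scoring plus relational (link-based) risk assessment
for a constructed inventory of xlsx packages. Thresholds and names are assumed."""
import io
import re
import zipfile
from typing import Dict, List, Set

# Raw-XML signals: a formula cell is <f>...</f> (or <f t="shared" ...>), and every
# external-link relationship in the package carries a Target attribute.
FORMULA_RE = re.compile(rb"<f[ >]")
TARGET_RE = re.compile(rb'Target="([^"]+)"')


def build_workbook(formulas: int, links: List[str]) -> bytes:
    """Construct a minimal xlsx-shaped zip in memory (constructed sample, not a real
    Excel file): one sheet with `formulas` formula cells, one external link per target."""
    rows = "".join(
        f'<row r="{i}"><c r="A{i}"><f>B{i}*2</f><v>0</v></c></row>'
        for i in range(1, formulas + 1)
    )
    sheet = f"<worksheet><sheetData>{rows}</sheetData></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        for n, target in enumerate(links, start=1):
            z.writestr(f"xl/externalLinks/externalLink{n}.xml", "<externalLink/>")
            z.writestr(
                f"xl/externalLinks/_rels/externalLink{n}.xml.rels",
                f'<Relationships><Relationship Id="rId1" Target="{target}" '
                'TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


def inspect_workbook(name: str, data: bytes) -> Dict:
    """Pull the complexity signals from the parts where Excel stores them."""
    formulas, links = 0, []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if part.startswith("xl/worksheets/") and part.endswith(".xml"):
                formulas += len(FORMULA_RE.findall(z.read(part)))
            elif part.startswith("xl/externalLinks/_rels/"):
                links += [t.decode() for t in TARGET_RE.findall(z.read(part))]
    return {"name": name, "formulas": formulas, "links": links, "size_kb": len(data) / 1024}


def complexity_score(w: Dict) -> int:
    """Assumed point scale; the case study's own criteria table is not on this page."""
    f, kb = w["formulas"], w["size_kb"]
    points = 3 if f >= 500 else 2 if f >= 100 else 1 if f >= 1 else 0
    points += min(len(w["links"]), 3)  # each external link adds risk, capped at 3
    points += 2 if kb >= 1024 else 1 if kb >= 100 else 0
    return points


def risk_level(score: int) -> str:
    return "High" if score >= 5 else "Medium" if score >= 3 else "Low"


def propagate_criticality(inventory: List[Dict], critical: List[str]) -> Set[str]:
    """Relational risk assessment: every workbook a critical one pulls data from
    (through an external link) joins the controlled population, transitively."""
    by_name = {w["name"]: w for w in inventory}
    controlled: Set[str] = set()
    queue = list(critical)
    while queue:
        name = queue.pop()
        if name in controlled or name not in by_name:
            continue  # targets outside the inventory are a discovery gap, skipped here
        controlled.add(name)
        queue.extend(by_name[name]["links"])
    return controlled


def sample_inventory() -> Dict[str, bytes]:
    """Constructed sample packages; the names and link structure are made up."""
    return {
        "revenue_accrual.xlsx": build_workbook(600, ["fx_rates.xlsx", "plant_output.xlsx"]),
        "fx_rates.xlsx": build_workbook(5, []),
        "plant_output.xlsx": build_workbook(40, ["meter_feed.xlsx"]),
        "meter_feed.xlsx": build_workbook(0, []),
        "lunch_menu.xlsx": build_workbook(3, []),
    }


def run_assessment(packages: Dict[str, bytes]):
    """Score every package, then widen the controlled set along external links."""
    inventory = [inspect_workbook(n, d) for n, d in packages.items()]
    for w in inventory:
        w["score"] = complexity_score(w)
        w["level"] = risk_level(w["score"])
    critical = [w["name"] for w in inventory if w["level"] == "High"]
    return inventory, propagate_criticality(inventory, critical)


if __name__ == "__main__":
    inventory, controlled = run_assessment(sample_inventory())
    for w in inventory:
        flag = "CONTROLLED" if w["name"] in controlled else "-"
        print(f'{w["name"]:22} formulas={w["formulas"]:4} links={len(w["links"])} '
              f'score={w["score"]} level={w["level"]:6} {flag}')
```

Only revenue_accrual.xlsx scores High on its own, yet four of the five sample workbooks end up in the controlled population: the two low-complexity feeders it links to, and the feeder behind one of those, inherit its criticality. That is the point of the relational step, since a tampered or stale input file propagates into the critical model regardless of how simple the input file itself is. Link targets that are not in the inventory are skipped here; in a real run they belong on a discovery worklist.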

The Solution
To automate the spreadsheet controls environment, the company chose the Prodiance Enterprise Spreadsheet Manager (ESM) system, including Prodiance Spreadsheet Compare and Prodiance Spreadsheet IQ. “We selected Prodiance because of their robust set of tools, their credibility with industry analysts, and their responsiveness to meet our needs,” said the director of internal audit.

Prodiance ESM provided pervasive monitoring (24x7x365) of all changes to critical spreadsheets and automated change control through cell level audit trails and versioning. Prodiance Spreadsheet Compare was utilized by business analysts to compare changes between spreadsheet versions in a side-by-side fashion to help speed review and approval cycles. Prodiance Spreadsheet IQ provided automated spreadsheet diagnostics to help internal auditors accelerate spreadsheet error checking and the evaluation of links.

The Bottom Line
“By automating internal controls over critical spreadsheets with Prodiance technology, we have realized significant business benefits, including improved data integrity, fewer spreadsheet errors, reduced SOX testing of spreadsheets, reduced change control review, reduced remediation activity due to errors, reduced audit fees, and improved review and approval processes,” said the Chief Financial Officer for the company.

>>Download the Case Study (pdf)

EUC Best Practice #2: Implement an EUC Control Policy

I’m pleased to introduce the 2nd post in my EUC Best Practices Series. This one introduces the operational side of the equation. Although technology is required to mitigate EUC risk on a sustainable basis, having an operational model is also a critical success factor.

Why Your Organization Needs an EUC Control Policy
Putting technology aside, perhaps the most critical element to any EUC Control initiative is to first ensure that a corporate policy is in place to govern the lifecycle of critical spreadsheets, Access databases and EUCs. Without a corporate policy, there is no indication that mitigating EUC risk is important to the business, and no way to ensure the proper safeguards are in place. Mitigating EUC risk is as much about technology as it is about business process, so an EUC Control Policy is a must have for any successful project.

Who Gets Involved?
Typically, an EUC Control policy is created in collaboration with various business lines that develop, use, and monitor EUCs – the CFO or controller, managers in various lines of business, IT, and internal audit.

Manual vs. Automated Controls
The policy should be written to support the type of controls being put in place (i.e. manual vs. automated). For manual controls, keep in mind that users will likely be required to perform additional manual tasks to comply with the policy, and that there may be breakdowns in the process over time. These additional tasks can include things like periodic verification of proper access controls, creation and maintenance of the EUC inventory, risk assessment, documentation of critical EUCs, documentation and sign-off of significant changes, manual archiving of old versions, and periodic validation of high risk models.

Spreadsheet and EUC Management Software can automate many of these tasks. Keep in mind that if automated controls are being implemented with the deployment of new software, then the policy should be written to support and leverage the new software. This approach will ensure sustainable controls are embedded into everyday business operations.

So what goes into an EUC Control Policy?

Key Elements of an EUC Control Policy

  • Definition – A definition of EUCs along with some examples used within business lines (e.g. within finance, examples may include account reconciliations, journal entries, financial statements, etc.).
  • Categorization – Provide a taxonomy for users to identify and rank EUCs according to use (e.g. operational, financial, analytical) and risk levels (e.g. L1, L2, L3 or High, Medium, Low).
  • Risk Assessment – Provide a methodology for determining what a risky spreadsheet is within your business. This can be based on a variety of criteria and factors, including complexity, financial significance (i.e. materiality), use, business process, regulatory process, or any number of criteria. Deloitte defines EUC risk based on Complexity and Materiality per the following example:

[Figure: EUC risk model based on Materiality and Complexity]

A simplistic approach is to consider only Complexity as a first pass. The following is a simple algorithm for scoring EUCs based on Complexity. As mentioned above, other risk factors may include financial significance, business impact/use, and whether an EUC contains sensitive data or not.

[Figure: risk/complexity scoring criteria]

  • Control Requirements – Define the IT controls required for critical vs. non-critical EUCs. Controls recommended by leading tax and audit firms include: development lifecycle, segregation of duties, access control, documentation, change control, testing/diagnostics, version control, back-up and archival. A complete set of EUC controls and definitions can be found in the PwC white paper entitled The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act. Again, if automated controls are being implemented, make sure the policy is written per software usage guidelines and users are required to leverage the software to satisfy control requirements.
  • Compliance Requirements – Define what the minimum requirements are to comply with the policy. For example, you may require business lines to ensure end users are trained on the new policy as well as any new control software, that business lines inventory and risk rank their EUCs annually, and that business segments comply within a 12 month timeframe.
  • Ownership – Define who is responsible for owning and maintaining the policy. This is typically a risk and control function.
  • Policy Review Schedule – Define how often the policy will be updated or revised.
  • Definitions – Be sure to define any new terms or acronyms like EUC, UDA, risk assessment, etc.

Remember, the goal of the EUC Control policy is to set the minimum standards for managing the lifecycle of EUCs within the organization to effectively mitigate risk, prevent fraud, and improve business processes, while enabling compliance.

Feel free to email me to request a sample EUC Control Policy that you can customize for your organization.

Good luck and let’s hear your comments!

Executive Forums: Financial End-User Computing Risks & Controls

Executive Forums - September 16 & 18, 2009

When:

  • September 16, 2009 (Philadelphia, PA)
  • September 18, 2009 (Washington, D.C.)

End-user computing risks and controls are key components in sustaining compliance under Bill 198, Sarbanes-Oxley, and the Model Audit Rule for private insurers. Please join Prodiance and Jefferson Wells for an interactive presentation and discussion on spreadsheet compliance and the issues surrounding end user computing risks and controls.

Event Details:

  • 7:30 am – 8:00 am: Registration & Breakfast
  • 8:00 am – 11:00 am: Executive Forum, Discussion & Demonstration

CPE Credit: 3 hours

Who should attend: CFOs, Controllers, Compliance Officers, Internal Audit and Risk & Control Directors and Managers who have the responsibility for ensuring their organizations are complying with this key Bill 198 and Sarbanes-Oxley component.


For questions concerning these events, please contact Jennifer Lanigan at Jefferson Wells at (215) 399-2074.

Protiviti Says Unchecked Spreadsheets Can Lead to Major Accounting & Financial Reporting Problems

Yesterday Protiviti issued a press release and an update to their white paper entitled Spreadsheet Risk Management: Frequently Asked Questions. In the press release, Protiviti indicated that few organizations have properly addressed the risks associated with uncontrolled spreadsheets, but that they are now being forced to, driven by potential financial losses from errors and fraud, regulatory pressures, and increasing scrutiny from auditors.

The white paper examines the risks associated with uncontrolled spreadsheets and EUCs, cites various cases of error and fraud, presents a framework for spreadsheet control, best practices for measuring risk, and a review of available technologies.

While the white paper is spot on for the type of information companies need now – how to get started, practical advice, frameworks, best practices – it is light on promoting technology. The main goal of any spreadsheet or EUC control initiative should be to embed the controls into everyday business processes and to make them sustainable. This cannot be achieved via manual processes and policies alone. It has to be driven by technology and automated controls.

You can view the press release here and download the FAQ white paper here.

Enjoy, and please let me know your thoughts!

Spreadsheet Controls: Easy-to-apply techniques to mitigate risks (Jefferson Wells)

This article by Mike Hoye, Subject Matter Expert at Jefferson Wells, includes several pragmatic, yet easy to apply, remediation techniques for critical spreadsheets. Techniques include the use of color schemes, worksheet protection, data validation, and the use of tables for numeric constants. Read the full article here.

