The Hidden Risk of End User Computing - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Hidden Risk of End User Computing
ISACA London Chapter, 22nd March 2007
  • Roger Cooper

RJC Limited
Bringing End User Computing Under Control
4
AGENDA
  • What is the extent of our EUC problem?
  • How do we discover the compliance risks caused by
    EUC?
  • How can we control the seemingly uncontrollable?
  • How can IT Auditors help Business Functions
    minimise EUC risk?

5
What is End User Computing?
  • Any computing activity developed and/or managed
    outside a recognised formal IT environment
  • Typically MS Office tools
  • But also anything else an enthusiastic end user
    can get their hands on (reporting tools,
    interrogation packages, data mining tools, SQL,
    VB etc.)
  • A Business Unit Responsibility
  • Not just a Business Unit Problem

6
EUC Challenges
  • By definition, EUC operates outside of the normal
    IT control environment
  • Immature controls, processes and (especially)
    documentation
  • Often the bad use of a good tool
  • "It's only a tactical fix until we get a proper IT
    solution sorted out" (IFRS team quote)
  • "It would cost too much to get IT to develop a
    solution"
  • "IT can't deliver what we need fast enough"
  • Users' PC literacy is increasing
  • Easy to manipulate to aid and hide fraud
  • Hidden costs
  • Easy to build complex and unstable systems that
    fail prudential control requirements

7
Food for Thought
  • Ray Panko, University of Hawaii
  • Human error rate floor: 5%
  • 94% of spreadsheets contain errors
  • Dean Buckner, Financial Services Authority, UK
  • UK has about 316,000 City workers and 30% of
    these use or develop spreadsheets
  • The entire credit derivatives market runs on
    spreadsheets
  • FSA will increase capital requirement if they
    spot over-dependency on spreadsheets
  • Spreadsheets are integral to the function and
    operation of the global financial system

8
If (when) it goes wrong?
  • Fannie Mae - "honest mistakes made in a
    spreadsheet used in the implementation of IFRS"
    drove the share price down 5% ($4 billion)
  • TransAlta Corp. took a $24 million charge to
    earnings after a bidding error caused by a
    cut-and-paste error in an Excel spreadsheet
  • AIB Allfirst - a trader substituted links to his
    private manipulated spreadsheet. The total losses
    hidden by the fraud were almost $700M.
  • More horror stories at
    http://www.eusprig.org/stories.htm

9
[Diagram: General Ledger Accounts, SAR Lines; labels 1m, 1m, 1m]
11
Compliance?
  • SOX
  • IFRS
  • Basle
  • GxP
  • European Directive(s)
  • and any other standard, regulation or regulator
    you care to name including your company rules

12
Sarbanes Oxley
  • Section 404 demands detailed documentation and
    testing of key internal controls over financial
    reporting for US-listed companies
  • Serious Issues for CEO/CFO
  • Not just for Christmas
  • EUC has emerged as a significant SOX compliance
    issue
  • Nothing breeds accuracy like accountability!

13
SOX The IT perspective
  • Business Applications that provide financial data
    and information that contribute to the numbers
    and notes in the Financial Accounts
  • General Computer Controls that support those
    applications
  • End User Computing: both of the above

14
One Companys SOX EUC Approach
  • Financials Process Mapping
  • EUC Discovery
  • Evaluation
  • Remediation
  • EUC policy

15
An Alternative Approach
  • EUC Discovery
  • Data Ownership plus Confidentiality, Availability
    and Integrity assessment
  • Tools
  • EUC policy
  • Evaluation
  • Remediation

16
EUC Review Route Map
  • Governance Review
  • Project Scope and Objectives
  • EUC Discovery: tools, bottom-up and top-down
    approach
  • EUC Definition: what do they all do?
  • Risk Analysis

Awareness - Now you know what you have and its
importance
  • Risk Decision and Scoping
  • Initial Testing
  • Remediation Approach Definition
  • Actual Remediation and Acceptance Testing

Baseline - the key EUC systems work as intended
  • Change Control Process
  • EUC Validation: initial compliance review
  • Monitoring: ongoing compliance review process
  • Management Review: completing the circle

Desired State - Ongoing Control and Compliance
17
Business Actions
  • Accept Ownership, Take Control
  • Know what you have got
  • Know the risks
  • Apply Controls according to Risk
  • Adopt best practice for EUC Development and
    Control

18
IT Actions
  • Help business users establish a best practice
    culture around their EUC
  • Provide the lead by introducing strong,
    enforceable and generic EUC Policies, Standards
    and Guidelines
  • Help the business leverage the flexibility and
    speed of EUC in an effective and efficient way -
    without losing control or benefits
  • Provide a centre of excellence to provide
    practical expert technical guidance on EUC tools
    and practices.
  • Work closely with the business: help them
    understand the IT-related risks and migrate
    key risk-critical EUC to more robust platforms -
    within timescales and at a cost acceptable to the
    enterprise.

19
Where can IT Auditors add Value?
  • Raise awareness of the EUC risks
  • Work with Business Auditors to identify risky EUC
  • Help the business develop sensible EUC controls
  • Help IT understand the issues around EUC and how
    to support the Business

20
EUC Remediation Challenges
  • Mindset / Culture
  • Access Control
  • Version control
  • Backup/Recovery
  • Audit Trail
  • Development Lifecycle
  • Baselining

21
Control Frameworks
  • COBIT
  • 4 domains: PO, AI, DS, M (Plan and Organise,
    Acquire and Implement, Deliver and Support,
    Monitor)
  • 34 control objectives
  • End User Computing?
  • ITGI - COBIT framework for SOX ("IT Control
    Objectives for Sarbanes-Oxley")
  • New version (2nd edition) published in September
    2006
  • Slightly more help, but not much

23
EUC Lifecycle Lite
[Diagram: loop of Develop, BAU and Change Required]
24
EUC Lifecycle (Ideal)
[Diagram: DEV, TEST and PROD environments; stages Specify, Authorise, System Test, UAT, Release, Ref Copy, BAU, Change Required]
25
Food for Thought
  • Human error rate floor: 5%
  • 94% of spreadsheets contain errors
  • Nuclear Power Station Design
  • Aircraft Design
  • Rail Safety Design
  • Life Sciences

26
Reference Sources
  • EuSpRIG - http://www.eusprig.org/
  • PwC Spreadsheet Guidance -
    http://www.pwc.com/extweb/service.nsf/docid/CD287E403C0AEB7185256F08007F8CAA
  • Spreadsheet Modelling Guidance (IBM) -
    http://www.eusprig.org/smbp.pdf
  • Spreadsheet testing etc. -
    http://www.louisepryor.com/show.do?page=articles
  • IT Governance Institute (ITGI) COBIT-based
    guidelines -
    http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=12406

27
Discovery Tools
  • Server/Workstation Searches
  • CS EXchecker - http://www.compassoft.com
  • Compassoft Enterprise - http://www.compassoft.com/
  • Integrity (MS Access) -
    http://www.spiritcomputing.co.uk/

28
Testing Tools
  • Native Excel Audit Tools
  • CS EXchecker - http://www.compassoft.com
  • XLSpell - http://www.sheetware.com/
  • Rainbow Analyst - http://www.themodelanswer.com
  • XLAnalyst - http://www.xlanalyst.co.uk/
  • Spreadsheet Pro -
    http://www.spreadsheetinnovations.com
  • Spreadsheet Detective -
    http://www.spreadsheetdetective.com/
  • XLsior - http://www.xlsior.com/show.do?page=downloads
  • SPACE (HM Customs and Excise) -
    http://www.hmce.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true&_pageLabel=pageSupport_Software
  • Integrity (MS Access) -
    http://www.spiritcomputing.co.uk/

29
Logic Test Tools
  • IDEA -
    http://www.caseware-idea.com/fsh.asp?surl=%2Fdefault%2Easp
  • ACL - http://www.acl.com/solutions/audit.aspx

30
Control Monitoring Tools
  • Native Excel Change Tracking
  • CS EXchecker - http://www.compassoft.com
  • ClusterSeven - http://www.clusterseven.com/
  • CS Dacs - http://www.compassoft.com/
  • Prodiance -
    http://www.prodiance.com/solutions/spreadsheet.html
  • Agilent RSME -
    http://www.chem.agilent.com/scripts/pds.asp?lPage=36995
  • Spirit Integrity (MS Access) -
    http://www.spiritcomputing.co.uk/
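
The review route map (discovery, then a baseline, then ongoing monitoring) and the "Server/Workstation Searches" and "Native Excel Change Tracking" entries in the tool slides describe what the listed products do without showing the mechanics. The script below is an added example, not the presenter's code and not any of the products named: a stdlib-only Python scanner that walks a file share bottom-up, reads each Office Open XML workbook as the zip of XML parts it is, and reports the indicators that drive the risk decision (formula count, links to other workbooks, an embedded VBA project) together with a SHA-256 per file that a later monitoring run is compared against. The share layout, file names, the 50-formula "complex" threshold, the three-level risk ranking and the sample workbooks (minimal packages built inline, constructed for the example and not openable in Excel) are all assumptions of this example rather than anything the presentation prescribes.

```python
"""EUC discovery and baseline scanner for OOXML workbooks (added example).

A .xlsx/.xlsm is a zip of XML parts, so formulas, external workbook links
and VBA projects can be inventoried without Excel; a SHA-256 per file is
the baseline that later monitoring runs diff against.
"""
import hashlib
import os
import re
import shutil
import tempfile
import zipfile

SPREADSHEET_EXT = (".xlsx", ".xlsm", ".xltx", ".xltm")
FORMULA_RE = re.compile(rb"<f\b")      # one <f> element per formula cell
COMPLEX_FORMULA_COUNT = 50             # assumed threshold; tune per estate


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_workbook(path):
    """Return risk indicators for one workbook (raises BadZipFile if not OOXML)."""
    info = {"path": path, "sha256": sha256_file(path), "sheets": 0,
            "formulas": 0, "external_links": 0, "has_macros": False}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                info["sheets"] += 1
                info["formulas"] += len(FORMULA_RE.findall(zf.read(name)))
            elif name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                # Links to other workbooks: the mechanism a user can re-point
                # at a private file, as in the Allfirst case on slide 8.
                info["external_links"] += 1
            elif name == "xl/vbaProject.bin":
                info["has_macros"] = True
    if info["external_links"] or info["has_macros"]:
        info["risk"] = "high"          # assumed ranking for the example
    elif info["formulas"] >= COMPLEX_FORMULA_COUNT:
        info["risk"] = "medium"
    else:
        info["risk"] = "low"
    return info


def discover(root):
    """Bottom-up discovery: walk a share and scan every workbook found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(SPREADSHEET_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                found.append(scan_workbook(full))
            except zipfile.BadZipFile:
                # Renamed legacy .xls, corrupt or encrypted: still in scope,
                # so record it rather than silently skipping it.
                found.append({"path": full, "error": "not an OOXML package"})
    return found


def baseline_diff(baseline, current):
    """Compare {path: sha256} maps from two discovery runs."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}


def build_sample_workbook(path, formulas, sheets=1, external=False, macro=False):
    """Write a minimal OOXML package as constructed test data (not Excel-valid)."""
    rows = ['<row r="%d"><c r="A%d"><f>SUM(B%d:C%d)</f><v>0</v></c></row>'
            % (i, i, i, i) for i in range(1, formulas + 1)]
    if external:   # [1]Rates!$B$2 is how a cross-workbook reference is stored
        rows.append('<row r="%d"><c r="A%d"><f>[1]Rates!$B$2</f><v>0</v></c>'
                    '</row>' % (formulas + 1, formulas + 1))
    sheet = "<worksheet><sheetData>%s</sheetData></worksheet>" % "".join(rows)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for n in range(1, sheets + 1):
            zf.writestr("xl/worksheets/sheet%d.xml" % n, sheet)
        if external:
            zf.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
        if macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba stub")


def demo():
    """Discovery run, then a monitoring run after an uncontrolled edit."""
    root = tempfile.mkdtemp(prefix="euc-share-")        # hypothetical share
    month_end = os.path.join(root, "Finance", "Month-End")
    os.makedirs(month_end)
    consol = os.path.join(month_end, "consolidation.xlsx")
    build_sample_workbook(os.path.join(root, "Finance", "budget.xlsx"), 4)
    build_sample_workbook(consol, 30, sheets=2, external=True)
    build_sample_workbook(os.path.join(month_end, "pricing_model.xlsm"), 10, macro=True)
    with open(os.path.join(root, "old_model.xlsx"), "wb") as fh:
        fh.write(b"not a zip")                             # renamed legacy file
    first = discover(root)
    baseline = {r["path"]: r["sha256"] for r in first if "sha256" in r}
    # Someone edits the consolidation workbook outside change control.
    build_sample_workbook(consol, 31, sheets=2, external=True)
    current = {r["path"]: r["sha256"] for r in discover(root) if "sha256" in r}
    shutil.rmtree(root)
    return {"by_name": {os.path.basename(r["path"]): r for r in first},
            "diff": baseline_diff(baseline, current)}


if __name__ == "__main__":
    result = demo()
    for name, rec in sorted(result["by_name"].items()):
        print(name, rec.get("risk", rec.get("error")))
    print("changed since baseline:", result["diff"]["changed"])
```

Run directly, it prints one line per workbook with its risk rating and then the files whose hash moved between the two runs. In an estate review the `discover()` output is the raw material for the "Awareness" stage (each record still needs an owner and the financial-statement line it feeds attached by hand), and `baseline_diff()` run on a schedule is the "Monitoring" stage: an edit like the consolidation change here surfaces when it happens rather than at the next audit. Files that fail to open are reported as errors rather than dropped, because a renamed or legacy-format file is still in scope.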

31
Contact Details
  • Roger Cooper
  • RJC Limited
  • 21 Montgomery Road
  • Havant
  • Hampshire
  • United Kingdom
  • PO9 2RH
  • Telephone: +44 2392 349955
  • Mobile: +44 771 896 8478
  • Skype: rogerjcooper
  • Email: roger_at_rjclimited.co.uk

32
?