The Hidden Risk of End User Computing

1
The Hidden Risk ofEnd User Computing
ISACA London Chapter 22nd March 2007

• Roger Cooper

RJC Limited
Bringing End User Computing Under Control
2
(No Transcript)
3
(No Transcript)
4
AGENDA

• What is the extent of our EUC problem?
• How do we discover the compliance risks caused by
  EUC?
• How can we control the seemingly uncontrollable?
• How can IT Auditors help Business Functions
  minimise EUC risk?

5
What is End User Computing?

• Any computing activity developed and/or managed
  outside a recognised formal IT environment
• Typically MS Office tools
• But also anything else an enthusiastic end user
  can get their hands on.(reporting tools,
  interrogation packages, data mining tools, SQL,
  VB etc)
• A Business Unit Responsibility
• Not just a Business Unit Problem

6
EUC Challenges

• By definition, EUC operates outside of the normal
  IT control environment
• Immature controls, processes and (especially)
  documentation
• Often the bad use of a good tool
• Its only a tactical fix until we get a proper IT
  solution sorted out IFRS team quote
• It would cost too much to get IT to develop a
  solution
• IT cant deliver what we need fast enough
• Users PC literacy is increasing
• Easy to manipulate to aid and hide fraud
• Hidden costs
• Easy to build complex and unstable systems that
  fail prudential control requirements

7
Food for Thought

• Ray Panko, University of Hawaii
• Human error rate floor 5
• 94 of spreadsheets contain errors
• Dean Buckner, Financial Services Authority, UK
• UK has about 316,000 city workers and 30 of
  these use or develop spreadsheets
• The entire credit derivatives market runs on
  spreadsheets
• FSA will increase Capital requirement if they
  spot over-dependency on spreadsheets
• Spreadsheets are integral to the function and
  operation of the global financial system

8
If (when) it goes wrong?

• Fannie Mae - "honest mistakes made in a
  spreadsheet used in the implementation of IFRS
  drove the share price down 5, (4 billion)
• TransAlta Corp. took a 24 million charge to
  earnings after a bidding error caused by a
  cut-and-paste error in an Excel spreadsheet
• AIB Allfirst - A trader substituted links to his
  private manipulated spreadsheet. The total losses
  hidden by the fraud were almost 700M.
• More horror stories at http//www.eusprig.org/sto
  ries.htm

9
General Ledger Accounts
SAR Lines
1m
1m
1m
10
(No Transcript)
11
Compliance?

• SOX
• IFRS
• Basle
• GxP
• European Directive(s)
• and any other standard, regulation or regulator
  you care to name including your company rules

12
Sarbanes Oxley

• s404 demands detailed documentation and testing
  of key internal controls over financial reporting
  for US listed companies
• Serious Issues for CEO/CFO
• Not just for Christmas
• EUC has emerged as a significant SOX compliance
  issue
• Nothing breeds accuracy like accountability!

13
SOX The IT perspective

• Business Applications that provide financial data
  and information that contribute to the numbers
  and notes in the Financial Accounts
• General Computer Controls that support those
  applications
• End User Computing both of the above

14
One Companys SOX EUC Approach

• Financials Process Mapping
• EUC Discovery
• Evaluation
• Remediation
• EUC policy

15
An Alternative Approach

• EUC Discovery
• Data Ownership plus Confidentiality, Availability
  and Integrity assesment
• Tools
• EUC policy
• Evaluation
• Remediation

16
EUC Review Route Map

• Governance Review
• Project Scope and Objectives
• EUC Discovery Tools, bottom up top down
  approach
• EUC Definition what do they all do?
• Risk Analysis

Awareness - Now you know what you have and its
importance

• Risk Decision and Scoping
• Initial Testing
• Remediation Approach Definition
• Actual Remediation and Acceptance Testing

Baseline The Key EUC systems work as intended

• Change Control Process
• EUC Validation initial compliance review
• Monitoring ongoing compliance review process
• Management Review completing the circle

Desired State - Ongoing Control and Compliance
17
Business Actions

• Accept Ownership Take Control
• Know what you have got
• Know the risks
• Apply Controls according to Risk
• Adopt best practice for EUC Development and
  Control

18
IT Actions

• Help business users establish a best practice
  culture around their EUC
• Provide the lead by introducing strong,
  enforceable and generic EUC Policies, Standards
  and Guidelines
• Help the business leverage the flexibility and
  speed of EUC in an effective and efficient way -
  without losing control or benefits
• Provide a centre of excellence to provide
  practical expert technical guidance on EUC tools
  and practices.
• Work closely with the business help them
  understand the IT related risks and to migrate
  key risk-critical EUC to more robust platforms -
  within timescales and at a cost acceptable to the
  enterprise.

19
Where can IT Auditors add Value?

• Raise awareness of the EUC risks
• Work with Business Auditors to identify risky EUC
• Help the business develop sensible EUC controls
• Help IT understand the issues around EUC and how
  to support the Business

20
EUC Remediation Challenges

• Mindset Culture
• Access Control
• Version control
• Backup/Recovery
• Audit Trail
• Development Lifecycle
• Baselining

21
Control Frameworks

• Cobit
• 4 Domains, PO, AI, DS, M
• 34 Control Objectives
• End User Computing?
• ITGI - Cobit Framework for SOX
• New version published in September 2006
• Slightly more help but not much

22
(No Transcript)
23
EUC Lifecycle Lite
Develop
Change Required
BAU
24
EUC Lifecycle (Ideal)
DEV
Authorise
System Test
TEST
UAT
Specify
Ref Copy
PROD
Release
Change Required
BAU
25
Food for Thought

• Human error rate floor 5
• 94 of spreadsheets contain errors
• Nuclear Power Station Design
• Aircraft Design
• Rail Safety Design
• Life Sciences

26
Reference Sources

• EuSpRIG - http//www.eusprig.org/
• PwC Spreadsheet Guidance http//www.pwc.com/extweb
  /service.nsf/docid/CD287E403C0AEB7185256F08007F8CA
  A
• Spreadsheet modelling Guidance (IBM)
  http//www.eusprig.org/smbp.pdf
• Spreadsheet testing etc http//www.louisepryor.com
  /show.do?pagearticles
• IT Governance Institute (ITGI) Cobit based
  guidelines
• http//www.isaca.org/Template.cfm?SectionHomeTem
  plate/ContentManagement/ContentDisplay.cfmConten
  tID12406

27
Discovery Tools

• Server/Workstation Searches
• CS EXchecker - http//www.compassoft.com
• Compassoft Enterprise http//www.compassoft.com/
• Integrity (MS Access) http//www.spiritcomputing.c
  o.uk/

28
Testing Tools

• Native Excel Audit Tools
• CS EXchecker - http//www.compassoft.com
• XLSpell - http//www.sheetware.com/
• Rainbow Analyst - http//www.themodelanswer.com
• XLAnalyst - http//www.xlanalyst.co.uk/
• Spreadsheet Pro -http//www.spreadsheetinnovations
  .com
• Spreadsheet Detective http//www.spreadsheetdetect
  ive.com/
• XLsior - http//www.xlsior.com/show.do?pagedownlo
  ads
• SPACE - http//www.hmce.gov.uk/channelsPortalWebAp
  p/channelsPortalWebApp.portal?_nfpbtrue_pageLabe
  lpageSupport_Software
• Integrity (MS Access) http//www.spiritcomputing.c
  o.uk/

29
Logic Test Tools

• IDEA http//www.caseware-idea.com/fsh.asp?surl
  2Fdefault2Easp
• ACL http//www.acl.com/solutions/audit.aspx

30
Control Monitoring Tools

• Native Excel Change Tracking
• CS EXchecker - http//www.compassoft.com
• ClusterSeven - http//www.clusterseven.com/
• CS Dacs http//www.compassoft.com/
• Prodiance http//www.prodiance.com/solutions/spre
  adsheet.html
• Agilent RSME http//www.chem.agilent.com/scripts/p
  ds.asp?lPage36995
• Spirit Integrity (MS Access) http//www.spiritcomp
  uting.co.uk/

31
Contact Details

• Roger Cooper
• RJC Limited
• 21 Montgomery Road
• Havant
• Hampshire
• United Kingdom
• PO9 2RH
•  
• Telephone  (44) 2392 349955
• Mobile     (44) 771 896 8478
• Skype rogerjcooper
• Email roger_at_rjclimited.co.uk

32
?
?