Auditing UserDeveloped Applications UDA End User Computing EUC
- Slides: 12
Auditing User-Developed Applications (UDA) End User Computing (EUC) Global Technology Audit Guide GTAG® 14 Adapted from www. theiia. org
UDA/EUC Definition • UDAs are applications that are developed by end users, usually in a noncontrolled IT environment. • Examples – – – Spreadsheets User databases Queries Scripts Output from various reporting tools • Used in EUC application www. theiia. org
UDA/EUC Users • Financial analysts creates spreadsheet to analyze budget variances. – Graphs would be nice as well! • • Reconciliation functions in accounting Computer assisted audit techniques (CAATs) Project management Management reports – Fraud? www. theiia. org
UDA/EUC Uses • What-if? analysis using tools such as – spreadsheet models or – more specialized tools such as risk or financial management packages, or – business intelligence software, • E. g. , used for monitoring sales and marketing performance of information stored in a data warehouse www. theiia. org
Benefits of UDA • Benefits of UDA – Quicker to develop and use – Readily available tools at a lower cost • MS Excel ($500) • Google sheet (Free) – Configurable and flexible • Simple to “power” developer / user – – – Tailored to user Allows creativity Competitive advantage (for the employee as well) Puts decision maker “nearer” data/information Relieves workload in IT www. theiia. org
Risks of UDA • The most significant risk is the integrity of the data and information managed and reported. • Management may assume that reports generated from UDA came from an ITdeveloped and controlled application • UDAs typically do not follow a systems development life cycle (SDLC) process. www. theiia. org
Risks of UDA • Control breakdowns can be traced to – Lack of a structured development process. – Data download issues • Inaccurate data (GIGO) – Increasing complexity of UDA over time • Multiple “authors” • Added analyses / worksheets – Lack of developer experience • “Hard” code data [Ctrl `] • “What if” not repeatable www. theiia. org
Risks of UDA • Control breakdowns can be traced to – Lack of version controls across users – Lack of documentation • Missing the worksheet that explains what the workbook is for www. theiia. org
Risks of UDA • Control breakdowns can be traced to – Lack of support • Users self-train, develop own techniques – Limited input and output controls – Lack of formal, if any, testing – Hidden data columns, rows, worksheets. • • Compromise of confidentiality Lack of DRP, backup. Duplication of efforts Lack of SOD: – programming, data, output rest with one person www. theiia. org
Review of UDA • Has management identified critical UDAs? • Highest significance – Risk assessment? – Mitigating controls • Review documentation (if any) • Access controls – – Change management Backup and recovery Security Data integrity. www. theiia. org
Best practices • Access guidelines • Source data – Data input area should not contain formulas – Input should follow source document – Lock formulas • Source output – Save separate workbook from each “what if” analysis or periodic report. – Standard format – Control access to output www. theiia. org
Best practices • Testing guidelines – Fraud detection • Logic guidelines • Version, backup, and archiving guidelines • Documentation guidelines – Document all the prior guidelines and practices – Can someone else do the task based on this? www. theiia. org
- Auditing user developed applications
- End user application software
- End user computing controls
- Apa itu end user computing
- Ifta audit manual
- Manual auditing and computerized auditing
- Single user and multi user operating system
- Single user and multiple user operating system
- The cloud in cloud computing refers to
- Computing applications building
- Challenges of grid computing
- Cs 498 cloud computing applications
- Practitioner myths in software engineering