Auditing User-Developed Applications (UDA) / End User Computing (EUC)

Global Technology Audit Guide GTAG® 14, adapted from www.theiia.org

UDA/EUC Definition
• UDAs are applications that are developed by end users, usually in a non-controlled IT environment.
• Examples:
  – Spreadsheets
  – User databases
  – Queries
  – Scripts
  – Output from various reporting tools
• Such applications make up end user computing (EUC)

UDA/EUC Users
• A financial analyst creates a spreadsheet to analyze budget variances.
  – Graphs would be nice as well!
• Reconciliation functions in accounting
• Computer assisted audit techniques (CAATs)
• Project management
• Management reports
  – Fraud?

UDA/EUC Uses
• What-if analysis using tools such as
  – spreadsheet models,
  – more specialized tools such as risk or financial management packages, or
  – business intelligence software, e.g. for monitoring sales and marketing performance using information stored in a data warehouse

Benefits of UDA
• Quicker to develop and use
• Readily available tools at a lower cost
  – MS Excel ($500)
  – Google Sheets (free)
• Configurable and flexible
• Simple for the "power" developer/user
• Tailored to the user
• Allows creativity
• Competitive advantage (for the employee as well)
• Puts the decision maker "nearer" the data/information
• Relieves workload in IT

Risks of UDA
• The most significant risk is the integrity of the data and information managed and reported.
• Management may assume that reports generated from a UDA came from an IT-developed and controlled application.
• UDAs typically do not follow a systems development life cycle (SDLC) process.

Risks of UDA
• Control breakdowns can be traced to
  – Lack of a structured development process
  – Data download issues
    • Inaccurate data (garbage in, garbage out)
  – Increasing complexity of the UDA over time
    • Multiple "authors"
    • Added analyses/worksheets
  – Lack of developer experience
    • "Hard-coded" data inside formulas (in Excel, Ctrl+` toggles formula display so these can be spotted)
    • "What-if" analysis not repeatable

Risks of UDA
• Control breakdowns can be traced to
  – Lack of version control across users
  – Lack of documentation
    • Missing the worksheet that explains what the workbook is for

Risks of UDA
• Control breakdowns can be traced to
  – Lack of support
    • Users self-train and develop their own techniques
  – Limited input and output controls
  – Lack of formal testing, if any
  – Hidden data columns, rows, and worksheets
    • Compromise of confidentiality
  – Lack of disaster recovery planning (DRP) and backup
  – Duplication of effort
  – Lack of segregation of duties (SOD)
    • Programming, data, and output rest with one person

Review of UDA
• Has management identified critical UDAs?
• For those of highest significance:
  – Risk assessment?
  – Mitigating controls
    • Review documentation (if any)
    • Access controls
    • Change management
    • Backup and recovery
    • Security
    • Data integrity

Best practices
• Access guidelines
• Source data
  – The data input area should not contain formulas
  – Input should follow the source document
  – Lock formulas
• Source output
  – Save a separate workbook for each "what-if" analysis or periodic report
  – Standard format
  – Control access to output
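Several of the control breakdowns on the risk slides (hidden rows, columns and worksheets; data hard-coded inside formulas; formulas that are not locked) and the source-data practices above (no formulas in the input area, lock formulas) can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the GTAG or from the presentation: a Python script that uses only the standard library, opens an .xlsx as the zip of XML parts it actually is, and reports those conditions. The workbook it audits is constructed inline (the sheet names Inputs, Model and Scratch and their cell contents are hypothetical), and the convention that any sheet whose name starts with "Input" is the data-entry area is an assumption an auditor would replace with the organization's own naming standard.

```python
"""Static audit of an .xlsx workbook for common UDA control breakdowns.

An .xlsx file is a zip of XML parts, so no spreadsheet library is needed to
look for hidden sheets/rows/columns, formulas in the input area, sheets whose
formulas are not locked, and numeric literals hard-coded inside formulas.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": M, "r": R, "p": P}

# Numeric literal in a formula that is not the row part of a cell reference (B2, $C$10).
# Heuristic: it also flags legitimate literals such as ROUND(x, 2); tune per workbook.
HARDCODED = re.compile(r"(?<![A-Za-z$\d.])\d+(?:\.\d+)?")


def build_sample_workbook() -> bytes:
    """Constructed, hypothetical budget-variance workbook: minimal XML parts only."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
        '<sheet name="Inputs" sheetId="1" r:id="rId1"/>'
        '<sheet name="Model" sheetId="2" r:id="rId2"/>'
        '<sheet name="Scratch" sheetId="3" state="hidden" r:id="rId3"/>'
        "</sheets></workbook>",
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{P}">'
        '<Relationship Id="rId1" Type="ws" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="ws" Target="worksheets/sheet2.xml"/>'
        '<Relationship Id="rId3" Type="ws" Target="worksheets/sheet3.xml"/>'
        "</Relationships>",
        # Inputs: protected, but B3 is a formula sitting in the data-entry area.
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{M}"><sheetProtection sheet="1"/>'
        '<sheetData><row r="2"><c r="B2"><v>1000</v></c></row>'
        '<row r="3"><c r="B3"><f>B2*1.05</f><v>1050</v></c></row></sheetData></worksheet>',
        # Model: unprotected, hidden column C and hidden row 4, tax rate hard-coded in B5.
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{M}">'
        '<cols><col min="3" max="3" width="9" hidden="1"/></cols><sheetData>'
        '<row r="2"><c r="B2"><f>Inputs!B2</f><v>1000</v></c></row>'
        '<row r="4" hidden="1"><c r="B4"><v>42</v></c></row>'
        '<row r="5"><c r="B5"><f>B2*0.21</f><v>210</v></c></row>'
        '<row r="6"><c r="B6"><f>SUM(B2:B5)</f><v>1252</v></c></row>'
        "</sheetData></worksheet>",
        # Scratch: a hidden worksheet (hidden data, confidentiality concern).
        "xl/worksheets/sheet3.xml": f'<worksheet xmlns="{M}"><sheetData/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def audit_workbook(xlsx_bytes: bytes, input_prefix: str = "Input") -> list[tuple[str, str, str]]:
    """Return (sheet, location, issue) findings; sheets named input_prefix* are input areas."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target = {rel.get("Id"): rel.get("Target") for rel in rels.findall("p:Relationship", NS)}
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings.append((name, "sheet", "hidden sheet"))
            ws = ET.fromstring(z.read("xl/" + target[sheet.get(f"{{{R}}}id")]))
            # Cell locking only takes effect when the worksheet itself is protected.
            protected = ws.find("m:sheetProtection", NS) is not None
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append((name, f"cols {col.get('min')}-{col.get('max')}", "hidden column(s)"))
            has_formula = False
            for row in ws.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append((name, f"row {row.get('r')}", "hidden row"))
                for cell in row.findall("m:c", NS):
                    f = cell.find("m:f", NS)
                    if f is None or not f.text:
                        continue
                    has_formula = True
                    ref = cell.get("r")
                    if name.lower().startswith(input_prefix.lower()):
                        findings.append((name, ref, "formula in input area"))
                    for lit in HARDCODED.findall(f.text):
                        findings.append((name, ref, f"hard-coded literal {lit}"))
            if has_formula and not protected:
                findings.append((name, "sheet", "formulas not locked (no sheetProtection)"))
    return findings


if __name__ == "__main__":
    for sheet, where, issue in audit_workbook(build_sample_workbook()):
        print(f"{sheet:8} {where:10} {issue}")
```

Run against the constructed workbook, the script reports the hidden Scratch sheet, the hidden column and row on Model, the formula placed in the Inputs data-entry area, the two numeric constants buried in formulas (1.05 and 0.21), and the fact that Model has formulas but no sheet protection. The cached `<v>` values are deliberately ignored: the audit is about how the workbook is built, not what it currently displays, which is the same distinction the "what-if not repeatable" risk makes.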

Best practices
• Testing guidelines
  – Fraud detection
• Logic guidelines
• Version, backup, and archiving guidelines
• Documentation guidelines
  – Document all the prior guidelines and practices
  – Can someone else do the task based on this?