The Certified Government Auditing Professional (CGAP) is one of three specialty certifications that are being phased out by the Institute of Internal Auditors (IIA)—and several government auditors who hold the CGAP aren’t very happy about it. “I’m disappointed but not surprised by the IIA’s short-sighted decision to phase out new applications to the CGAP,” Chris […]
Many finance departments would grind to a halt if forced to do without spreadsheets. They’re quick, easy and inexpensive tools for manipulating and analyzing data that just about anyone can master.
However, these attributes also mean that spreadsheets create a tremendous risk, particularly if their results are incorporated into the company’s financial reports or used to support a business’ operations.
With this in mind, the Institute of Internal Auditors (IIA) in June issued GTAG (global technology audit guide) 14, a guide for auditing what it calls “user-developed applications,” or UDAs. While spreadsheets are the most visible type of UDA, the term also can include applications like user-developed databases and reports. UDAs are “…created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions or summarize operational and financial data,” the IIA states.
By their nature, UDAs present three types of risk. One is data integrity – the old “garbage in, garbage out.” User developed applications don’t follow a structured application development cycle, and lack any sort of change management or version controls – that is, any number of individuals may be able to update a spreadsheet. All this increases the risk of inaccurate data making its way into the application.
Next is the risk that confidential data is compromised. Many UDAs can easily be attached to an email and sent to someone who shouldn’t have access to the data.
Finally, there’s what the IIA calls “availability risk.” Because many UDAs reside on flash drives and individual PCs, they’re easy to overlook when the company is backing up data. Or, the information can easily be lost altogether.
Internal auditors can take several steps in their audits to reduce the risks any UDAs in use pose to their firms. A starting point is identifying key UDAs. These typically are those that are part of the financial or management reporting processes, or use to comply with regulations. One-off spreadsheets used on an ad-hoc basis probably aren’t key.
The auditors also need to assess the risks posed by the key UDAs. To understand this, they’ll need to know who uses the applications, and how. From this, they can estimate the financial, operational and regulatory risks the UDAs present. The more complex the applications are, the more embedded they are in organizational processes, and the greater their complexity, the more risk they present.
Next up is examining the controls in place around the UDAs to determine if they reduce the risks to an acceptable level for the organization.
Spreadsheets and other user-developed applications play a valuable role in many organizations. At the same time, they can expose companies to a great deal of risk. Appropriate management and control is critical to mitigating the risks they present.
Galleon’s Rajaratnam Said He Was Duped in Illegal Tax Shelter [Bloomberg Businessweek]
Raj Rajaratnam, who is awaiting trial in an insider trading case set to take place this fall, claimed that he was “tricked into investing in an illegal tax shelter,” that was developed by KPMG and “tax shelter promoter” Diversified Group, according to a lawsuit from 2005.
Rajaratnam and Galleon co-founder Gary Rosenbach won a $5.8 million in an arbitrator’s judgment against Diversified Group and its president in 2009. KPMG was not mentioned in the judgment and neither Rajaratnam’s attorney nor KPMG would comment on the current r if the firm had made a payment to Raj.
Rajaratnam and Rosenbach said they were induced to invest in a shelter called “OPS,” or Option Partnership Strategy, which was developed by KPMG and Diversified as a way to generate fees for the firms.
“The OPS shelter was essentially an illegal basis-shifting scheme which — unbeknownst to plaintiffs — relied upon a disingenuous reading of the federal tax code,” his lawyers wrote in the complaint.
Prosecutors will be interested to know what Rajaratnam said under oath in his suit against KPMG to determine if any of his statements will be useful in their insider trading case.
United, Continental Agree to Combine [WSJ]
United Airlines and Continental Airlines have agreed to combine, in a stock swap valued at $3 billion.
The “merger of equals” would create the world’s largest airline that would control 21% of the total domestic capacity and be 8% larger than Delta Air Lines in terms of miles flown, serving 370 destinations. Assuming the deal does not raise any antitrust concerns and contracts for employees are approved in a timely fashion, the companies plan to complete the transaction in the 4th quarter of this year.
iPad for business – the taste test [ZDNet]
Dennis Howlett tested out an iPad and since some of you have, at the very least, wondered about it for your own professional use, here’s his take on Numbers, a spreadsheet application that he says is “gorgeous to look at” but has several drawbacks:
I found it was possible to create a confusing error formula. Ahem. That will require fixing. While Numbers has masses of functions (see illustration), there is no ability to create Pivot Tables. Those are the accountant’s stand by for reporting and the like. It’s boring but essential stuff. Without Pivot Tables, the iPad won’t get a sniff in the hands of this powerful and influential group. There is an alternative for the future. Some smart developers out there will build reporting applications that can run over the Internet. It is one of the gaping holes in the SaaS/cloud story requiring urgent attention.
Any other thoughts on iPad for accountants? Weigh in.
IIA Proposes New Standards for Internal Auditors [Compliance Week]
The Institute of Internal Auditors is requested comment on proposals for new standards that would include a requirement for internal auditors to provide audit opinions and to additional explanation of the responsibility of internal auditors for the work of contractors.
Grant Thornton closing Triad office, moving operations to Charlotte [Triad Business Journal (subscription required for full article)]
Grant Thornton finally got around to announcing the closure of its Greensboro/Triad office. We reported on the closure back in February. The firm announced that the “vast majority” of its approximately 30 employees would be moving to the firm’s offices in either Charlotte or Raleigh. The TBJ reports National Director of Communications, John Vita’s comments: “We remain committed to the Triad marketplace, however, we believe it can be best served over the long term by attracting the highest quality professionals who wish to work out of our larger offices in Charlotte and Raleigh.”