Many finance departments would grind to a halt if forced to do without spreadsheets. They’re quick, easy and inexpensive tools for manipulating and analyzing data that just about anyone can master.
However, these attributes also mean that spreadsheets create a tremendous risk, particularly if their results are incorporated into the company’s financial reports or used to support a business’ operations.
With this in mind, the Institute of Internal Auditors (IIA) in June issued GTAG (global technology audit guide) 14, a guide for auditing what it calls “user-developed applications,” or UDAs. While spreadsheets are the most visible type of UDA, the term also can include applications like user-developed databases and reports. UDAs are “…created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions or summarize operational and financial data,” the IIA states.
By their nature, UDAs present three types of risk. One is data integrity – the old “garbage in, garbage out.” User-developed applications don’t follow a structured application development cycle and lack any sort of change management or version control – that is, any number of individuals may be able to update a spreadsheet. All this increases the risk of inaccurate data making its way into the application.
Next is the risk that confidential data is compromised. Many UDAs can easily be attached to an email and sent to someone who shouldn’t have access to the data.
Finally, there’s what the IIA calls “availability risk.” Because many UDAs reside on flash drives and individual PCs, they’re easy to overlook when the company is backing up data. Or, the information can easily be lost altogether.
Internal auditors can take several steps in their audits to reduce the risks any UDAs in use pose to their firms. A starting point is identifying key UDAs. These typically are those that are part of the financial or management reporting processes, or used to comply with regulations. One-off spreadsheets used on an ad-hoc basis probably aren’t key.
The auditors also need to assess the risks posed by the key UDAs. To understand this, they’ll need to know who uses the applications, and how. From this, they can estimate the financial, operational and regulatory risks the UDAs present. The more complex the applications are, and the more embedded they are in organizational processes, the more risk they present.
Next up is examining the controls in place around the UDAs to determine if they reduce the risks to an acceptable level for the organization.
Spreadsheets and other user-developed applications play a valuable role in many organizations. At the same time, they can expose companies to a great deal of risk. Appropriate management and control are critical to mitigating the risks they present.