End User Computing / Desktop Apps Audit Process & Internal Control December 11, 2013
Feb 12, 2016
Page 2
Agenda
What are they?
What about them?
What goes wrong?
What should be controlled?
Determining Your SOX Population
Inspection Requirements
Page 3
What are they?
EUCs (sometimes referred to as desktop
applications) are tools developed and employed
by end-users to assist in facilitating judgments or
calculating numbers that impact financial
statements or related footnote disclosures.
These are usually in the form of desktop tools
such as spreadsheets, databases and other
reporting tools such as report writers.
Page 4
What about them?
Lack of adequate control mechanisms applied to EUCs
may jeopardize the accuracy, integrity, and timely
availability of data. Reliance on inaccurate data can
result in poor management decisions and possibly lead
to inaccurate financial reporting.
EUCs often cover many assertions for SOX coverage.
This requires standards to be utilized in determining the
required control structure that should surround EUCs
and what elements the control structure should
contemplate.
Page 5
What goes wrong?
Errors in the download from the company’s systems, such as:
a. An incomplete download (e.g., missing a G/L account or a region).
b. An out-of-date download / query.
c. A partial download, where transmission or other errors prevented completion of the entire download.
Use of an intermediate database (e.g., a data warehouse) that is not
complete, accurate, or current.
The incorrect population of the download data into the various cells in the
spreadsheet.
Errors in spreadsheet calculations, sorts, or other programmable elements.
Overwriting formulas with data.
Use of an out-of-date spreadsheet, including use of a current spreadsheet
where the calculations are not refreshed.
Changes to the data by the user.
Errors in the understanding or use of the spreadsheet (e.g., where the user is
not the developer and picks up the wrong total).
Changes to the spreadsheet by another user due to poor security controls.
Page 6
What should be controlled?
ITGC | EUC
Security | Security & Data Integrity
User Access | User Access & Segregation of Duties
Change Management | Input, Logic, Output Review & Approval
Backup and Recovery | Backup
3rd Party Service Contracts
Data Center
Documentation
Page 7
Population Determination
Need Identification process for EUCs
Leverage SOX process
Inventory of All EUCs
Classification of Complexity: Simple, Moderate, Complex
Consider: complexity of calculations, size of model, understanding / documentation of the
business process, uses of the model’s output, sources of model’s input, number of users,
frequency & extent of changes to model
Determination of In-Scope for SOX:
Complex EUC used to determine financial statement transaction amounts or balances that are
populated into the general ledger and / or financial statements.
And
Any one or more of the following:
Used to calculate or record a Journal Entry in aggregate in any Quarter equal to or greater than
$5M.
Used to reconcile or support an Account Reconciliation with G/L balance equal to or greater
than $5M.
Used to support a footnote or other financial disclosure
Page 8
Desktop Applications (EUC)
Xerox has an Accounting policy for their Internal Control Framework
Sub policy relating to controls over End User Computing
Applications
Requirements and responsibilities documented
Purpose of the Accounting policy:
Provides guidelines and standards that EUCs should have in place to
support the development of accurate financial reporting data.
Outlines the standards to be utilized in determining the required control
structure that should surround EUCs and what elements the control
structure should consider.
NOTE:
• Lack of adequate control mechanisms applied to EUCs may jeopardize
the accuracy, integrity, and timely availability of data.
• Reliance on inaccurate data can result in poor management decisions
and possibly lead to inaccurate financial reporting.
Page 9
Desktop Applications (EUC)
Template #2 provides the
background for the
desktop application.
Page 10
Desktop Applications (EUC)
Template 2 includes the following information:
Desktop Application ID #
Desktop Application Name
Application Type
Owner
Approver
SLT Member / XCS Sr. Mgr.
Frequency of Use (i.e., Monthly, Quarterly)
Frequency of Backup
Location of Application
Financial Statement Impacts Via (check all that apply):
Journal Entry (directly or downstream)
Account Reconciliation
Segment Reporting
Other (please describe)
Page 11
Desktop Applications (EUC)
Template 2 includes the following background information:
a) PURPOSE
What activity is reflected in this application? Why is it used?
b) KEY FACTORS
Examples include benefit rates, bonus accrual %
c) KEY ASSUMPTIONS
What assumptions are being made that impact the output?
d) KEY CALCULATIONS
What are the primary calculations in this application?
e) SOURCES OF INPUT / KEY INPUTS
What is the source(s) of the information used in this application?
What are the key inputs?
f) INPUT ACCESS
Who has access / authority to update the application?
g) TIMING
How often does the application impact the financial statements –
daily, weekly, monthly, quarterly, etc.?
Also documented: Prepared by, Date Prepared, Date Revised
Page 12
Desktop Applications (EUC)
This template is useful for a variety of reasons:
• Good tool for training / cross training
• Able to reperform / restate financials
• Facilitates approval
• Increases the ease of audit inspection
NOTE: It’s important to keep the data in the template current
Page 13
Desktop Applications (EUC)
Page 14
Desktop Applications (EUC)
Completed by both preparer and approver
Questions being acknowledged include:
Is Template #2 current and accurate?
Are all inputs validated?
Input is from a Sarbox tested area
Input is from an existing Desktop Application
Input is not Sarbox tested and does not come from an existing desktop application, but validation is performed to ensure information received is accurate and complete.
Are formulas, queries, macros, etc. that are part of the desktop application reviewed?
Is the output reasonable?
Is there a backup of the desktop application?
Is the application password protected if on a shared drive?
Template #1 – Desktop Applications Internal Controls Acknowledgement
Page 15
Inspection Requirements
Areas of Focus during Inspection:
Are both a Template 1 and a Template 2 provided?
Does the Template 2 make sense? Is it sufficiently written such that an outside reviewer could make sense of it?
Where do the inputs come from? Is the source of the input from a Sarbox application or an existing Desktop Application? If not, has evidence of the review of the input been supplied?
Independent inspection of spreadsheets is conducted by Internal Control – EXchecker software is utilized
Has the approver inspected and documented the inspection of some of the key formulas, macros and queries?
Locked spreadsheets (files that prevent any changes to the content)
Printout of access query detail signed by approver
Tools / Analyze / Documenter – query detail printed, noting it was reviewed. The last update date is noted.
Printout of spreadsheet noting which formulas were reviewed
Page 16
Inspection Requirements
Areas of Focus during Inspection:
Is there evidence the output is reasonable?
Examples include:
If the desktop application supports an account reconciliation, the fact the output ties to the account reconciliation balance is sufficient
Trend analysis, showing prior periods, expected amounts, and actual application amounts
Is there a backup copy? Where is it located?
Is the desktop application password protected if in a shared location?
Page 17
Inspection Requirements
Xerox currently has about 65 in-scope desktop applications
Most “key” desktop applications (as determined by PwC and I/C) are inspected annually
A sample selection of “non-key” applications is inspected annually
Any selections that failed a quarterly inspection will be inspected the following quarter
Quality of desktop applications impacts overall sample size. A change in overall quality will impact future sample size
Review current processes to identify potential desktop application adds
Review current desktop applications to identify potential removals
Final Comments
Page 18
Questions?