Control Objectives for End User Computing / Model Risk Management
There is a growing list of international regulatory and advisory organizations that have published guidance on the objectives for the control of financial models and end user computing (mostly spreadsheets) within critical business processes. These control objectives are usually extended across all important business End User Computing (EUC) assets or End User Developed Applications (UDA), although Excel spreadsheet control is usually the most immediate target. Within this advice there is increasing recognition that the implementation of reliable, repeatable and demonstrable spreadsheet control will require electronic audit evidence (EAE) and therefore demand technology as part of the solution.
The main focus of these control objectives is those Excel spreadsheets and MS Access databases that have become embedded into the operational processes of the business to address data management/manipulation and reporting limitations in central applications, i.e. they are essentially business software applications.
In the past, control advice concerning software applications was generic - with little specific mention of Excel spreadsheets or MS Access databases. This often allowed businesses and IT to ignore these less formal applications. This is now changing - control guidance now commonly includes a prescriptive reference to spreadsheets.
ClusterSeven is at the forefront of helping organizations respond to these demands with solutions designed to help Internal Auditors and Information Security Officers locate and resolve vulnerabilities.
The following links and collateral are designed to enable readers to accelerate their assembly of control requirements that are relevant to their business sector.
The ClusterSeven solution set is regularly used to meet the demands contained in all of these mandates.
- Institute of Internal Auditors: Guidance for Auditing User Developed Applications
- PwC: Spreadsheet Control Objectives
- PwC: End User Computing for IFRS
- Spreadsheets & the Regulator by the FSA [UK financial services regulator]
- Spreadsheet & Solvency II by the FSA [UK financial services regulator]
- Protiviti: Spreadsheet Management FAQs
- Deloitte: Spreadsheet Management - Not what you figured
- Deloitte: End User Computing - Solving the Problem
- Deloitte: Improving Spreadsheet Audits in Six Steps
- Deloitte: NAIC Model Audit Rule & Implementation
- PCAOB Report on the First Year Implementation of Auditing Standard No.5 (p 8)
- PCAOB Guidance for Auditors of Smaller Public Companies
- FINRA 2010 Exam Priorities: Accounting & Spreadsheet Controls (p13)
“Because management relies on UDAs, which can be a significant part of financial reporting and operational processes, as well as related decision making, the internal auditor should determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.
The audit process includes a series of steps including identifying critical UDAs, evaluating the level of risk associated with each UDA, and testing the controls to determine whether they are sufficient to reduce associated risks to an acceptable level according to the organization's risk appetite and tolerance.”
Global Technology Audit Guide 14 - Auditing User-developed Applications