Institute of Internal Auditors: Control Objectives for User Developed Applications

Print Version

The Institute of Internal Auditors (IIA) recently published a report on auditing user developed applications (UDAs) - also called end user computing (EUC). The report shows how to scope an internal audit of UDAs and how the internal auditor’s role can assist management to develop an effective UDA control framework. It also contains a sample UDA process flow and a UDA internal audit program to help internal auditors organize and execute an audit.

The table below shows how ClusterSeven meets these audit objectives.

Control ClusterSeven Description

A. System Security & Access

ClusterSeven enables the identification of critical UDAs, associated access rights and can ensure continuous or periodic review.

B. Audit Trails

ClusterSeven ensures the creation of tamper proof audit trails held in a secure database together with continuous or periodic review.

C.Inputs, Edits & Interfaces

ClusterSeven identifies input data sources and enables the application of automated data validation rules. ClusterSeven also supports the automated reconciliation of data with other spreadsheets or applications, plus the roll-back of erroneous entries.

D.Data Processing & Data Integrity

ClusterSeven reports by exception all manual over-rides with User ID and time stamps, together with associated corrective action(s) and approvals measured against business objectives. In addition a wide variety of risky practices are highlighted including inactive automated recalculation, poor quality logic/VBA and the absence of cell-locking, alongside misleading presentation such as conditional formatting or hidden information.

E.Reports & Output

ClusterSeven can automatically reconcile totals and verify that critical logic is periodically validated.

F.Data Retention

ClusterSeven provides secure retention and archiving of data with reports on document aging.

G.Backup & Recovery

ClusterSeven maintains a list of critical EUC/UDAs with automated backup in a secure location. One click recovery is available to authorized users.

H.Change Management

ClusterSeven provides an automated change management process for spreadsheets and MS Access databases with full approval workflow and associated segregation of duties.

Print Version

Click here to access IIA GTAG 14: Auditing UDAs (nominal charge for non-members)

The Benefits of EUC Management?

“We now have our spreadsheets in an environment where they can be monitored and managed. We can audit the changes, control, and check that the things that should be altered are altered. Everyone focuses on things that shouldn’t change, but you also have to look carefully at the things that need to be changing.”

Don Simpson, MD of Operations and Technology, MUSI

“ClusterSeven’s technology has functionality in a number of areas, but its core strength is that it gives a fully auditable view of each spreadsheet. We can configure the technology to take all the manual efforts away from ensuring only the right changes occur.”

Stephen Ashton, Head of IT business management, Dresdner Kleinwort