Approximately 68% of an enterprise’s corporate data is managed in IT Department-controlled applications and 32% is stored in key Microsoft Excel spreadsheets(1), Microsoft Access and other databases(2), business intelligence tools (e.g., reporting tools), Microsoft Word and other forms of documents, web-oriented architecture “mashup” approaches(3) and other end user computing applications. Often the 32% portion of corporate data exists in relatively uncontrolled environments and may lack the same safeguards and controls applied to the 68% portion of corporate data under IT Department control. This deficiency in safeguards and controls can result in negligent errors, as was the case with TransAlta Corp., which took a $24 million charge to earnings after a bidding error caused by a cut-and-paste mistake in an Excel spreadsheet(4). The lack of adequate safeguards and controls can also permit dishonest users to engage in fraud, as happened with AIB’s Allfirst Bank, where a trader hid a $700 million loss by substituting links in a company spreadsheet to his private manipulated spreadsheet(5). For regulated enterprises, this can lead to regulatory compliance issues(6).
The applications and tools created by end users that raise control issues as part of the 68% portion of enterprise data are commonly referred to as “End User Computing Applications (EUCs)”. Typical control issues with EUCs include:
- Poor design or ineffective testing, resulting in misstatements in financial reports and/or poor investment decisions
- Little or no access controls, resulting in breaches of confidentiality and/or fraud
- Lack of adequate documentation, resulting in losses due to inability to maintain applications and/or inefficiencies
- EUC not on network or not part of disaster recovery plan, resulting in the application not being available when needed
- Data history not maintained, resulting in a loss of a required audit trail and the inability to back-track
- A lack of scalability, resulting in the application becoming unstable or unusable as the volume of transactions grows
- Linkages with data sources not maintained, resulting in the IT Department not having a line of sight into the operating environment
External auditors are increasingly requiring enterprises to adopt documented control processes and technical controls in order to reduce the risks associated with EUCs(7). Some of the possible controls include development and enforcement of policies(8) (together with user training), automation of workflows, enforcement of version and change controls(9), access controls by basing EUCs on servers, and the application of e-signatures to workflow processes.
(1) See, e.g., Jay Heiser and David Furlonger, “Alleged Accounting Fraud Points to the Perils of Spreadsheet Abuse”, Gartner Research ID No. G00160229 (August 18, 2008); Protiviti, “Spreadsheet Risk Management: FAQ Guide”; Michael Hoye and Eric Perry, “Five Steps to Success for Spreadsheet Compliance”, Compliance Week (July 2006).
(2) See, e.g., Roger Cooper and Fred Wilson, “Access Databases (Out of) Control?”, ICAEW Chartech Magazine No. 149 (August 2007).
(3) See, e.g., Gene Phifer, “End-User Mashups Demand Governance (But Not Too Much Governance)”, Gartner Research ID No. G00161450 (September 26, 2008).
(4) See http://www.globeinvestor.com/servlet/ArticleNews/story/ROC/20030603/2003-06-03T232028Z_01_N03354432_RTRIDST_0_BUSINESS-ENERGY-TRANSALTA-COL.
(5) See http://www.eusprig.org/butler-aib-allfirst-fraud-2002.htm.
(6) See, e.g., PricewaterhouseCoopers, “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act”.
(7) See, e.g., Jay Heiser, “Developing a Strategy to Control Spreadsheets”, Gartner Research ID No. G00138019 (September 22, 2006); see also Chambers and Hamill, “Controlling End User Computing Applications”, located at http://arxiv.org/abs/0809.3595.
(8) See http://web.smgworld.com/documents/ISConsulting-EndUserStandardsandGuidelines.doc.
(9) Microsoft partners with solutions for handling end user computing applications such as spreadsheets include Prodiance (http://www.prodiance.com) and ClusterSeven (http://www.clusterseven.com).
Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for the Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).