Auditing User-Developed
Applications (UDA)
End User Computing (EUC)
Global Technology Audit Guide
GTAG® 14
Adapted from
www.theiia.org
UDA/EUC Definition
• UDAs are applications that are developed by
end users, usually in a noncontrolled IT
environment.
• Examples
–
–
–
–
–
Spreadsheets
User databases
Queries
Scripts
Output from various reporting tools
• Used in EUC application
www.theiia.org
UDA/EUC Users
• Financial analysts creates spreadsheet to
analyze budget variances.
– Graphs would be nice as well!
•
•
•
•
Reconciliation functions in accounting
Computer assisted audit techniques (CAATs)
Project management
Management reports
– Fraud?
www.theiia.org
UDA/EUC Uses
• What-if? analysis using tools such as
– spreadsheet models or
– more specialized tools such as risk or financial
management packages, or
– business intelligence software,
• E.g., used for monitoring sales and marketing
performance of information stored in a data warehouse
www.theiia.org
Benefits of UDA
• Benefits of UDA
– Quicker to develop and use
– Readily available tools at a lower cost
• MS Excel ($500)
• Google sheet (Free)
– Configurable and flexible
• Simple to “power” developer / user
–
–
–
–
–
Tailored to user
Allows creativity
Competitive advantage (for the employee as well)
Puts decision maker “nearer” data/information
Relieves workload in IT
www.theiia.org
Risks of UDA
• The most significant risk is the integrity of
the data and information managed and
reported.
• Management may assume that reports
generated from UDA came from an ITdeveloped and controlled application
• UDAs typically do not follow a systems
development life cycle (SDLC) process.
www.theiia.org
Risks of UDA
• Control breakdowns can be traced to
– Lack of a structured development process.
– Data download issues
• Inaccurate data (GIGO)
– Increasing complexity of UDA over time
• Multiple “authors”
• Added analyses / worksheets
– Lack of developer experience
• “Hard” code data [Ctrl `]
• “What if” not repeatable
www.theiia.org
Risks of UDA
• Control breakdowns can be traced to
– Lack of version controls across users
– Lack of documentation
• Missing the worksheet that explains what the workbook
is for
www.theiia.org
Risks of UDA
• Control breakdowns can be traced to
– Lack of support
• Users self-train, develop own techniques
– Limited input and output controls
– Lack of formal, if any, testing
– Hidden data columns, rows, worksheets.
•
•
•
•
Compromise of confidentiality
Lack of DRP, backup.
Duplication of efforts
Lack of SOD:
– programming, data, output rest with one person
www.theiia.org
Review of UDA
• Has management identified critical UDAs?
• Highest significance
– Risk assessment?
– Mitigating controls
• Review documentation (if any)
• Access controls
–
–
–
–
Change management
Backup and recovery
Security
Data integrity.
www.theiia.org
Best practices
• Access guidelines
• Source data
– Data input area should not contain formulas
– Input should follow source document
– Lock formulas
• Source output
– Save separate workbook from each “what if” analysis
or periodic report.
– Standard format
– Control access to output
www.theiia.org
Best practices
• Testing guidelines
– Fraud detection
• Logic guidelines
• Version, backup, and archiving guidelines
• Documentation guidelines
– Document all the prior guidelines and practices
– Can someone else do the task based on this?
www.theiia.org