Auditing User-Developed Applications (UDA)
End User Computing (EUC)
Global Technology Audit Guide GTAG® 14
Adapted from www.theiia.org

UDA/EUC Definition
• UDAs are applications that are developed by end users, usually in a non-controlled IT environment.
• Examples
  – Spreadsheets
  – User databases
  – Queries
  – Scripts
  – Output from various reporting tools
• Used in EUC application

UDA/EUC Users
• Financial analyst creates a spreadsheet to analyze budget variances.
  – Graphs would be nice as well!
• Reconciliation functions in accounting
• Computer-assisted audit techniques (CAATs)
• Project management
• Management reports
  – Fraud?

UDA/EUC Uses
• What-if? analysis using tools such as
  – spreadsheet models, or
  – more specialized tools such as risk or financial management packages, or
  – business intelligence software
• E.g., used for monitoring sales and marketing performance of information stored in a data warehouse

Benefits of UDA
• Benefits of UDA
  – Quicker to develop and use
  – Readily available tools at a lower cost
    • MS Excel ($500)
    • Google Sheets (Free)
  – Configurable and flexible
    • Simple to “power” developer / user
  – Tailored to user
  – Allows creativity
  – Competitive advantage (for the employee as well)
  – Puts decision maker “nearer” data/information
  – Relieves workload in IT

Risks of UDA
• The most significant risk is the integrity of the data and information managed and reported.
• Management may assume that reports generated from a UDA came from an IT-developed and controlled application.
• UDAs typically do not follow a systems development life cycle (SDLC) process.

Risks of UDA
• Control breakdowns can be traced to
  – Lack of a structured development process
  – Data download issues
    • Inaccurate data (GIGO)
  – Increasing complexity of UDA over time
    • Multiple “authors”
    • Added analyses / worksheets
  – Lack of developer experience
    • “Hard” code data [Ctrl `]
    • “What if” not repeatable

Risks of UDA
• Control breakdowns can be traced to
  – Lack of version controls across users
  – Lack of documentation
    • Missing the worksheet that explains what the workbook is for

Risks of UDA
• Control breakdowns can be traced to
  – Lack of support
    • Users self-train, develop own techniques
  – Limited input and output controls
  – Lack of formal, if any, testing
  – Hidden data columns, rows, worksheets
• Compromise of confidentiality
• Lack of DRP, backup
• Duplication of efforts
• Lack of SOD:
  – programming, data, output rest with one person

Review of UDA
• Has management identified critical UDAs?
• Highest significance
  – Risk assessment?
  – Mitigating controls
• Review documentation (if any)
• Access controls
  – Change management
  – Backup and recovery
  – Security
  – Data integrity

Best practices
• Access guidelines
• Source data
  – Data input area should not contain formulas
  – Input should follow source document
  – Lock formulas
• Source output
  – Save separate workbook from each “what if” analysis or periodic report
  – Standard format
  – Control access to output

Best practices
• Testing guidelines
  – Fraud detection
• Logic guidelines
• Version, backup, and archiving guidelines
• Documentation guidelines
  – Document all the prior guidelines and practices
  – Can someone else do the task based on this?
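
As an added example (not part of the GTAG or the original slides), the following Python sketch shows how a reviewer could test a workbook against several of the points above: hidden worksheets, formulas in the data input area, hard-coded data inside formulas, and formulas that are not locked. The input sheet name `Inputs`, the finding labels, the constant-detection heuristic, and the use of sheet protection as a proxy for locked formulas are all assumptions of this example; the sample workbook is constructed inline.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PR = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Heuristic: a numeric literal that is not part of a cell reference or range.
CONST = re.compile(r"(?<![A-Za-z$:.\d])\d+(?:\.\d+)?(?![\d.:(A-Za-z])")

def audit_workbook(data, input_sheet="Inputs"):  # sheet name is an assumption
    """Return (sheet, location, finding) tuples for an .xlsx passed as bytes."""
    z = zipfile.ZipFile(io.BytesIO(data))
    rels = {r.get("Id"): r.get("Target") for r in
            ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(PR + "Relationship")}
    out = []
    for s in ET.fromstring(z.read("xl/workbook.xml")).iter(M + "sheet"):
        name, path = s.get("name"), "xl/" + rels[s.get(R + "id")].removeprefix("/xl/")
        root = ET.fromstring(z.read(path))
        if s.get("state") in ("hidden", "veryHidden"):
            out.append((name, "sheet", "hidden worksheet"))
        formulas = [(c.get("r"), c.findtext(M + "f") or "")
                    for c in root.iter(M + "c") if c.find(M + "f") is not None]
        for ref, f in formulas:
            if name == input_sheet:
                out.append((name, ref, "formula in input area"))
            if CONST.search(re.sub(r'"[^"]*"', "", f)):  # skip string literals
                out.append((name, ref, "hard-coded constant in formula"))
        if formulas and root.find(M + "sheetProtection") is None:
            out.append((name, "sheet", "formulas on unprotected sheet"))
    return out

def sample_workbook():  # constructed package with only the parts read above
    ns = f'xmlns="{M[1:-1]}" xmlns:r="{R[1:-1]}"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><sheets><sheet name="Inputs" sheetId="1" r:id="rId1"/>'
            '<sheet name="Calc" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{PR[1:-1]}">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="/xl/worksheets/sheet2.xml"/></Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><sheetData><row r="1"><c r="A1">'
            '<v>100</v></c><c r="B1"><f>A1*2</f></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {ns}><sheetData><row r="1"><c r="A1">'
            '<f>Inputs!A1*1.07</f></c><c r="B1"><f>SUM(A1:A1)</f></c></row>'
            '</sheetData><sheetProtection sheet="1"/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

The constant check is a heuristic and will also flag legitimate literals such as the digits argument of a rounding function, so its findings are prompts for review rather than defects.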