No One Is Giving Up Spreadsheets, So The IIA Figured It Better Put Some Audit Guidance Out There

This story is republished from CFOZone, where you’ll find news, analysis and professional networking tools for finance executives.

Many finance departments would grind to a halt if forced to do without spreadsheets. They’re quick, easy and inexpensive tools for manipulating and analyzing data that just about anyone can master.

However, these attributes also mean that spreadsheets create a tremendous risk, particularly if their results are incorporated into the company’s financial reports or used to support a business’ operations.

With this in mind, the Institute of Internal Auditors (IIA) in June issued GTAG (global technology audit guide) 14, a guide for auditing what it calls “user-developed applications,” or UDAs. While spreadsheets are the most visible type of UDA, the term also can include applications like user-developed databases and reports. UDAs are “…created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions or summarize operational and financial data,” the IIA states.


By their nature, UDAs present three types of risk. One is data integrity – the old “garbage in, garbage out.” User-developed applications don’t follow a structured application development cycle, and lack any sort of change management or version controls – that is, any number of individuals may be able to update a spreadsheet. All this increases the risk of inaccurate data making its way into the application.

Next is the risk that confidential data is compromised. Many UDAs can easily be attached to an email and sent to someone who shouldn’t have access to the data.

Finally, there’s what the IIA calls “availability risk.” Because many UDAs reside on flash drives and individual PCs, they’re easy to overlook when the company is backing up data. Or, the information can easily be lost altogether.

Internal auditors can take several steps in their audits to reduce the risks any UDAs in use pose to their firms. A starting point is identifying key UDAs. These typically are those that are part of the financial or management reporting processes, or used to comply with regulations. One-off spreadsheets used on an ad-hoc basis probably aren’t key.

The auditors also need to assess the risks posed by the key UDAs. To understand this, they’ll need to know who uses the applications, and how. From this, they can estimate the financial, operational and regulatory risks the UDAs present. The more complex the applications are and the more embedded they are in organizational processes, the more risk they present.

Next up is examining the controls in place around the UDAs to determine if they reduce the risks to an acceptable level for the organization.

Spreadsheets and other user-developed applications play a valuable role in many organizations. At the same time, they can expose companies to a great deal of risk. Appropriate management and control is critical to mitigating the risks they present.

Accounting News Roundup: Rajaratnam Claims KPMG “Tricked” Him into Illegal Tax Shelter; United, Continental Agree to ‘Merger of Equals’; Some Thoughts on iPad for Accountants | 05.03.10

Galleon’s Rajaratnam Said He Was Duped in Illegal Tax Shelter [Bloomberg Businessweek]
Raj Rajaratnam, who is awaiting trial in an insider trading case set to take place this fall, claimed that he was “tricked into investing in an illegal tax shelter,” that was developed by KPMG and “tax shelter promoter” Diversified Group, according to a lawsuit from 2005.

Rajaratnam and Galleon co-founder Gary Rosenbach won $5.8 million in an arbitrator’s judgment against Diversified Group and its president in 2009. KPMG was not mentioned in the judgment and neither Rajaratnam’s attorney nor KPMG would comment on the current r if the firm had made a payment to Raj.

Rajaratnam and Rosenbach said they were induced to invest in a shelter called “OPS,” or Option Partnership Strategy, which was developed by KPMG and Diversified as a way to generate fees for the firms.

“The OPS shelter was essentially an illegal basis-shifting scheme which — unbeknownst to plaintiffs — relied upon a disingenuous reading of the federal tax code,” his lawyers wrote in the complaint.

Prosecutors will be interested to know what Rajaratnam said under oath in his suit against KPMG to determine if any of his statements will be useful in their insider trading case.

United, Continental Agree to Combine [WSJ]
United Airlines and Continental Airlines have agreed to combine, in a stock swap valued at $3 billion.

The “merger of equals” would create the world’s largest airline that would control 21% of the total domestic capacity and be 8% larger than Delta Air Lines in terms of miles flown, serving 370 destinations. Assuming the deal does not raise any antitrust concerns and contracts for employees are approved in a timely fashion, the companies plan to complete the transaction in the 4th quarter of this year.

iPad for business – the taste test [ZDNet]
Dennis Howlett tested out an iPad and since some of you have, at the very least, wondered about it for your own professional use, here’s his take on Numbers, a spreadsheet application that he says is “gorgeous to look at” but has several drawbacks:

I found it was possible to create a confusing error formula. Ahem. That will require fixing. While Numbers has masses of functions (see illustration), there is no ability to create Pivot Tables. Those are the accountant’s stand by for reporting and the like. It’s boring but essential stuff. Without Pivot Tables, the iPad won’t get a sniff in the hands of this powerful and influential group. There is an alternative for the future. Some smart developers out there will build reporting applications that can run over the Internet. It is one of the gaping holes in the SaaS/cloud story requiring urgent attention.

Any other thoughts on iPad for accountants? Weigh in.

IIA Proposes New Standards for Internal Auditors [Compliance Week]
The Institute of Internal Auditors is requesting comment on proposals for new standards that would include a requirement for internal auditors to provide audit opinions and additional explanation of the responsibility of internal auditors for the work of contractors.

Grant Thornton closing Triad office, moving operations to Charlotte [Triad Business Journal (subscription required for full article)]
Grant Thornton finally got around to announcing the closure of its Greensboro/Triad office. We reported on the closure back in February. The firm announced that the “vast majority” of its approximately 30 employees would be moving to the firm’s offices in either Charlotte or Raleigh. The TBJ reports National Director of Communications, John Vita’s comments: “We remain committed to the Triad marketplace, however, we believe it can be best served over the long term by attracting the highest quality professionals who wish to work out of our larger offices in Charlotte and Raleigh.”

Fraud Risk, Staffing Reductions, and OJ Logic at CFO.com

Editor’s Note: Robert Stewart is a former Big 4 auditor and ex-Marine who has since served in several executive management roles in both Internal Audit and Corporate Finance. He is also the founder and chief contributor to the online accounting and audit community, The Accounting Nation. Outside of work, he is a husband, father, brother, writer, and aspiring triathlete.
You can always count on CFO.com for logic flaws and surface reporting. It’s like drinking that concentrated orange juice in a can when you add three parts too much water and then put ice cubes in it because it’s warm, which makes it even more watery which… Where was I going with this?
Oh yeah. In one of their latest articles, entitled “As Internal Audit Staffs Shrink, Will Fraud Rise?”, the author portends — based on a Deloitte survey and subsequent interview — that the decrease in internal audit personnel somehow increases the risk of organizational exposure to fraud. What? Ever hear the phrase “Correlation is not Causation”? Symptom or cause.


Here’s my $0.02: such staffing reductions may increase the risk that fraud will go undetected (though only nominally given that IA only uncovers about 12% of frauds according to the ACFE’s Report to the Nation), but the risk to the organization more than likely remains constant, right? Am I missing something here?
After all, Internal Audit is a downstream event unless you make the argument that the organizational perception of being “watched” has diminished with the reductions in internal audit/compliance staffing, thus emboldening would-be fraudsters (i.e. strengthening the “opportunity” leg of Cressey’s Fraud Triangle). But this article doesn’t make that argument.
The article further states that:

Despite the reduction in compliance personnel, 50% of respondents to the Deloitte survey, who included CFOs, CEOs, board members, and middle managers in finance and risk management, said their compliance and ethics programs are strong. Another 36% said they are adequate. Many public companies and some private companies invested significantly in their compliance programs after the passage of Sarbox in 2002, notes Francis, and they may now feel confident that those programs are effective even with a reduced staff. But that confidence may not always be justified.

Confidence? I would hardly call the above percentages “confidence” on the part of the respondents. If I told you that 50% of the airline pilots felt that their pre-flight checklist procedures were strong, how would you feel about flying? No F*#$ing way I’m getting on that plane.
The words wrapped around the survey results and subsequent interview quotes don’t at all support the conclusion that this article is trying to draw. Perhaps it’s because the survey was designed and administered by a firm (Deloitte) that has a vested interest in drumming up some business through fear tactics? After all, you’re never going to hear a burglar alarm company extolling the improvements in public safety.
And you’re never going to hear a company that sells risk-related services conducting and publicly releasing results that don’t support their strategic objectives. Or perhaps it’s just bad writing at CFO.com in order to satisfy a quota? The World may never know (I think the World will be fine with this). Either way, I’ve wasted double the amount of time that I should have on this topic (i.e. read it and wrote about it). And so with that…I bid you adieu.

Review Comments | 12.10.09

Breaking Media, LLC Announces Jonah Bloom, Editor of Advertising Age, Will Join Company as Chief Executive Officer and Editor in Chief – Welcome to Jonah and our new Executive Editor, Matt Creamer! [Breaking Media Press Release]
Haddrill: We don’t need a Big Five – One man’s opinion. [Accountancy Age]
S Corporation Basis: Is It Time for an S Corporation Holding Company? – Consider this if you have multiple S-Corps tossing money back and forth. Joe Kristan explains. [Tax Update Blog]
As Internal Audit Staffs Shrink, Will Fraud Rise? – More with less is a trend everywhere. [CFO]
Chart of the day, hedonic treadmill edition – For those of you doing the debits and credits at hedge funds, apparently you’re paid the least but happiest with your comp. Who knew it was possible? [Felix Salmon]
Sarbanes-Oxley for Everyone: To Be or Not To Be? – Check out Francine’s latest contribution to HuffPo. [Huffington Post]