How Internal Auditors can win The War against Spreadsheet Fraud

To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.

While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.

Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?

Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:

  • hide columns or rows,
  • perform conditional formatting, which changes the appearance of cells depending on certain values
  • replace cell entries with false values either through direct input or by linking to other spreadsheet sources
  • apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
  • design macros and user defined functions to carry out fraudulent manipulations automatically

Recognising the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.

But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all?because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.

Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralised server instead of being scattered throughout the organisation in end-user hard drives.

And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.

Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.

More Spreadsheet Blogs

 

Spreadsheet Risks in Banks

 

Top 10 Disadvantages of Spreadsheets

 

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

 

How Internal Auditors can win the War against Spreadsheet Fraud

 

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

 

Still looking for a Way to Consolidate Excel Spreadsheets?

 

Disadvantages of Spreadsheets

 

Spreadsheet woes – ill equipped for an Agile Business Environment

 

Spreadsheet Fraud

 

Spreadsheet Woes – Limited features for easy adoption of a control framework

 

Spreadsheet woes – Burden in SOX Compliance and other Regulations

 

Spreadsheet Risk Issues

 

Server Application Solutions – Don’t let Spreadsheets hold your Business back

 

Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

 

Check our similar posts

Is Change Management a Myth or a Possibility

The theory that it is possible to manage organisational change (Change Management) in a particular direction has done the rounds for quite some time, but is it true about Change Management. Was Barrack Obama correct when he said, ?Change will not come if we wait for some other person or some other time. We are the ones we have been waiting for. We are the change that we seek.?
Or, was business coach Kelly A Morgan more on the button when she commented, ?Changes are inevitable and not always controllable. What can be controlled is how you manage, react to, and work through the change process.? Let us consult the evidence and see what statisticians say.

What the Melcrum Report Tells Us

Melcrum are ?internal communication specialists who work alongside leaders and teams around the globe to build skills and best practice in internal communication.? They published a report after researching over 1,000 companies that attempted change management and advised:

? More than 50% report improved customer satisfaction

? 33% report higher productivity

? 28% report improvements in employee advocacy

? 27% improved status as a great place to work

? 27% report increased profitability

? 25% report improved absenteeism

Sounds great until we flip the mirror around and consider what the majority apparently said:

? 50% had no improvement in customer service

? 67% did not report increased productivity

? 72% did not note improvements in employee advocacy

? 73% had no improved status among job seekers

? 73% did not report increased profitability

? 75% did not report any reduction of employee absenteeism

This shows it is still a great idea to hear what all parties have to say before reaching a conclusion. You may be interested to know the Melcrum report gave rise to the legend that 70% of organisation change initiatives fail. This finding has repeated numerous times. Let’s hear what the psychologists have to say next.

There is a certain amount of truth in the old adage that says, ?You can lead a horse to water but you cannot make him drink.? Which of us has not said, ?Another flavour of the week ? better keep heads down until it passes? during a spell in the corporate world. You cannot change an organisation, but you can change an individual.

At the height of the Nazi occupation of 1942, French philosopher-writer Antoine de Saint-Exup?ry said, ?A rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral?. Psychology Today suggests five false assumptions change management rests upon, THAT ARE SIMPLY NOT TRUE.

1. The external world is orderly, stable, predictable and can be managed

2. Change managers are objective, and do not import their personal bias

3. The world is static and orderly and can be changed in linear steps

4. There is a neutral starting point where we can gather all participants

5. Change is worthy in itself, because all change is an improvement

Leo Tolstoy wrote, ?Everyone thinks of changing the world, but no one thinks of changing himself.? A prophet can work no miracles unless the people believe. From the foregoing, it is evident that change management of an organisation is a 70% impossibility, but encouraging an individual to grow is another matter.

A McKinsey Report titled Change Leader, Change Thyself fingers unbelieving managers as the most effective stumbling stones to change management. To change as individuals ? and perhaps collectively change as organisations ? we need to ?come to our own full richness?, and as shepherds lead our flock to their ?promised land?, whatever that may be. Conversely, herding our flock with a pack of sheepdogs extinguishes that most precious thing of all, human inspiration.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Do you really need a Cloud Broker?

A cloud broker is someone who can serve as your trusted adviser when it comes to your dealings with a cloud service provider. Sort of an IT consultant who: is familiar with cloud computing, can negotiate a mutually beneficial relationship between you and a provider, and help you manage usage, performance and delivery of cloud services.?But do you need one?

Is it even time for cloud adoption?

Of course, if you haven’t even started considering moving your IT systems to the cloud, what’s the point of reading this article, right? Well, if you’re running a business in Ireland or the UK maybe you should start thinking about it. The benefits (of moving to the cloud) are simply overwhelming. But then that’s for another post.

For now, let’s just briefly talk about the rate of cloud adoption so far. This should give you an idea what other decision makers nearby think about cloud computing and what they’ve done in this regard so far.

According to research conducted by the Cloud Industry Forum (CIF), the number of first-time users of cloud computing in the United Kingdom has risen by about 27% compared to last year.

The study, which was carried out by research company Vanson Bourne and which involved IT decision-makers from both the private and public sector in UK, also showed that 61% of companies are subscribing to cloud-based services. A similar research conducted last year (2011) revealed only 48%.

In Ireland, plans are underway to adopt cloud computing. According to Pricewaterhouse Coopers, 75% of Ireland’s CIOs and IT directors are already adopting a cloud computing strategy.

Definitely, the number of cloud adopters is growing. If that number already includes your hottest competitor, then perhaps there’s no time to waste.

But while a migration to the cloud should be in your pipeline, it shouldn’t be something you should rush into. Generally speaking, there are at least three kinds of services offered by cloud service providers: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).

Some providers offer variations of these services. You might only need one type of service or a little of everything. There are also technical and regulatory compliance issues that need consideration.

Obviously, if you have no idea where or how to start, you’ll need someone who can help you. But what kind of help do you need?

Let’s proceed by talking about the kinds of services cloud brokers offer as these are obviously indicative of the needs of current cloud customers.

What cloud brokers do?

Cloud brokers offer three main types of services.

Cloud?inter-mediation

Cloud inter-mediation services are designed to add value to existing services and improve capabilities. ?Examples of cloud inter-mediation include managing access to cloud-based services, carrying out performance reporting, and establishing stronger security.

Cloud aggregation

As mentioned earlier, some cloud customers may end up subscribing to multiple cloud services; most likely from different cloud service providers. To get optimal return on their various cloud subscriptions, these customers will need to apply data integration and make these disparate systems work together. They will also have to make sure data flowing from one system to another is kept secure. This is where cloud aggregation comes into play.

Cloud arbitrage

This entails finding the best cloud service provider(s) to solve a particular problem. One example is comparing different providers offering data storage services and identifying the one offering the most competitive rates.

Other cloud arbitrage brokers develop new solutions by combining the services of different cloud service providers and then offer them to cloud customers. While there are similarities between cloud arbitrage and cloud aggregation, the former is more flexible and allows the customer to transfer from one provider to another where conditions are more favourable.

Problems a cloud broker can help you solve

Just like with natural clouds, your experiences in cloud computing won’t be all white and fluffy. You’ll also encounter gray and uncertain (or even stormy) clouds.

One major issue in cloud computing is cloud security. In fact, cloud security (or the apparent lack of it) is the one thing that’s really clouding up the sky of cloud computing. But that doesn’t mean the cloud is totally insecure. Besides, there are certain types of information that really don’t require a high level of security. These types you can easily migrate to the cloud.

For sensitive information, you really need to conduct due diligence to make sure your cloud service providers’ data centres are secure enough.

Where exactly will your data be stored? Are there enough provisions for regulatory compliance? How will your data be segregated? Does the infrastructure readily support ?data forensics? Is there a sound disaster recovery/business continuity plan? These are just some of the questions that need clear answers before you sign a contract with a cloud service provider.

Suggested reading: 9 Cloud Security Questions You Need To Ask Service Providers

Also, before you sign, you need to study the SLA (Service Level Agreement) very carefully. Look at the guaranteed uptime. Is it enough to meet your own desired service levels?

Bear in mind that the answers to these questions may be too technical. This is one of those instances when a cloud broker can come in handy. As your trusted adviser, your cloud broker can break down the technical jargon and present everything in a language that you can make intelligent decisions from.

A cloud broker will also be able to study the cloud provider’s security architecture and policies and determine whether they’re sufficient to meet your own security requirements. Basically, a cloud broker will not only help you obtain answers to your questions.

He will also know exactly what vital information to extract from providers in order to ensure that you find the best deal possible.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today