How Internal Auditors can win The War against Spreadsheet Fraud

To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.

While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.

Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?

Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:

hide columns or rows,
perform conditional formatting, which changes the appearance of cells depending on certain values
replace cell entries with false values either through direct input or by linking to other spreadsheet sources
apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
design macros and user defined functions to carry out fraudulent manipulations automatically

Recognising the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.

But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all?because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.

Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralised server instead of being scattered throughout the organisation in end-user hard drives.

And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.

Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

The Matrix Management Structure

Organizations exploit matrix management in various ways. A company, for instance, that operates globally uses it at larger scale by giving consistent products to various countries internationally. A business entity, having many products, does not assign its people to each product full-time but assign those to different ones on a part time basis, instead. And when it comes to delivering high quality and low cost products, companies overcome industry pressures with the help of many overseeing managers. In a rapidly changing environment, organizations respond quickly by sharing information through a matrix model.

Understanding the Matrix Management Structure

A basic understanding of matrix management starts with the three key roles and responsibilities that applies in the structure.

Matrix Leader ? The common person above all the matrix bosses is the matrix leader. He ensures that the balance of power is maintained in the entire organization by delegating decisions and promoting collaboration among the people.
Matrix Managers ? The managers cooperate with each other by defining the respective activities that they are responsible for.

Matrix Employees – The employees have lesser direct authority but has more responsibilities. They resolve differing demands from more than one matrix managers while they work things out upwards. Their loyalty must be dual and their relationships with managers must be maintained.

Characteristics of a Matrix Structure

Here are some features that define the matrix management structure:

Hybrid Structure ?The matrix structure is a mix of functional and project organization. Since it is a combination of these two, matrix management is hybrid in nature.

Functional Manager ? When it comes to the technical phases of the project, the functional manager assumes responsibility. The manager decides on how to get the project done, delegates the tasks to the subordinates and oversees the operational parts of the organization.

Project Manager ? The project manager has full authority in the administrative phases, including the physical and financial resources needed to complete the project. The responsibilities of a project manager comprise deciding on what to do, scheduling the work, coordinating the activities to diverse functions and evaluating over-all project performance.

Specialization ?As the functional managers concentrate on the technical factors, the project managers focus on administrative ones. Thus, in matrix management, there is specialization.

Challenge in Unity of Command ? Companies that employs matrix management usually experience a problem when it comes to the unity of command. This is largely due to the conflicting orders from the functional and project managers.

Types of Matrix Structure

The matrix management structure can be classified according to the level of power of the project manager. Here are three distinct types of matrix structures that are widely used by organizations.

Weak Matrix ? The project manager has limited authority and power as the functional manager controls the budget of the project. His role is only part-time and more like a coordinator.

Strong Matrix ? Here, the project manager has almost all the authority and power. He controls the budget, holds the full time administrative project management and has a full time role.

Balanced Matrix ? In this structure type, both the project and functional managers control the budget of the project. The authority and power is shared by the two as well. Although the project manager has a full time role, he only has a part time authority for the administrative staff to report under his leadership.

Successful companies of today venture more on enhancing the abilities, skills, behavior and performances of their managers than the pursuit of finding the best physical structure. Indeed, learning the fundamentals of the matrix structure is essential to maximize its efficiency. A senior executive pointed out that one of the challenges in matrix management is not more of building a structure but in creating the matrix to the mind of the managers. This comes to say that matrix management is not just about the structure, it is a frame in the mind.

IT Systems Implementation

Are you ready to find out how your newly accepted IT system fares in the real world? Although a rigorous Acceptance testing process can spot a wide spectrum of flaws in a newly constructed IT system, there is no way it can identify all possible defects. The moment the IT system is delivered into the hands of actual end users and other stakeholders, it is effectively stepping out of a controlled and secure environment.

Thus, it is during this phase wherein issues having direct impact on the business can arise.

It is our duty to ensure that the Systems Implementation phase is carried out as thoroughly, professionally, and efficiently as possible.

Thoroughly, because we need to include all relevant data and other deliverables, eliminate hard-to-detect miscalculated results, and substantially reduce the probability of business and mission critical issues popping up in the future;

Professionally, because it is the best way to address the sensitive process of turning over a new system to users who have gotten used to the old one;

And efficiently, because we want to minimise the duration over which all stakeholders have to adapt to the new system and allow them to move on to the process of growing the business.

Preparation

Louis Pasteur once said, “Luck favours the mind that is prepared.”

While we certainly won’t leave anything to chance, we do put substantial weight on the Preparation stage of Systems Implementation. We’re so confident with the strategies we employ in Preparation, that we can assure you of an utterly seamless Deployment and Transition phase.

By this we mean that issues that may arise during Deployment and Transition will be handled smoothly and efficiently because your people will know exactly what to do.

Here’s how we will prepare your organisation for Deployment:

Identify all key players for the Systems Implementation phase and orient them on their specific roles. We’ll make sure they know what possible hitches may come their way and how to deal with them.
Identify all end users and their corresponding functions, then assign appropriate access rights.
Draw multi-layered contingency plans to capture and address each possible concern that may crop up during Deployment.
Prepare a systematic step-by-step procedure and checklist for the entire Deployment stage. Both of them should have been copied from a similar procedure and checklist used in the Acceptance testing phase.
Make all stakeholders understand the conditions required before Deployment can commence.
Set the appropriate environment so that all stakeholders know what to expect and when to expect them the moment Deployment commences.
Prepare Technical Services and Technical Support personnel for the gruelling mission ahead.
Make sure all communication processes are well coordinated so that everyone affected will know who to contact and how to get in touch with them when a problem arises.
Plan and schedule training sessions so that they can be conducted “just in time”. Training sessions conducted way ahead of Deployment are often useless because the trainees tend to forget about what they learned when the time comes to apply them. Similarly, training sessions conducted way after Deployment also become useless because trainees are seldom able to internalise instructions delivered during crash courses.

Deployment

There are two sets of issues to keep an eye on during Deployment:

Issues directly related to the technology itself, e.g. application functionality and data integrity, and
Issues emanating from the end users, i.e., their unwillingness to use the new system. One reason may be because they find the interface and procedures too confusing. Another would be due to other inconveniences that come with adapting to a new set of procedures.

Despite all the meticulous scrutiny employed during Acceptance testing, there are just some problems that are made obvious only during Deployment. Issues belonging to the first set are dealt with easily because of the plans and procedures we put in place during the Preparation stage. As an added measure, our team will be on hand to make sure contingency plans are executed accordingly.

While the second set of issues is often neglected by many IT consultancy companies, we choose to meet it head on.

We fully understand that end users are most sensitive to the major changes that accompany a new system. It is precisely for this reason why our training activities during Deployment are designed not only to educate them but also to make them fully appreciate the necessity of both the new system and the familiarisation phase they will need to go through.

The faster we can bring your end users to accept the new system, the faster they can refocus on your company’s business objectives.

Here’s what we’ll do to guarantee the smoothest Deployment process you’ve ever experienced.

Employ the procedure and checklist formulated during the Preparation stage.
Ensure all end users are well acquainted with any additional tasks they would need to perform (e.g. filling up manual logs).
Assess which legacy systems can still be used alongside the new technology and which ones have to be retired.
Supervise the installation and optimal configuration of all supporting hardware and software to make sure the likelihood of errors originating from them are brought to near-zero levels.
Supervise the installation and optimal configuration of the products themselves.
Carry out data migration tasks if necessary.
Organise and oversee parallel runs to check for data and report inconsistencies.
Conduct training sessions in a professional and well-timed manner to eliminate end-users’ feelings of agitation and to take advantage of memory absorption and retention duration as with regards to their assigned duties and responsibilities.

Transition

Do you often feel uneasy whenever the reins to a newly purchased IT system are handed over to you? Perhaps there are some issues that you feel haven’t been fully settled but, at the same time, find it too late to back out, having already invested so much time and resources.

Alright, so maybe the thought of “backing up” never crossed your mind. However, the concern of being “not yet ready” is raised by many organisations towards the tail end of most Deployment stages. This usually drags the Deployment stage into a never-ending process.

Our team of highly experienced specialists will make sure you reach this point with utmost confidence to proceed on your own.

To wrap up our comprehensive IT Systems Implementation offering, we’ll take charge of the following:

Verify that all deliverables, including training materials and other technical documentation, are accomplished and expected outcomes are realised.
Make sure all technical documentation are placed in a secure and accessible location.
Institute best practices to ensure the IT system becomes fully utilised and to reduce its exposure to avoidable risks.
Establish open communication lines with the Technical Support team to enable quick resolution of issues.
Ensure complete knowledge transfer has been fully achieved so that your people will spend less time calling Technical Support and more on operations contributory to business growth.

A Business Case for Sharing

We blogged about sharing services in a decentralised business context recently, and explained why we think why these should be IT-Based for speedy delivery. This is not to say that all shared services projects worldwide have been resounding successes. This is often down to the lack of a solid business case up front. We decided to lay out the logic behind this process.

Management Overview ? The overview includes a clear definition of why the current situation is unacceptable, the anticipated benefits of sharing, and an implementation plan were it to go ahead. The project should not proceed until the stakeholders have considered and agreed on this.

Alternatives Considered ? The next stage is to get closer to the other options in order to determine whether an alternative might perhaps be preferable. Substitutes for shared services are often doing nothing, improving the current method, and outsourcing the service to a third party.

The Bottom Line in Business ? Sharing services comes at an initial cost of infrastructure changes, and the impact on human capital (the latter deserves its own blog). The following need careful consideration from the financial angle:

Numbers to Work Through

Manpower to design and roll the project out in parallel with the existing organisation.

Capital for creating facilities at the central point including civil works, furniture and equipment and IT infrastructure.

The costs of travel, feeding and accommodation. These can be significant depending on the time that implementation takes.

The opportunity loss of diverting key staff – and the cost of temporary replacements – if appointing line staff to the project team.

Crystal-clear project metrics including (a) the direct, realisable savings (b) the medium and long-term effects on profit and (c) where to deploy the savings

Risk Management

Shared services projects don’t go equally smoothly, although planning should reduce the risk to manageable levels. Nonetheless it is important to imagine potential snags, decide how to mitigate them and what the cost might be.

We believe in implementing shared services on a pilot basis in the business unit that eventually provides them. We recommend building these out to other branches only when new processes are working smoothly.

Moving On From a Decision

We recommend you revisit your management overview, the logic behind it, the assumptions you made, and the costs and benefits you envisage before deciding to go ahead

The final step in proving a business case is doable should be fleshing out your roadmap into a detailed operations plan with dependencies on a spreadsheet.