How Internal Auditors can win The War against Spreadsheet Fraud

To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.

While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.

Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?

Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:

hide columns or rows,
perform conditional formatting, which changes the appearance of cells depending on certain values
replace cell entries with false values either through direct input or by linking to other spreadsheet sources
apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
design macros and user defined functions to carry out fraudulent manipulations automatically

Recognising the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.

But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all?because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.

Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralised server instead of being scattered throughout the organisation in end-user hard drives.

And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.

Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

The Connection between Big Data and MDM

Master Data is information that is critical to your business. This could include contracts, proprietary information, intellectual capital and a whole lot more besides. Because this often reposes in a variety of different places, you need a master data management / MDM policy to control it. That way, you can link it all together in a single, secure, backed up file.

This Sounds Like Big Data

Not necessarily: big data refers to extremely large data sets that are best stored and analysed on a cloud using big technology, in order to uncover trends, patterns and associations often relating to human behaviour. Of course, if you run a niche restaurant your critical master data might be limited to a few recipes and the books you do not care to show your accountant.

The distinction is largely a question of size: think of your master data as the subset of big data that you already have your mind around. According to John Case of IBM this is probably already in a structured format and available to share. He goes on to present a cogent case for using this as a peg point around which to systematise the rest. This is because the average organisation already has master data recording customers? and prospects? behaviour.

Do I Still Need My Master Data?

Yes you do, because real people created it with the benefit of human insight. Retain it as a separate set. Then compare it with the results of big data processing for even richer insights. Two heads are better that one and that goes for data processing too.

Trends in CRM Big Data

Adding data via location-aware devices like smartphones and tablets is adding a new dimension to customer information. We now know where they were when they made the enquiry or punched in the information. Use this geo-location data to hone the way you interact with customers and service their accounts. Do not phone a customer who makes decisions at work when they are at home.

Does My Master Data Belong on a Cloud?

There are a number of ?ifs? to consider. How comfortable are you with your service provider. What would happen if someone hacked their server? There are many advantages to cloud technology. Denizon knows of solutions you can rely on, and makes sure its clients have contingency plans to protect them at all times.

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK

Authentication and Access Control

Threats to your data can come from external or internal sources.

There are individuals who don’t have the authorisation but are driven by malicious intentions to gain access to certain information. This may refer to individuals who already belong to your organisation (but don’t have the necessary access rights) as well as those who don’t.
There are individuals who have both the authorisation and, unfortunately, the malicious intentions over certain information.
Finally, there are individuals who have the authorisation, no malicious intentions, but have accidentally exposed the information in question to those without the proper authority.

While curbing threats 2 and 3 would require other methods, threat #1 can be countered if the right authentication and access control systems are in place.

Here’s what we can do for you:

Work with your key personnel to determine who gets access to what.
Help you decide whether a single factor or a two-factor authentication (2FA) is appropriate for your organisation and recommend which factors are most suitable. Login methods may include but are not limited to the following:
- biometric devices
- Kerberos tickets
- mobile phones
- passwords
- PKI certificates
- proximity cards
- smart cards
- tokens
Install the necessary infrastructure needed for the factors chosen. For instance, if you opt to use biometrics, then biometric scanners will be installed. We’ll make sure that the authentication terminals are situated in places where achieving optimal traffic and work flow has been taken into consideration.

Other defences we’re capable of putting up include:

Data Replication

These days, not many companies can continue to operate once their entire computer system goes down. All the information needed in daily operations are stored in databases while the interfaces that make use of them all come in the form of software applications.

Software applications can be rapidly reinstalled and configured for as long as the necessary programs are available. Data, however, cannot be reconstructed as quickly even with hard copies available. It is therefore necessary to store your data in a replicated setup so that when one section goes down, operations can proceed without interruption.

For instance, if a category 5 hurricane renders your main office useless, you can simply rent workstations elsewhere, connect to the Internet and continue with your usual transactions for as long as data is readily accessible.

So how do we ensure the accessibility and reliability of your data? Here’s what we’ll do:

Activate data replication on your database management system. If your DBMS does not support replication, we’ll migrate all your data to one that does.
If absolutely necessary, we can allow modernised systems to run parallel to your legacy systems and prepare both for full modernisation when you’re ready.
Implement fail-over technologies where applicable to provide for automatic switching to a backup data server or network from one that has just failed.

We can also assist you with the following: