How Internal Auditors can win The War against Spreadsheet Fraud

To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.

While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.

Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?

Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:

  • hide columns or rows,
  • perform conditional formatting, which changes the appearance of cells depending on certain values
  • replace cell entries with false values either through direct input or by linking to other spreadsheet sources
  • apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
  • design macros and user defined functions to carry out fraudulent manipulations automatically

Recognising the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.

But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all?because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.

Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralised server instead of being scattered throughout the organisation in end-user hard drives.

And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.

Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.

More Spreadsheet Blogs

 

Spreadsheet Risks in Banks

 

Top 10 Disadvantages of Spreadsheets

 

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

 

How Internal Auditors can win the War against Spreadsheet Fraud

 

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

 

Still looking for a Way to Consolidate Excel Spreadsheets?

 

Disadvantages of Spreadsheets

 

Spreadsheet woes – ill equipped for an Agile Business Environment

 

Spreadsheet Fraud

 

Spreadsheet Woes – Limited features for easy adoption of a control framework

 

Spreadsheet woes – Burden in SOX Compliance and other Regulations

 

Spreadsheet Risk Issues

 

Server Application Solutions – Don’t let Spreadsheets hold your Business back

 

Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

 

Check our similar posts

How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Using Pull Systems to Optimise Work Flows in Call Centres

When call centres emerged towards the end of the 20th century, they deserved their name ?the sweatshops of the nineties?. A new brand of low-paid workers crammed into tiny cubicles to interact with consumers who were still trying to understand the system. Supervisors followed ?scientific management? principles aimed at maximising call-agent activity. When there was sudden surge in incoming calls, systems and customer care fell over.

The flow is nowadays in the opposite direction. Systems borrowed from manufacturing like Kanban, Pull, and Levelling are in place enabling a more customer-oriented approach. In this short article, our focus is on Pull Systems. We discuss what are they, and how they can make modern call centres even better for both sets of stakeholders.

Pull Systems from a Manufacturing Perspective

Manufacturing has traditionally been push-based. Sums are done, demand predicted, raw materials ordered and the machines turned on. Manufacturers send out representatives to obtain orders and push out stock. If the sums turn out wrong inventories rise, and stock holding costs increase. The consumer is on the receiving end again and the accountant is irritable all day long.

Just-in-time thinking has evolved a pull-based approach to manufacturing. This limits inventories to anticipated demand in the time it takes to manufacture more, plus a cushion as a trigger. When the cushion is gone, demand-pull spurs the factory into action. This approach brings us closer to only making what we can sell. The consumer benefits from a lower price and the accountant smiles again.

Are Pull Systems Possible in Dual Call Centres

There are many comments in the public domain regarding the practicality of using lean pull systems to regulate call centre workflow. Critics point to the practical impossibility of limiting the number of incoming callers. They believe a call centre must answer all inbound calls within a target period, or lose its clients to the competition.

In this world-view customers are often the losers. At peak times, operators can seem keen to shrug them off with canned answers. When things are quiet, they languidly explain things to keep their occupancy levels high. But this is not the end of the discussion, because modern call centres do more than just take inbound calls.

Using the Pull System Approach in Dual Call Centres

Most call centre support-desks originally focused are handling technical queries on behalf of a number of clients. When these clients? customers called in, their staff used operator?s guides to help them answer specific queries. Financial models?determined staffing levels and the number of ?man-hours? available daily. Using a manufacturing analogy, they used a push-approach to decide the amount of effort they were going to put out, and that is where they planted their standard.

Since these early 1990 days, advanced telephony on the internet has empowered call centres to provide additional remote services in any country with these networks. They have added sales and marketing to their business models, and increased their revenue through commissions. They have control over activity levels in this part of their business. They have the power to decide how many calls they are going to make, and within reason when they are going to make them.

This dichotomy of being passive regarding incoming traffic on the one hand, and having active control over outgoing calls on the other, opens up the possibility of a partly pull-based lean approach to call centre operation. In this model, a switching mechanism moves dual trained operators between call centre duties and marketing activities, as required by the volume of call centre traffic, thus making a pull system viable in dual call centres.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Migrating from CRM to Big Data

Big data moved to centre stage from being just another fad, and is being punted as the latest cure-all for information woes. It may well be, although like all transitions there are pitfalls. Denizon decided to highlight the major ones in the hope of fostering better understanding of what is involved.

Accurate data and interpretation of it have become increasingly critical. Ideas Laboratory reports that 84% of managers regard understanding their clients and predicting market trends essential, with accelerating demand for data savvy people the inevitable result. However Inc 5000 thinks many of them may have little idea of where to start. We should apply the lessons learned from when we implemented CRM because the dynamics are similar.

Be More Results Oriented

Denizon believes the key is focusing on the results we expect from Big Data first. Only then is it appropriate to apply our minds to the technology. By working the other way round we may end up with less than optimum solutions. We should understand the differences between options before committing to a choice, because it is expensive to switch software platforms in midstream. data lakes, hadoop, nosql, and graph databases all have their places, provided the solution you buy is scalable.

Clean Up Data First

The golden rule is not to automate anything before you understand it. Know the origin of your data, and if this is not reliable clean it up before you automate it. Big Data projects fail when executives become so enthused by results that they forget to ask themselves, ?Does this make sense in terms of what I expected??

Beware First Impressions

Big Data is just that. Many bits of information aggregated into averages and summaries. It does not make recommendations. It only prompts questions and what-if?s. Overlooking the need for the analytics that must follow can have you blindly relying on algorithms while setting your business sense aside.

Hire the Best Brains

Big Data?s competitive advantage depends on what human minds make with the processed information it spits out. This means tracing and affording creative talent able to make the shift from reactive analytics to proactive interaction with the data, and the customer decisions behind it.

If this provides a d?j? vu moment then you are not alone. Every iteration of the software revolution has seen vendors selling while the fish were running, and buyers clamouring for the opportunity. Decide what you want out first, use clean data, beware first impressions and get your analytics right. Then you are on the way to migrating successfully from CRM to Big Data.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today