How Internal Auditors can win The War against Spreadsheet Fraud

To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.

While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.

Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?

Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:

hide columns or rows,
perform conditional formatting, which changes the appearance of cells depending on certain values
replace cell entries with false values either through direct input or by linking to other spreadsheet sources
apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
design macros and user defined functions to carry out fraudulent manipulations automatically

Recognising the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.

But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all?because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.

Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralised server instead of being scattered throughout the organisation in end-user hard drives.

And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.

Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

Authentication and Access Control

Threats to your data can come from external or internal sources.

There are individuals who don’t have the authorisation but are driven by malicious intentions to gain access to certain information. This may refer to individuals who already belong to your organisation (but don’t have the necessary access rights) as well as those who don’t.
There are individuals who have both the authorisation and, unfortunately, the malicious intentions over certain information.
Finally, there are individuals who have the authorisation, no malicious intentions, but have accidentally exposed the information in question to those without the proper authority.

While curbing threats 2 and 3 would require other methods, threat #1 can be countered if the right authentication and access control systems are in place.

Here’s what we can do for you:

Work with your key personnel to determine who gets access to what.
Help you decide whether a single factor or a two-factor authentication (2FA) is appropriate for your organisation and recommend which factors are most suitable. Login methods may include but are not limited to the following:
- biometric devices
- Kerberos tickets
- mobile phones
- passwords
- PKI certificates
- proximity cards
- smart cards
- tokens
Install the necessary infrastructure needed for the factors chosen. For instance, if you opt to use biometrics, then biometric scanners will be installed. We’ll make sure that the authentication terminals are situated in places where achieving optimal traffic and work flow has been taken into consideration.

Other defences we’re capable of putting up include:

Big Energy Data Management

Recent times have seen the advent of cloud based services and solutions where energy data is being stored in the cloud and being accessed from anywhere, anytime through remote mobile devices. This has been made possible by web-based systems that can usually bring real-time meter-data into clear view allowing for proactive business and facility management decisions. Some web based systems may even support multi utility metering points and come in handy for businesses operating multiple sites.

Whereas all this has been made possible by increased use of smart devices/ intelligent energy devices that capture data at more regular intervals; the challenge facing businesses is how to transform the large data/big volume of data into insights and action plans that would translate into increased performance in terms of increased energy efficiency or power reliability.

A solution to this dilemma facing businesses that do not know how to process big energy data, may lie in energy management software. Energy management software?s have the capability to analyse energy consumption for, electricity, gas, water, heat, renewables and oil. They enable users to track consumption for different sources so that consumers are able to identify areas of inefficiency and where they can reduce energy consumption, Energy software also helps in analytics and reporting. The analytics and reporting features that come with energy software are usually able to:

? Generate charts and graphs ? some software?s give you an option to select from different graphs

? Do graphical comparisons e.g. generate graphs of the seasonal average for the same season and day type

? Generate reports that are highly customisable

While choosing from the wide range of software available, it is important for businesses to consider software that has the capacity to support their data volume, software that can support the frequency with which their data is captured and support the data accuracy or reliability.

Energy software alone may not make the magic happen. Businesses may need to invest in trained human resources in order to realise the best value from their big energy data. Experts in energy management would then apply human expertise to leverage the data and analyse it with proficiency to make it meaningful to one?s business.

Do you really need a Cloud Broker?

A cloud broker is someone who can serve as your trusted adviser when it comes to your dealings with a cloud service provider. Sort of an IT consultant who: is familiar with cloud computing, can negotiate a mutually beneficial relationship between you and a provider, and help you manage usage, performance and delivery of cloud services.?But do you need one?

Is it even time for cloud adoption?

Of course, if you haven’t even started considering moving your IT systems to the cloud, what’s the point of reading this article, right? Well, if you’re running a business in Ireland or the UK maybe you should start thinking about it. The benefits (of moving to the cloud) are simply overwhelming. But then that’s for another post.

For now, let’s just briefly talk about the rate of cloud adoption so far. This should give you an idea what other decision makers nearby think about cloud computing and what they’ve done in this regard so far.

According to research conducted by the Cloud Industry Forum (CIF), the number of first-time users of cloud computing in the United Kingdom has risen by about 27% compared to last year.

The study, which was carried out by research company Vanson Bourne and which involved IT decision-makers from both the private and public sector in UK, also showed that 61% of companies are subscribing to cloud-based services. A similar research conducted last year (2011) revealed only 48%.

In Ireland, plans are underway to adopt cloud computing. According to Pricewaterhouse Coopers, 75% of Ireland’s CIOs and IT directors are already adopting a cloud computing strategy.

Definitely, the number of cloud adopters is growing. If that number already includes your hottest competitor, then perhaps there’s no time to waste.

But while a migration to the cloud should be in your pipeline, it shouldn’t be something you should rush into. Generally speaking, there are at least three kinds of services offered by cloud service providers: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).

Some providers offer variations of these services. You might only need one type of service or a little of everything. There are also technical and regulatory compliance issues that need consideration.

Obviously, if you have no idea where or how to start, you’ll need someone who can help you. But what kind of help do you need?

Let’s proceed by talking about the kinds of services cloud brokers offer as these are obviously indicative of the needs of current cloud customers.

What cloud brokers do?

Cloud brokers offer three main types of services.

Cloud?inter-mediation

Cloud inter-mediation services are designed to add value to existing services and improve capabilities. ?Examples of cloud inter-mediation include managing access to cloud-based services, carrying out performance reporting, and establishing stronger security.

Cloud aggregation

As mentioned earlier, some cloud customers may end up subscribing to multiple cloud services; most likely from different cloud service providers. To get optimal return on their various cloud subscriptions, these customers will need to apply data integration and make these disparate systems work together. They will also have to make sure data flowing from one system to another is kept secure. This is where cloud aggregation comes into play.

Cloud arbitrage

This entails finding the best cloud service provider(s) to solve a particular problem. One example is comparing different providers offering data storage services and identifying the one offering the most competitive rates.

Other cloud arbitrage brokers develop new solutions by combining the services of different cloud service providers and then offer them to cloud customers. While there are similarities between cloud arbitrage and cloud aggregation, the former is more flexible and allows the customer to transfer from one provider to another where conditions are more favourable.

Problems a cloud broker can help you solve

Just like with natural clouds, your experiences in cloud computing won’t be all white and fluffy. You’ll also encounter gray and uncertain (or even stormy) clouds.

One major issue in cloud computing is cloud security. In fact, cloud security (or the apparent lack of it) is the one thing that’s really clouding up the sky of cloud computing. But that doesn’t mean the cloud is totally insecure. Besides, there are certain types of information that really don’t require a high level of security. These types you can easily migrate to the cloud.

For sensitive information, you really need to conduct due diligence to make sure your cloud service providers’ data centres are secure enough.

Where exactly will your data be stored? Are there enough provisions for regulatory compliance? How will your data be segregated? Does the infrastructure readily support ?data forensics? Is there a sound disaster recovery/business continuity plan? These are just some of the questions that need clear answers before you sign a contract with a cloud service provider.

Also, before you sign, you need to study the SLA (Service Level Agreement) very carefully. Look at the guaranteed uptime. Is it enough to meet your own desired service levels?

Bear in mind that the answers to these questions may be too technical. This is one of those instances when a cloud broker can come in handy. As your trusted adviser, your cloud broker can break down the technical jargon and present everything in a language that you can make intelligent decisions from.

A cloud broker will also be able to study the cloud provider’s security architecture and policies and determine whether they’re sufficient to meet your own security requirements. Basically, a cloud broker will not only help you obtain answers to your questions.

He will also know exactly what vital information to extract from providers in order to ensure that you find the best deal possible.

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK