
Kennesaw State University
DigitalCommons@Kennesaw State University

Faculty Publications

7-2011

End-User Computing Applications

Mary C. Hill, Kennesaw State University, [email protected]
W. Alan Barnes, Assurant

Follow this and additional works at: http://digitalcommons.kennesaw.edu/facpubs
Part of the Accounting Commons, and the Management Information Systems Commons

Recommended Citation
Hill, Mary Callahan, and W. Alan Barnes. "End-User Computing Applications." The CPA Journal 81.7 (2011): 67-71.

This Article is brought to you for free and open access by DigitalCommons@Kennesaw State University. It has been accepted for inclusion in Faculty Publications by an authorized administrator of DigitalCommons@Kennesaw State University. For more information, please contact [email protected].

The CPA & the Technology

End-User Computing Applications

Implications for Internal Auditors and Managers

By Mary Callahan Hill and W. Alan Barnes

JULY 2011 / THE CPA JOURNAL 67

Businesses today rely on the work being done by staff using personal computers. The proliferation of personal computers has led to widespread implementation of end-user computing applications. As their name implies, end-user applications are designed, implemented, and controlled by users rather than by IT professionals. End-user applications can be risky for organizations, both with respect to management decision making and to financial reporting. For public companies, the risk involved in these applications has been increased by the requirements of the Sarbanes-Oxley Act of 2002 (SOX), which call for management to document end-to-end financial operations and internal control structures. Following is a review of the reasons for the prevalence of end-user applications and their inherent problems, as well as strategies for the internal control of these applications for various-sized businesses.

Background

The following is a textbook definition of end-user computing:

[A]n information system developed by the users themselves rather than IT professionals to meet company operational or management information needs. An end-user application often extracts or transfers from a corporate as a starting point. (Marshall Romney and Paul Steinbart, Accounting Information Systems, 10th ed., 2006)

End-user computing can result in applications such as spreadsheets, , data extraction queries, specialized reports, and websites. End-user computing applications, particularly spreadsheets, are essential to business processes: A recent survey indicates that 70.1% of companies rely heavily on spreadsheets for critical portions of their business processes or to complete their financial reporting (“Spreadsheet Management: Not What You Figured,” Deloitte, www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Spreadsheet_eBrochure_070710.pdf).

A do-it-yourself mentality is prevalent in society today, and end-user computing fits well with this mindset. End-user computing gives the user control over a technology project, so that explaining subject area or technical requirements to an IT specialist is not required. Further, the end user controls the time schedule of the development, which generally results in a quicker solution. The end user employs his own resources (time and knowledge) in developing the application and, thus, does not have to wait for the funding and scheduling of the project through an IT department’s budgetary processes. End-user computing tends to become even more prevalent when budgets are tight and funds cannot be spent to acquire new software, and it has become popular as users have grown more sophisticated and more confident in their abilities to develop technical solutions.

Risks

End-user computing, however, can result in four significant risks from an operational or financial reporting standpoint. First, there is the risk that the end-user application will have unintentional errors that result in poor decision making or inaccurate financial reporting. Second is the risk that scarce resources (money or employee time) will be wasted on developing these applications. The third risk is that end-user applications will be used to perpetrate fraud or hide losses. Finally, end-user applications increase the risk of data breaches.

A recent study of spreadsheets—one of the most popular end-user computing tools—has found that over 90% of spreadsheets have errors (Raymond R. Panko, “Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks,” Communications of the Association for Information Systems, vol. 17, 2006). These unintentional errors can lead to poor decision making or additional costs. For example, in late 2008, Barclays Capital used a spreadsheet to determine which assets belonging to Lehman Brothers it wished to buy after Lehman’s bankruptcy. In the rush to file before the bankruptcy court deadline, however, errors were made in spreadsheet use and formatting that caused Barclays to list assets in the final purchase offer that it did not want to purchase. As a result of this error, Barclays had to file a legal motion to exclude 179 Lehman contracts worth several million dollars that were mistakenly included in the asset purchase agreement (Frank Hayes, “Frankly Speaking: No. 1 Rule for Users: Keep It Simple,” Computerworld, October 20, 2008). End-user applications have also been known to cause errors in financial reporting; recently, large accounting firms have issued client advisory documents that cite these applications as a significant threat. An example of a financial reporting error occurred in 2005, when Eastman Kodak was forced to restate financial results due to a spreadsheet that incorrectly calculated severance and pension-related termination benefits (Richard Morochove, “Tech at Work: Spreadsheet Slip-ups Cause Financial Errors,” PCWorld, September 2006).

End-user applications are prone to unintentional errors from a variety of sources. One source is the lack of a systems development process. Because end-user applications are often developed in haste to meet an immediate need, the user/developer may decide to prioritize timeliness over the risk of errors (Jonathan P. Caulkins, Erica Layne Morrison, and Timothy Weidemann, “Spreadsheet Errors and Decision Making: Evidence from Field Interviews,” Journal of Organizational and End User Computing, July–September 2007). These time pressures cause end users to omit standard systems development activities, such as a program walkthrough, testing, documentation, and independent review. Failure to utilize these steps can cause errors either in the formulation of the application (e.g., an incorrect understanding of the calculations required) or in the creation of the application (e.g., incorrect specification of a formula in the spreadsheet or incorrect report generation). Increasing the risk of errors is the problem that users tend to be overconfident in their system development abilities (Panko 2006). The selection of the end-user tool can also be a source of errors. End users frequently select the tool they know best, rather than the best tool for the job. The most common example is when end users develop applications using spreadsheets, when a database tool would be better. (A database tool is preferable when an application contains a large number of records or when the application requires searching and sorting capabilities.) Another source of errors arises from the need to input data into the application; data can be miskeyed or incorrectly or incompletely extracted from a database. Finally, lack of documentation of the application can be a source of errors. If the initial developer leaves the organization, other employees might not know how to use the application, which can result in errors (e.g., a spreadsheet user enters data into a calculated field, overwriting a formula).

Another risk is that companies will waste scarce resources developing end-user applications. Often, end users spend an inordinate amount of time developing an application, only to find that there is existing software that already performs the task (Stanley Earl Jenne, “Audits of End-User Computing,” Internal Auditor, December 1996). Wasted resources also occur due to duplication of applications within the same company, as individual departments create similar end-user solutions for a common problem but do not share them across departmental boundaries. Another potential waste of resources is when users spend hours developing an application that an expert could have developed in a few minutes or using more efficient technology. Still another possible waste of resources is when a user chooses unusual development software that does not communicate with the company’s standard platform. The lack of documentation on these applications means that if the initial developer leaves the organization and other employees do not know how to properly use it, the application can fall into disuse. When an end-user application is disused, the organization loses both the time spent developing it and the ability to perform an organizational task.

End-user applications can be risky from the perspective of intentional misstatements and frauds. The separation of duties that is built into systems developed via IT departments does not exist in end-user applications. In many cases, the developer is simultaneously sponsor, programmer, tester, and user (Deloitte 2009). The tools used for end-user applications are meant to be user friendly and flexible, but these qualities make applications developed with the tools easy to manipulate. An example of this risk is shown in the spreadsheet fraud that was perpetrated by Allfirst Bank trader John Rusnak. Rusnak lost close to $700 million in bad trading decisions. To cover his losses, he substituted a falsified spreadsheet as the input to a production trading system that his supervisors used for control (Gary Flood, “Spreading the Blame,” Financial Director, May 25, 2006).

Finally, end-user applications can be risky with respect to data breaches. Many end-user applications extract data from a production database into the end-user application. The data then become much less secure, because the application can be stored on a user workstation, laptop, flash drive, or other portable device. A 2008 study found that more than 800,000 laptops are lost each year by users traveling through airports in the United States and Europe (Donna Fuscaldo, “Services Find Lost, Stolen Laptops,” FoxBusiness, February 11, 2010). The press frequently reports data breaches due to lost or stolen laptops containing confidential data, including Social Security or credit card numbers.

Control

End-user applications are an issue for all sizes of companies, but the approach to controlling these applications depends on the size of the company, its resources, and the number of end-user applications. Thus, we discuss control strategies for end-user computing based on size classifications as follows: Large companies are defined as those that have internal audit and IT departments, midsized companies are those that have some designated IT specialists, and small companies are those that have few departmental classifications.

Large companies with internal audit staff are most likely to be aware of the risks related to end-user computing applications. Recently, the Institute of Internal Auditors issued Global Technology Audit Guide 14 on this topic (Christine A. Bellino, Douglas Ochab, and Jeffery S. Rowland, Auditing User-developed Applications, June 2010). Smaller companies have less guidance on this issue.

Two efforts are required to make sure that end-user applications are properly controlled and do not have a negative effect on either financial reporting or operational decision making. The first effort is to establish controls over the development of end-user computing applications. The second is examining the end-user applications themselves.

Control over development includes a policy on end-user applications, communication about end-user applications, and training on software to develop end-user applications. Below, we discuss each of these aspects of control over development of end-user applications in general and then, more specifically, how that aspect might be put in place for various sizes of companies.

Policy

For all companies, a policy should be put in place and communicated to employees about the use of end-user applications (Morochove 2009). The goals of having a policy are to promote consistency in development of end-user applications, to ensure that applications are developed with some form of control, and to make certain that the application is examined by at least one other employee. Meeting these goals should help to eliminate unintentional errors from the end-user applications.

A policy to address end-user computing is particularly important for large companies, because some large companies have been known to have hundreds of end-user applications (Panko 2006). Further, large companies are most likely to be subject to the requirements of SOX or other regulations such as the Payment Card Industry Data Security Standard. In large companies, the policy would most effectively be developed as a joint effort between the internal audit and IT departments. Policies may have to be approved by, or conform to standards set by, the companies’ external auditors. Once the policy is developed, it needs to be communicated to employees. IT staff (training specialists or help desk personnel) or internal auditors who interface with users should be aware of and promote the end-user computing policy.

One portion of the policy should include a description of a process that users should follow when developing applications. This type of process is generally referred to as a systems development life cycle (SDLC). In general, SDLC processes include how to define requirements for an application; how to confirm the requirements by walking through the proposed application with another knowledgeable user; how to select the appropriate software for the application; how to conduct appropriate testing; the type of documentation needed; and implementation standards, including backup and the need to cross-train at least one other user on the application (Romney and Steinbart 2006). Large companies are likely to already have an SDLC process in place in the IT department, and for simplicity and efficiency, the end-user computing policy should utilize the same SDLC process. The importance of testing should be particularly emphasized because end users have been found to be overconfident about their technical competency (Panko 2006).

Another portion of the policy should include internal controls surrounding end-user applications once they are developed.

These controls include version standards, documentation standards, and access controls. Version standards include the development of a naming convention, the storage and backup of versions of the application, and a method to ensure that only the latest version is being used. Documentation standards should ensure that, to the greatest extent possible, the application is self-documenting, using tools such as clear field labels and built-in instructions. Access controls should require the application to have passwords and should require that applications with critical or sensitive data be stored on secure servers that are backed up frequently.

For large companies, the policy should provide a checklist to determine the level of risk in the application. Using the checklist, users should determine the risk in their application and report the risk level to the internal audit department for determination of potential inclusion of the application in the internal audit staff audit plans. The more “yes” answers to the questions below, the riskier the application. The following factors increase risk:

■ Does the output of the end-user application significantly impact decisions about operations? If yes, what is the maximum dollar impact?
■ Is the output used for accounting or financial reporting purposes? If yes, what accounts are affected?
■ Would the loss of the end-user application or its output have a detrimental operational, financial, or legal impact? If yes, what losses would occur?
■ Do multiple users rely on the end-user application or its output? If yes, list the downstream users.
■ Are the data contained in the application confidential to the business or employees? If yes, specify the nature of the confidential data.
■ Is the application particularly complex with respect to calculations? If yes, briefly describe the nature of the calculations.
■ Does the input to the application rely on multiple applications, such as a database extraction query to input data into a spreadsheet? If yes, then the application’s risk increases because either the end-user application itself or the process for loading data could contain an error.

While small and midsized companies have fewer resources to devote to controlling end-user applications, they must still make an effort to set up some policies to avoid the risks noted above. In midsized companies, the responsibility for developing a policy for end-user computing would normally rest with the controller or accounting manager. Department managers would communicate the policy to their employees. Midsized companies are less likely to have a formal SDLC process, but some aspects of those processes should be included as part of the end-user computing policy. Most importantly, the policy should emphasize how to conduct appropriate testing of an application and that the application needs documentation. Policies for midsized companies should also emphasize that end users should employ only standard and well-known application software packages (e.g., Microsoft Excel and ) so that other users within the company will be familiar with the development tool. Controls over the developed application should be similar to those for large companies and include version standards, documentation standards, and access control.

Small companies have even fewer resources available to develop and implement formal policies. Further, in small companies with informal cultures, implementing policies and controls can imply a lack of trust, thereby hurting morale and dampening the initiative that is central to end-user application development (Caulkins, Morrison, and Weidemann 2007). A policy with respect to end-user applications should be part of a small company’s control environment; in fact, simply raising awareness of the issue among staff members will help reduce risk. Small companies should also stipulate in their policies that end users utilize only well-known application software packages, that they use templates rather than starting from scratch on each new application, that they adhere to reporting standards (such as using brackets for negative amounts), and that they try to keep the application as simple as possible by avoiding complex formulas. Small businesses might also find it valuable to designate an employee as the “technology expert” and request that end-user applications be cleared with the company expert (Caulkins, Morrison, and Weidemann 2007). Like other companies, small companies should have policies to control the developed application: version standards, documentation standards, and access control.

Communication

Communication about end-user applications is important in order to eliminate waste. If end-user applications are developed without communication, there is more likelihood of duplicate or overlapping applications within a company. Thus, communication includes monitoring development across departments or branch offices that might develop overlapping or redundant end-user applications. Communication will help alleviate application losses that occur when developers leave the company. End users should communicate the purpose of the application, the tool that is being used to develop the application, their contact information, the location of the application, and the location of the application’s documentation.

In large companies, communication should center on the IT support staff and user help desk. IT support staff should act as a clearing house for the coordination of end-user applications. Communication to the IT department and internal audit should occur at the beginning of the end-user development. Communication to the IT staff also facilitates any technical support that the user might need during the development and testing of an application.

In small and midsized companies, supervisors should encourage staff members to discuss possible end-user applications with them prior to initiating efforts to develop the application. Supervisors should share developments with peers in other departments and with relevant IT support staff.

Training

Training on end-user application software is critical to successful implementation of the end-user policy and the controls over the application itself. Training is important in order to avoid waste in the development of the applications. Training issues are the same for all sizes of companies—the only difference would be whether the training is offered within the company or by an outside vendor. End users must know how to use the development software, they must be able to evaluate the complexity of the application they are planning to develop, they must be able to estimate the time involved, and they must know where to get help if they are having trouble with the development software. Supervisors should encourage employees to attend training classes. It is also important for supervisors to be knowledgeable about software in order to appropriately direct their employees’ application development efforts.

As part of each application’s training, users must be made aware of the appropriate—and inappropriate—tasks for the application. Training should include the control attributes that are built into the application, such as how to protect the application using passwords; how to prevent input errors using locked data fields, embedded edits, or drop-down lists; and how to use any embedded auditing tools (e.g., Microsoft Excel comes with an auditing tool that shows cell dependencies). Users also need to be trained in how to use the self-documentation features of the application, such as track changes and printing application structures. Finally, end users should be made aware of software that helps debug applications, such as Spreadsheet Detective or OpenGate Software for Microsoft Access.

Examining End-User Applications

For all companies, examining end-user applications consists of two activities. The first is gaining knowledge of the applications that exist and their purpose; the second is testing the application for accurate processing. Examining end-user applications is important in order to avoid all four potential risks associated with these applications: errors, waste, fraud, and data breaches.

In large companies, examining end-user applications would most naturally be performed by the internal audit staff. Internal audit would first conduct an inventory to identify end-user applications that are currently being used. An inventory can be conducted using either of two methods or a combination of both methods. One method is to survey users about their use of end-user applications to complete business processes or financial reporting. The survey would include questions on the purpose of an application, how frequently it is used, the number of copies or versions of the application, and whether there is adequate documentation of the application. The other option for conducting an inventory is to scan the company network for specific file extensions (e.g., “.xls” or “.mdb”). Each method has limitations: The survey relies on user responses, while the scan excludes laptops, other nonnetworked computers, flash drives, and other portable media.

Once the critical end-user applications are identified, internal auditors should perform tests on them. In large companies, testing might start with the following:

■ A review of the application documentation or a review of the self-documenting features of the application
■ A review of the version control processes in place surrounding the application and consistent use of naming conventions
■ A review of the distribution list for the application or its output
■ A review of the output of the application, such as making sure that the reports are transmitted as PDF files rather than as copies of the application itself (unless the application will require further downstream input)
■ A comparison of input data to source material
■ A review of the backup process for the most current version of the application
■ A review of the termination control process, if an employee who “owns” a critical end-user application leaves the company.

These steps will also help an auditor gain an understanding of the application. The examination of the application would continue by having the auditor use the application itself. Some tests include the following:

■ Testing the access control to the application by trying to log on using a password and user ID
■ Recomputation of critical calculations
■ Testing field edits or drop-down lists
■ Trying to enter data into locked fields
■ Generation of critical reports.

Test results should be documented, along with suggested remediation efforts.

In small and midsized companies, which generally do not have internal audit departments, examination of end-user applications would be conducted less formally. However, inspection is almost more important for small companies than large companies because large companies will create processes to build quality into end-user applications, while smaller companies tend to try to “inspect” quality into the applications (Caulkins, Morrison, and Weidemann 2007).

Midsized companies might want to keep a list of critical end-user applications, along with the developer name. In midsized companies, another employee should be assigned to both examine and be cross-trained on the application. The training would include how to access the application, how data is input to the application and how to verify that the input is correct, the critical calculation in the application, a review of the documentation for the application, and the backup and storage processes for the application. The testing would occur by assigning the cross-trained employee to utilize the application in the absence of the original developer.

For small companies, examination of end-user applications will primarily rest with the developer’s supervisor. Companies may want to develop a checklist of things to look for in end-user applications, such as critical calculations or locked fields. Further, it is important that the supervisor perform a “sniff test” that examines both any critical assumptions used to develop the application and the bottom-line reasonableness of any output of the application (Caulkins, Morrison, and Weidemann 2007).

Controlling Risk

End-user applications are a critical business resource and a fact of life in today’s organizations. While end-user computing has many benefits, there are risks involved in it that need to be recognized and controlled. Some audit staff and IT professionals argue that, given the spontaneous nature of the development of end-user applications and their immense number, these applications are impossible to control. However, uncontrolled development of end-user applications leaves an organization open to error, waste, and fraud. Therefore, even the smallest companies must make some effort to control them. Steps to control the development and use of end-user applications include implementing policies that govern their development, increasing communication about the applications, training users, and independent examination of critical applications. ❑

Mary Callahan Hill, PhD, CPA, is a professor of accounting at Kennesaw State University, Kennesaw, Ga. W. Alan Barnes, CPA, CIA, is a director of risk and advisory services at Assurant, Atlanta, Ga.
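As an added example (not part of the article or its authors' work), the following Python script carries out the network-scan method of inventory described above: it walks a file share for the extensions the article names (“.xls” and “.mdb”) plus assumed modern equivalents, hashes each file so that copies of the same application held by different departments are grouped together, and flags file names that do not follow an assumed versioned naming convention. The directory layout, the extra extensions, and the naming rule are assumptions, and the sample share is constructed in a temporary directory.

```python
"""Inventory of end-user applications on a shared file tree (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from dataclasses import dataclass

# ".xls" and ".mdb" are the extensions the article names; the others are
# assumed modern equivalents a scan would also want to catch.
EUC_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".mdb", ".accdb"}

# Assumed naming convention: <name>_v<major>.<minor>, e.g. payroll_v2.1.xlsx
VERSIONED_STEM = re.compile(r"^[A-Za-z0-9-]+_v\d+\.\d+$")


@dataclass(frozen=True)
class Finding:
    path: str         # path relative to the scan root
    department: str   # first directory under the scan root
    sha256: str       # content hash, used to spot copies
    versioned: bool   # file name follows the naming convention


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: str) -> list[Finding]:
    """Return one Finding per end-user application file under root, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EUC_EXTENSIONS:
                continue  # not a spreadsheet or desktop database
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            parts = rel.split(os.sep)
            department = parts[0] if len(parts) > 1 else "(root)"
            findings.append(Finding(rel, department, _sha256(full),
                                    VERSIONED_STEM.match(stem) is not None))
    return sorted(findings, key=lambda f: f.path)


def duplicates(findings: list[Finding]) -> dict[str, list[str]]:
    """Map content hash -> paths for files stored in more than one place.

    Identical copies held by different departments are the duplicate or
    overlapping applications the article says waste resources."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for finding in findings:
        by_hash[finding.sha256].append(finding.path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def unversioned(findings: list[Finding]) -> list[str]:
    """Paths whose file name breaks the versioned naming convention."""
    return [f.path for f in findings if not f.versioned]


def build_sample_tree() -> str:
    """Constructed sample share: three departments, one shared copy, one stray file."""
    root = tempfile.mkdtemp(prefix="euc_scan_")
    sample = {
        "finance/budget_v1.0.xlsx": b"budget model, formulas intact",
        "finance/notes.txt": b"not an application, must be ignored",
        "sales/budget_v1.0.xlsx": b"budget model, formulas intact",  # identical copy
        "sales/pipeline.mdb": b"desktop database with no version tag",
        "hr/severance_v2.3.xls": b"severance and pension calculation",
    }
    for rel, content in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)
    return root


if __name__ == "__main__":
    found = inventory(build_sample_tree())
    for item in found:
        print(f"{item.department:8} {item.path:28} versioned={item.versioned}")
    print("copies of the same file:", duplicates(found))
    print("names outside the convention:", unversioned(found))
```

Like the article's scan, this only sees what is reachable on the share; laptops, nonnetworked computers and portable media still require the user survey.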
