To prevent another round of million dollar scandals due to fraudulent manipulations on spreadsheets, regulatory bodies have launched major offensives against these well-loved User Developed Applications (UDAs). Naturally, internal auditors are front and center in carrying out these offensives.
While regulations like the Sarbanes-Oxley Act, Dodd-Frank Act, and Solvency II can only be effective if end users are able to carry out the activities and practices required of them, auditors need to ascertain that they have. Sad to say, when it comes to spreadsheets, that is easier said than done.
Because spreadsheets are loosely distributed by nature, internal auditors always find it hard to: locate them, identify ownership, and trace their relationships with other spreadsheets. Now, we’re still talking about naturally occurring spreadsheets. How much more with files that have been deliberately tampered?
Spreadsheets can be altered in a variety of ways, especially if the purpose is to conceal fraudulent activities. Fraudsters can, for instance:
- hide columns or rows,
- perform conditional formatting, which changes the appearance of cells depending on certain values
- replace cell entries with false values either through direct input or by linking to other spreadsheet sources
- apply small, incremental changes in multiple cells or even spreadsheets to avoid detection
- design macros and user defined functions to carry out fraudulent manipulations automatically
Recognizing the seemingly insurmountable task ahead, the Institute of Internal Auditors released a guide designed specifically for the task of auditing user-developed applications, which of course includes spreadsheets.
But is this really the weapon internal auditors should be wielding in their quest to bring down spreadsheet fraud? Our answer is no. In fact, we believe no such weapon has to be wielded at all because the only way to get rid of spreadsheet fraud is to eliminate spreadsheets once and for all.
Imagine how easy it would be for internal auditors to conduct their audits if data were kept in a centralized server instead of being scattered throughout the organization in end-user hard drives.
And that’s not all. Because a server-based solution can be configured to have its own built-in controls, all your data will be under lock and key; unlike spreadsheet-based systems wherein storing a spreadsheet file inside a password-protected workstation does not guarantee equal security for all the other spreadsheets scattered throughout your company.
Learn more about Denizon’s server application solutions and discover a more efficient way for your internal auditors to carry out their jobs.