2011 EUCAs Training New

End User Computing Application (EUCA) Training

End User Computing Application (EUCA) Training - Contents

• Introduction• Why End User Computing Application (EUCA) Controls ?• Severe Corporate cases on inadequate or failed EUCA controls• SOX Act & EUCA• General Motor (GM) Policy on EUCA Controls• CCL 3232 – EUCA Controls• EUCA Course in GM University• EUCA Timelines• Miscellaneous

EUCA - Training


• Introduction• Why End User Computing Application (EUCA) Controls ?• Severe corporate cases on inadequate or failed EUCA controls• SOX Act & EUCA• General Motor (GM) Policy on EUCA Controls• CCL 3232 – EUCA Controls• EUCA Course in GM University• EUCA Timelines• Miscellaneous

EUCA - Training

End User Computing Application (EUCA) - Introduction

Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies.

Spreadsheets once used to support simple functions such as logging, tracking and totaling information are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated—and sometimes convoluted—models and other business functions with minimal or no documentation.

Spreadsheets are also the lowest cost business IT tool when stacked up against other functional tools. As a result, spreadsheets are used to support critical business processes in most organizations.

EUCA - Training



EUCA - Training

Why End-User Computing Application (EUCA) Controls ?

Spreadsheets typically have a wide range of complexity and usage. Virtually all companies use spreadsheets in some part of the creation of their published accounts. In fact, research indicates that over half of financial management reporting is performed with spreadsheets by accounting and finance professional. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their financial results.

•The Journal of Property Management on July 1, 2002 stated, “30% to 90% of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100%. ”

•Stephen Powell from the Tuck Business School at Dartmouth College in New Hampshire found that 15 workbooks contained a total of 117 errors. Seven of the errors uncovered were estimated to have cost impacts ranging from $4 million to $110 million.

EUCA - Training

• A few years ago Professor Ray Panko, at the University of Hawaii, pulled together the available evidence from field audits of spreadsheets. These are the results he shows:

Why End-User Computing Application (EUCA) Controls ?

StudyNumber of

SpreadsheetsSpreadsheets

with errorsPercentage with errors

PwC 23 21 91%KPMG 22 20 91%Lukasic 2 2 100%Butler (HMCE) 7 6 86%

Total 54 49 91%

EUCA - Training

EUCA Training - Contents


EUCA - Training

Severe corporate cases on inadequate or failed EUCA controls

Mentioned below are some severe cases of inadequate or failed EUCA controls –

“ A single wrong figure on a spreadsheet forced Credit Suisse to markdown its profits by £86m. The error came in the German subsidiary of the bank’s Winterthur arm, marking an embarrassing first year in charge for the insurer’s Lenny Fischer. It means … fourth-quarter income was lowered 16.7% to £430 million…”

Source - London Evening Standard 26th March 2004

Fidelity's Magellan Fund reportedly reversed a net capital gain of $1.3 billion dollars when it discovered that its accountant had omitted a minus sign while transferring financial data from one spreadsheet to another. As a result, the fund faced the embarrassment of abandoning its public plan to distribute dividends since the spreadsheet had resulted in the dividend estimate to be off by $2.6 million. Source: "Computing error at Fidelity's Magellan Fund", The Risks Digest, Volume 16, Issue 72

EUCA - Training

Canada's biggest publicly traded power generator, the TransAlta Corporation, said a clerical error in contract bidding cost it $24 million this quarter, setting off a sharp decline in its stock price. The company submitted an erroneous bid , the company spokesman said. The mistake will reduce earnings by the equivalent of 11 Canadian cents a share. TransAlta's shares fell 77 Canadian cents, to 17.98 Canadian dollars ($13.16) a share, on the Toronto Stock Exchange.

Source: "World Business Briefing | Americas: Canada: Power Contract Error", The NY Times (June 5, 2003)

- Risk: Loss of Market Share, Loss of company market capitalization - Avoidance: Spreadsheet reconciliation with working papers, Spreadsheet Review


EUCA - Training

"Some aspiring police officers who took a government exam said they were told they passed a big test, but found out later that they had actually failed. A national company called AON administered the test and told the board someone incorrectly sorted the results on a spreadsheet, so the names and scores were mismatched", NBC 13's Kathy Times reported.

- Risk: Public Embarrassment, Loss of Investor Confidence - Avoidance: Spreadsheet Data cross-check


EUCA - Training

Shares of RedEnvelope Inc. tumbled more than 25 percent Tuesday after the online retailer drastically reduced its fourth-quarter outlook and said its CFO will resign in April. Analyst Rebecca Jones Kujawa said in an interview. "...they were underestimating the cost of goods sold....it is likely CFO is being pushed out because of this error, which could demonstrate a material weakness in controls over financial reporting, an issue that usually leads to a lengthy review of accounting practices." RedEnvelope spokeswoman said the budgeting error was simply due to a number mis-recorded in one cell of a spreadsheet that then threw off the cost forecast and was unrelated to the CFO change.

- Risk: Loss of share value, Investor Confidence, Career Damage - Avoidance: Data Quality Control

For more severe cases on inadequate or failed EUCA controls, please click here


EUCA - Training



EUCA - Training

Applicability of Sarbanes-Oxley Act 2002 on EUCA

• In the past decade, accounting scandals and financial reporting errors have led to heightened awareness of the need for IT controls and legislation of control regimes. In the United States, the Sarbanes–Oxley Act of 2002 (SOX) was one of the early initiatives to legislate internal controls over financial reporting.

• Section 404 of SOX Act on ‘Internal Controls Over Financial Reporting’ requires all publicly traded companies to address the problem of spreadsheet management and to assume some accountability for generating accurate information from spreadsheets for financial reporting.

EUCA - Training



EUCA - Training

GM Policy on EUCA Controls

Controller’s Circular Letter 3232, revised on 10th September 2009, deals with GM policy relating to EUCA controls.

As per Controller’s Circular Letter (CCL) 3232, the term ‘End User Computing Application’ has been defined as ‘to encompass Excel Spreadsheets, Access databases, SQL Databases, Visual Basic (VB), Java, Lotus Notes databases and any other computer-based application that is NOT supported by IS&S.’

The CCL-3232 on EUCA Controls covers the following – 1.Identification of Key EUCA / Assessing Risk2.Common Errors3.Expected Controls4.Documentation Requirement

EUCA - Training

EUCA - Training

CCL 3232 – EUCA Controls

1. Identification of Key EUCA / Assessing Risk -

Management is ultimately responsible for a Key EUCA. Therefore, the controls within a Key EUCA must be reviewed by management prior to its use in a journal entry, disclosure, or performance of a SOX control.

Management is also responsible for verifying the completeness and accuracy of Key EUCAs as they are used during the ordinary course of business. It is essential that data from Key EUCAs used in financial reporting be accurate, complete, and timely.

A methodology has been developed to determine the complexity of spreadsheets, classifying them as High Risk or Other Risk. Decision tree on the following slide explains the methodology for identifying the key EUCA files -

EUCA - Training


Step # 1

No

If ‘Yes’ to any of the above

EUCA Decision Tree

Step # 2

Determine if EUCA is Key EUCA -•Results in creation of a Journal Entry (JE)•Used in performance of key SOX control•Supports disclosure information

Perform the following Action Items -•Implement Controls •Add EUCA to NST inventory•Maintain evidence of control performance•Create required documentation

Determine if EUCA identified is High Risk EUCA-•Impact of $10 Mn (Rs.45 Cr) per month or $25 Mn per year•Supports External Reporting (eg. Disclosures)•20 or more different variables require updation•Usage of over 100 Formulae or Macros•Multiple people involved in updating the file•Management decision that it is High Risk

If ‘Yes’ to any of the above

No

Optionally Follow ‘Action Items’Below

Optionally Follow ‘Action Items’Below

2. Common Errors

There are many common errors associated with EUCAs as described below :-

• Failure to check the accuracy of the calculations made by the formulas. • Failure to check the accuracy of the user's input back to the source information. • Creating formulas based upon certain assumptions that may be in error or later

change, causing calculation errors. • Having too many different areas/worksheet tabs within a Microsoft Excel

Spreadsheet or too many tables within a Microsoft Access Database for the user to fill in each month. This could result in data occasionally being missed or being significantly difficult to trace back to the source.

• Using more than one format for data entry (e.g., values, dates), causing errors when calculations or comparisons between data fields are performed. …continued


EUCA - Training

2. Common Errors• Failure to protect fields from unintended changes.• Not verifying that "linked" cells and workbook pages are current and still bringing in

the correct fields of information. Failure to perform EUCA independent verification sufficiently.

• Storing files where others may accidentally or intentionally delete or change them. • Failure to maintain a second copy of the EUCA as back-up.

Implementing controls like the ones addressed in the Section 3- ‘Expected Controls’ will assist in preventing the above mentioned common errors.


EUCA - Training


3. Expected ControlsCCL 3232 identifies below mentioned five categories of controls that users must incorporate into all Key EUCA spreadsheets -

EUCA - Training

S. No. Type of Documentation High Risk Other Risk

4.1 Overview and Instructions Required Optional4.2 Accounting example and related footnotes Required Optional4.3 Documentation of Controls Required Optional4.4 Process Flow Chart Required Optional4.5 Change Log Required Optional

See following 4 slides for details on above


4. Documentation Requirement –

It is essential that certain documentation be maintained so that the purpose and use of the EUCA is clearly ascertainable (this information should be within the EUCA, for example, on a separate tab in the Excel workbook). The following are required for Key EUCAs classified as high risk and recommended for all other EUCAs:

EUCA - Training

4.1 Overview -Provides an overview of file• Purpose served by the File• Nature of information/ data it contains• Frequency to update the data• Data that remains constant & data updated frequently• Kind of JV / Management decision supported by file

Instruction – • Brief description of contents• If the file contains different variables, provide brief idea of the same

EUCA Documentation Requirements

EUCA - Training

Overview & Instructions

4.2 Accounting Example & Related Footnote • Accounting entry passed – along with amount• Entry passed by whom / when, etc.• GL heads affected by entry• Effect on Revenue/ Expense/ Balance sheet• Underlying assumptions, if any


EUCA - Training

Accounting Example

4.3 Documentation of ControlsFour types of controls are required to be in incorporated & documented in every High Risk EUCA spreadsheet. Mentioned below are the four types of control -

Attached is the Checklist as prescribed in CCL – 3232 for ‘Documentation of Controls’ which needs to be addressed.

Type of Controls High Risk Other RiskInput controls Required OptionalCalculation controls Required OptionalReporting controls Required OptionalGeneral controls Required Optional


EUCA - Training

Checklist

4.4 Process Flowchart – Provide a pictorial view as to • Source(s) of the input data• Source(s) of data updates• End use of data / EUCA file

4.5 Change Log – • Any changes made in the EUCA is required to be captured in the change log in the

prescribed format as given below. • All the changes made to existing EUCA file must be approved by concerned EUCA

owner & reviewed by a independent person.


EUCA - Training

Change Log

Process Flow Chart



EUCA - Training

EUCA Course in GM University (GMU)

• A training course on EUCA (GMU course number 33541) has been created in order to enhance the control environment over Microsoft Excel Spreadsheets and Microsoft Access Databases. This course is required to be taken by all GM Finance Staff employees. It is also encouraged for non-finance employees.

• Mentioned below are several other related courses available through the GM University website offering more information on MS Excel and MS Access:

- Microsoft Excel 2003 Fundamentals (Course Number 28422) - Microsoft Excel 2003 Proficient User (Course Number 28423) - Microsoft Excel 2003 Expert Part 1 (Course Number 28420) - Microsoft Excel 2003 Expert Part 2 (Course Number 28421) - Microsoft Excel 2003 Fundamentals (Course Number 28418) - Microsoft Excel 2003 Proficient User (Course Number 28423)

EUCA - Training



EUCA - Training

EUCA Timelines

Timelines for EUCA Risk Ranking & Related activities

S No Activity Responsibility Frequency Time Line

1

Completion of EUCA inventory or Assessment of High Risk & Other Risk EUCA files. Ranking to be reviewed by reporting authority and CFO.

Functional Manager Once in a year Q1

2 Confirmation of controls implemented (signature on the check sheet) Functional Manager

Once for every spreadsheet unless

revised

Within one month from end of Quarter in which

inventory is updated

3 Update Inventory & risk ranking – submit changes using “EUCA Inventory form" Functional Manager Every Six months

Within one month after the lapse of 6 month

period

4 Review of EUCA controls by IC Local IC Team Once a year Annual with SOX/PRM

Functional EUCA coordinator is responsible for the timely completion of above.

EUCA - Training

Risk Ranking Template



EUCA - Training

Miscellaneous

• For the purpose of helping in implementation & strengthening of existing EUCA controls, attached are two excel sheets containing the numerous formulaes and their functionality –

More on the type & functionality of MS Excel formuleas can be searched on Google

EUCA - Training

MS Excel Formulaes

Learn Functions in MS Excel

EUCA Training

Thank You

Date post:	12-Mar-2015
Category:	Documents
Upload:	deep-rustagi
View:	58 times
Download:	0 times

2011 EUCAs Training New

Documents