
End-User Computing EUC Auditing Desktop Applications

Date post: 12-Feb-2016
Upload: harumhr2000
End User Computing / Desktop Apps Audit Process & Internal Control December 11, 2013

Agenda

What are they?

What about them?

What goes wrong?

What should be controlled?

Determining Your SOX Population

Inspection Requirements


What are they?

EUCs (sometimes referred to as desktop applications) are tools developed and employed by end-users to assist in facilitating judgments or calculating numbers that impact financial statements or related footnote disclosures.

These are usually in the form of desktop tools such as spreadsheets, databases and other reporting tools such as report writers.


What about them?

Lack of adequate control mechanisms applied to EUCs may jeopardize the accuracy, integrity, and timely availability of data. Reliance on inaccurate data can result in poor management decisions and possibly lead to inaccurate financial reporting.

EUCs often cover many assertions for SOX coverage.

Requires standards to be utilized in determining the required control structure that should surround EUCs and what elements the control structure should contemplate.


What goes wrong?

• Errors in the download from the company’s systems such as:
    a. An incomplete download (e.g., missing a G/L account or a region).
    b. An out-of-date download / query.
    c. A partial download, where transmission or other errors prevented completion of the entire download.
• Use of an intermediate database (e.g., a data warehouse) that is not complete, accurate, or current.
• The incorrect population of the download data into the various cells in the spreadsheet.
• Errors in spreadsheet calculations, sorts, or other programmable elements.
• Overwriting formulas with data.
• Use of an out-of-date spreadsheet, including use of a current spreadsheet where the calculations are not refreshed.
• Changes to the data by the user.
• Errors in the understanding or use of the spreadsheet (e.g., where the user is not the developer and picks up the wrong total).
• Changes to the spreadsheet by another user due to poor security controls.


What should be controlled?

ITGC                   EUC
Security               Security & Data Integrity
User Access            User Access & Segregation of Duties
Change Management      Input, Logic, Output Review & Approval
Backup and Recovery    Backup

3rd Party Service Contracts

Data Center

Documentation


Population Determination

• Need Identification process for EUCs
    Leverage SOX process
• Inventory of All EUCs
• Classification of Complexity
    Simple, Moderate, Complex
    Consider complexity of calculations, size of model, understanding / documentation of the business process, uses of the model’s output, sources of model’s input, number of users, frequency & extent of changes to model
• Determination of In-Scope for SOX:
    Complex EUC used to determine financial statement transaction amounts or balances that are populated into the general ledger and / or financial statements.
    And
    Any one or more of the following:
        Used to calculate or record a Journal Entry in aggregate in any Quarter equal to or greater than $5M.
        Used to reconcile or support an Account Reconciliation with G/L balance equal to or greater than $5M.
        Used to support a footnote or other financial disclosure


Desktop Applications (EUC)

Xerox has an Accounting policy for their Internal Control Framework
• Sub policy relating to controls over End User Computing Applications
• Requirements and responsibilities documented

Purpose of the Accounting policy:
• Provides guidelines and standards that EUCs should have in place to support the development of accurate financial reporting data.
• Outlines the standards to be utilized in determining the required control structure that should surround EUCs and what elements the control structure should consider.

NOTE:
• Lack of adequate control mechanisms applied to EUCs may jeopardize the accuracy, integrity, and timely availability of data.
• Reliance on inaccurate data can result in poor management decisions and possibly lead to inaccurate financial reporting.


Desktop Applications (EUC)

Template #2 provides the background for the desktop application.


Desktop Applications (EUC)

Template 2 includes the following information:
• Desktop Application ID #
• Desktop Application Name
• Application Type
• Owner
• Approver
• SLT Member / XCS Sr. Mgr.
• Frequency of Use (i.e., Monthly, Quarterly)
• Frequency of Backup
• Location of Application
• Financial Statement Impacts Via (check all that apply):
    Journal Entry (directly or downstream)
    Account Reconciliation
    Segment Reporting
    Other (please describe)


Desktop Applications (EUC)

Template 2 includes the following background information:

a) PURPOSE
    What activity is reflected in this application? Why is it used?
b) KEY FACTORS
    Examples include benefit rates, bonus accrual %
c) KEY ASSUMPTIONS
    What assumptions are being made that impact the output?
d) KEY CALCULATIONS
    What are the primary calculations in this application?
e) SOURCES OF INPUT / KEY INPUTS
    What is the source(s) of the information used in this application?
    What are the key inputs?
f) INPUT ACCESS
    Who has access / authority to update the application?
g) TIMING
    How often does the application impact the financial statements – daily, weekly, monthly, quarterly, etc.?

Also documented: Prepared by, Date Prepared, Date Revised


Desktop Applications (EUC)

This template is useful for a variety of reasons:
• Good tool for training / cross training
• Able to reperform / restate financials
• Facilitates approval
• Increases the ease of audit inspection

NOTE: It’s important to keep the data in the template current


Desktop Applications (EUC)

Template #1 – Desktop Applications Internal Controls Acknowledgement

Completed by both preparer and approver

Questions being acknowledged include:
• Is Template #2 current and accurate?
• Are all inputs validated?
    Input is from a Sarbox tested area
    Input is from an existing Desktop Application
    Input is not Sarbox tested and does not come from an existing desktop application, but validation is performed to ensure information received is accurate and complete.
• Are formulas, queries, macros, etc. that are part of the desktop application reviewed?
• Is the output reasonable?
• Is there a backup of the desktop application?
• Is the application password protected if on a shared drive?


Inspection Requirements

Areas of Focus during Inspection:
• Is there both a Template 1 and Template 2 provided?
• Does the Template 2 make sense? Is it sufficiently written such that an outside reviewer could make sense of it?
• Where do the inputs come from? Is the source of the input from a Sarbox application or an existing Desktop Application? If not, has evidence of the review of the input been supplied?
• Independent inspection of spreadsheets is conducted by Internal Control – EXchecker software is utilized
• Has the approver inspected and documented the inspection of some of the key formulas, macros and queries?
    Locked spreadsheets (files that prevent any changes to the content)
    Printout of Access query detail signed by approver
    Tools / Analyze / Documenter – query detail printed, noting it was reviewed. The last update date is noted.
    Printout of spreadsheet noting which formulas were reviewed


Inspection Requirements

Areas of Focus during Inspection:
• Is there evidence the output is reasonable? Examples include:
    If the desktop application supports an account reconciliation, the fact the output ties to the account reconciliation balance is sufficient
    Trend analysis, showing prior periods, expected amounts, and actual application amounts
• Is there a backup copy? Where is it located?
• Is the desktop application password protected if in a shared location?


Inspection Requirements

Final Comments
• Xerox currently has about 65 in-scope desktop applications
• Most “key” desktop applications (as determined by PwC and I/C) are inspected annually
• A sample selection of “non-key” applications is inspected annually
• Any selections that failed a quarterly inspection will be inspected the following quarter
• Quality of desktop applications impacts overall sample size. A change in overall quality will impact future sample size
• Review current processes to identify potential desktop application adds
• Review current desktop applications to identify potential removals


Questions?

