According to Baseline Consulting, approximately 32% of corporate data is contained in enduser computing (EUC) applications and approximately 68% is stored in IT controlled applications. These EUCs – primarily spreadsheets, PC databases (e.g. Access databases), BI reports, and word documents – are often stored on employee desktops and corporate file shares, and for the most part, are uncontrolled. They lack the proper safeguards and controls one would expect with IT controlled applications, including documentation, version control, back-up and archival, change control, testing, security and access control, and more.
Fraud Prevention & Detection
for Mission Critical Spreadsheets White Paper
October 2008 P-01513, Revision A
Prodiance White Paper
Table of Contents
Table of Contents ........................................................................................................................... 1
Uncontrolled UDAs Leave Door Open for Fraud ........................................................................... 2
Auditor Guidance ........................................................................................................................... 3
Preventing & Detecting Spreadsheet Fraud .................................................................................. 3
Prodiance Enterprise Spreadsheet Manager Solution .................................................................. 5
The Bottom Line ........................................................................................................................... 11
Take the Next Step! ..................................................................................................................... 11
About Prodiance .......................................................................................................................... 12
Fraud Prevention & Detection 1 Prodiance White Paper
Uncontrolled UDAs Leave Door Open for Fraud
According to Baseline Consulting, approximately 32% of corporate data is contained in end-user computing (EUC) applications and approximately 68% is stored in IT controlled applications. These EUCs - primarily spreadsheets, PC databases (e.g. Access databases), BI reports, and word documents - are often stored on employee desktops and corporate file shares, and for the most part, are uncontrolled. They lack the proper safeguards and controls one would expect with IT controlled applications, including documentation, version control, back-up and archival, change control, testing, security and access control, and more.
When these uncontrolled spreadsheets are used in key financial processes such as closing the books, account reconciliation, revenue recognition, and financial and management reporting, then organizations face significant risk and exposure. Aside from non-compliance, a high probability of error, and operational risk, uncontrolled spreadsheets and EUCs present a safe haven for fraud and even "cooking the books." There are many well documented stories of spreadsheet errors and fraud cases available on the internet. All one has to do is search Google using the keywords "spreadsheet error" and over 4,900,00 hits are returned.
In a recent fraud case involving spreadsheets, the CFO of a software technology company used hidden rows and columns of data and invisible cells (e.g. white font on white background) to conceal financial data and falsify financial statements. The fraud was undetected for a period of 5 years. The scam eventually cost the company more than $437 million in market capitalization and caused its stock price to drop from $29.41 to $12.31 per share between February and April 2006. You can read more on this story on the CFO Magazine web site at: http://www.cfo.com/article.cfm/11779964?f=related. Other cases of spreadsheet error and fraud have been documented by the European Spreadsheet Risks Interest Group (EuSpRIG): http://www.eusprig.org/stories.htm.
Fraud Prevention & Detection 2 Prodiance White Paper
Auditor Guidance
Leading tax and audit firms recommend that organizations automate the spreadsheet controls environment to help prevent and detect spreadsheet fraud, while establishing sustainable governance. Both preventative and detective controls are recommended, along with a lifecycle approach to managing spreadsheets. Organizations can certainly implement this lifecycle process via manual efforts, but this requires employees to take on additional tasks and often breaks down over time. By leveraging technology, organizations can automate many aspects of spreadsheet management and control, from discovery and inventory, to risk assessment, remediation, management and contro... [download for more]
