Вы находитесь на странице: 1из 34

End User Computing Application (EUCA) Training

End User Computing Application (EUCA) Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe Corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

End User Computing Application (EUCA) Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

End User Computing Application (EUCA) Introduction


Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies. Spreadsheets once used to support simple functions such as logging, tracking and totaling information are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicatedand sometimes convolutedmodels and other business functions with minimal or no documentation. Spreadsheets are also the lowest cost business IT tool when stacked up against other functional tools. As a result, spreadsheets are used to support critical business processes in most organizations.

EUCA - Training

End User Computing Application (EUCA) Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

Why End-User Computing Application (EUCA) Controls ?


Spreadsheets typically have a wide range of complexity and usage. Virtually all companies use spreadsheets in some part of the creation of their published accounts. In fact, research indicates that over half of financial management reporting is performed with spreadsheets by accounting and finance professional. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their financial results. The Journal of Property Management on July 1, 2002 stated, 30% to 90% of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100%. Stephen Powell from the Tuck Business School at Dartmouth College in New Hampshire found that 15 workbooks contained a total of 117 errors. Seven of the errors uncovered were estimated to have cost impacts ranging from $4 million to $110 million.
EUCA - Training

Why End-User Computing Application (EUCA) Controls ?


A few years ago Professor Ray Panko, at the University of Hawaii, pulled together the available evidence from field audits of spreadsheets. These are the results he shows:
Study PwC KPMG Lukasic Butler (HMCE)

Number of Spreadsheets Percentage Spreadsheets with errors with errors 23 22 2 7 21 20 2 6 91% 91% 100% 86%

To a

54

49

91

EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

Severe corporate cases on inadequate or failed EUCA controls


Mentioned below are some severe cases of inadequate or failed EUCA controls  A single wrong figure on a spreadsheet forced Credit Suisse to markdown its profits by 86m. The error came in the German subsidiary of the banks Winterthur arm, marking an embarrassing first year in charge for the insurers Lenny Fischer. It means fourthquarter income was lowered 16.7% to 430 million
Source - London Evening Standard 26th March 2004

 Fidelity's Magellan Fund reportedly reversed a net capital gain of $1.3 billion dollars when it discovered that its accountant had omitted a minus sign while transferring financial data from one spreadsheet to another. As a result, the fund faced the embarrassment of abandoning its public plan to distribute dividends since the spreadsheet had resulted in the dividend estimate to be off by $2.6 million.
Source: "Computing error at Fidelity's Magellan Fund", The Risks Digest, Volume 16, Issue 72

EUCA - Training

Severe corporate cases on inadequate or failed EUCA controls


 Canada's biggest publicly traded power generator, the TransAlta Corporation, said a clerical error in contract bidding cost it $24 million this quarter, setting off a sharp decline in its stock price. The company submitted an erroneous bid , the company spokesman said. The mistake will reduce earnings by the equivalent of 11 Canadian cents a share. TransAlta's shares fell 77 Canadian cents, to 17.98 Canadian dollars ($13.16) a share, on the Toronto Stock Exchange.
Source: "World Business Briefing | Americas: Canada: Power Contract Error", The NY Times (June 5, 2003)

- Risk: Loss of Market Share, Loss of company market capitalization - Avoidance: Spreadsheet reconciliation with working papers, Spreadsheet Review

EUCA - Training

Severe corporate cases on inadequate or failed EUCA controls


 "Some aspiring police officers who took a government exam said they were told they passed a big test, but found out later that they had actually failed. A national company called AON administered the test and told the board someone incorrectly sorted the results on a spreadsheet, so the names and scores were mismatched", NBC 13's Kathy Times reported. - Risk: Public Embarrassment, Loss of Investor Confidence - Avoidance: Spreadsheet Data cross-check

EUCA - Training

Severe corporate cases on inadequate or failed EUCA controls


 Shares of RedEnvelope Inc. tumbled more than 25 percent Tuesday after the online retailer drastically reduced its fourth-quarter outlook and said its CFO will resign in April. Analyst Rebecca Jones Kujawa said in an interview. "...they were underestimating the cost of goods sold....it is likely CFO is being pushed out because of this error, which could demonstrate a material weakness in controls over financial reporting, an issue that usually leads to a lengthy review of accounting practices." RedEnvelope spokeswoman said the budgeting error was simply due to a number mis-recorded in one cell of a spreadsheet that then threw off the cost forecast and was unrelated to the CFO change. - Risk: Loss of share value, Investor Confidence, Career Damage - Avoidance: Data Quality Control For more severe cases on inadequate or failed EUCA controls, please click here

EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

Applicability of Sarbanes-Oxley Act 2002 on EUCA


In the past decade, accounting scandals and financial reporting errors have led to heightened awareness of the need for IT controls and legislation of control regimes. In the United States, the SarbanesOxley Act of 2002 (SOX) was one of the early initiatives to legislate internal controls over financial reporting. Section 404 of SOX Act on Internal Controls Over Financial Reporting requires all publicly traded companies to address the problem of spreadsheet management and to assume some accountability for generating accurate information from spreadsheets for financial reporting.

EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

GM Policy on EUCA Controls


Controllers Circular Letter 3232, revised on 10th September 2009, deals with GM policy relating to EUCA controls. As per Controllers Circular Letter (CCL) 3232, the term End User Computing Application has been defined as to encompass Excel Spreadsheets, Access databases, SQL Databases, Visual Basic (VB), Java, Lotus Notes databases and any other computerbased application that is NOT supported by IS&S. The CCL-3232 on EUCA Controls covers the following 1. Identification of Key EUCA / Assessing Risk 2. Common Errors 3. Expected Controls 4. Documentation Requirement

EUCA - Training

CCL 3232 EUCA Controls


1. Identification of Key EUCA / Assessing Risk Management is ultimately responsible for a Key EUCA. Therefore, the controls within a Key EUCA must be reviewed by management prior to its use in a journal entry, disclosure, or performance of a SOX control. Management is also responsible for verifying the completeness and accuracy of Key EUCAs as they are used during the ordinary course of business. It is essential that data from Key EUCAs used in financial reporting be accurate, complete, and timely. A methodology has been developed to determine the complexity of spreadsheets, classifying them as High Risk or Other Risk. Decision tree on the following slide explains the methodology for identifying the key EUCA files -

EUCA - Training

CCL 3232 EUCA Controls


EUCA D
D t r
St #1

Tr
K EUCA Optionally Follow Action Items Below

f EUCA

Results in creation of a Journal Entr (JE) Used in perfor ance of key SOX control Supports disclosure infor ation

If Y

ft

Determine if EUCA identified is High Risk EUCA Impact of $10 Mn (Rs.45 Cr) per month or $25 Mn per year Supports External Reporting (eg. Disclosures) 20 or more different variables require updation Usage of over 100 Formulae or Macros Multiple people involved in updating the file Management decision that it is High Risk If Yes to any of the above No Optionally Follow Action Items Below

St

#2

Perfor

t e following Action Items -

Implement Controls Add EUCA to NST inventory Maintain evidence of control performance Create required documentation

EUCA - Training

CCL 3232 EUCA Controls


2. Common Errors
There are many common errors associated with EUCAs as described below : Failure to check the accuracy of the calculations made by the formulas. Failure to check the accuracy of the user's input back to the source information. Creating formulas based upon certain assumptions that may be in error or later change, causing calculation errors. Having too many different areas/worksheet tabs within a Microsoft Excel Spreadsheet or too many tables within a Microsoft Access Database for the user to fill in each month. This could result in data occasionally being missed or being significantly difficult to trace back to the source. Using more than one format for data entry (e.g., values, dates), causing errors when calculations or comparisons between data fields are performed. continued

EUCA - Training

CCL 3232 EUCA Controls


2. Common Errors
Failure to protect fields from unintended changes. Not verifying that "linked" cells and workbook pages are current and still bringing in the correct fields of information. Failure to perform EUCA independent verification sufficiently. Storing files where others may accidentally or intentionally delete or change them. Failure to maintain a second copy of the EUCA as back-up. Implementing controls like the ones addressed in the Section 3- Expected Controls will assist in preventing the above mentioned common errors.

EUCA - Training

CCL 3232 EUCA Controls


3. Expected Controls
CCL 3232 identifies below mentioned five categories of controls that users must incorporate into all Key EUCA spreadsheets -

EUCA - Training

CCL 3232 EUCA Controls


4. Documentation Requirement
It is essential that certain documentation be maintained so that the purpose and use of the EUCA is clearly ascertainable (this information should be within the EUCA, for example, on a separate tab in the Excel workbook). The following are required for Key EUCAs classified as high risk and recommended for all other EUCAs:
S. No. 4.1 4.2 4.3 4.4 4.5 Type of Documentation Overview and Instructions Accounting example and related footnotes Documentation of Controls Process Flow Chart Change Log High Risk Required Required Required Required Required Other Risk Optional Optional Optional Optional Optional

See following 4 slides for details on above

EUCA - Training

EUCA Documentation Requirements


4.1 Overview Provides an overview of file Purpose served by the File Nature of information/ data it contains Frequency to update the data Data that remains constant & data updated frequently Kind of JV / Management decision supported by file

Instruction
Brief description of contents If the file contains different variables, provide brief idea of the same
Overview & Instructions

EUCA - Training

EUCA Documentation Requirements


4.2 Accounting Example & Related Footnote Accounting entry passed along with amount
Entry passed by whom / when, etc. G heads affected by entry Effect on Revenue/ Expense/ Balance sheet Underlying assumptions, if any

Accoun ing Example

EUCA - Training

EUCA Documentation Requirements


4.3 Documentation of Controls
Four types of controls are required to be in incorporated & documented in every High Risk EUCA spreadsheet. Mentioned below are the four types of control y p e o f C o n tr o l s
nput controls C alculation controls R eporting controls eneral controls

Hig h Risk
R equired R equired R equired R equired

th er R i s k
ptional ptional ptional ptional

Attached is the Checklist as prescribed in CCL 3232 for Documentation of Controls which needs to be addressed.
Checklist

EUCA - raining

EUCA Documentation Requirements


4.4 Process Flowchart
Provide a pictorial view as to Source(s) of the input data Source(s) of data updates End use of data / EUCA file
Process Flow Chart

4.5 Change Log


Any changes made in the EUCA is required to be captured in the change log in the prescribed format as given below. All the changes made to existing EUCA file must be approved by concerned EUCA owner & reviewed by a independent person.
Change Log

EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

EUCA Course in GM University (GMU)


A training course on EUCA (GMU course number 33541) has been created in order to enhance the control environment over Microsoft Excel Spreadsheets and Microsoft Access Databases. This course is required to be taken by all GM Finance Staff employees. It is also encouraged for non-finance employees. Mentioned below are several other related courses available through the GM University website offering more information on MS Excel and MS Access: - Microsoft Excel 2003 Fundamentals (Course Number 28422) - Microsoft Excel 2003 Proficient User (Course Number 28423) - Microsoft Excel 2003 Expert Part 1 (Course Number 28420) - Microsoft Excel 2003 Expert Part 2 (Course Number 28421) - Microsoft Excel 2003 Fundamentals (Course Number 28418) - Microsoft Excel 2003 Proficient User (Course Number 28423)
EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

EUCA Timelines
Timelines for EUCA Risk Ranking & Related activities
S No Activity Completion of EUCA inventory or Assessment of High Risk & Other Risk EUCA files. Ranking to be reviewed by reporting authority and CFO.
Risk Ranking Te plate

Responsibility

Frequency

Time Line

Functional Manager

Once in a year

Q1

Confirmation of controls implemented (signature on the check sheet)

3 4

Update Inventory & risk ranking submit changes using EUCA Inventory form" Review of EUCA controls by IC

 Functional EUCA coordinator is responsible for the timely completion of above.

Once for every Within one month from Functional Manager spreadsheet unless end of Quarter in which revised inventory is updated Within one month after the lapse of 6 month period Annual with SOX/PRM

Functional Manager Local IC Team

Every Six months Once a year

EUCA - Training

EUCA Training - Contents


Introduction Why End User Computing Application (EUCA) Controls ? Severe corporate cases on inadequate or failed EUCA controls SOX Act & EUCA General Motor (GM) Policy on EUCA Controls CCL 3232 EUCA Controls EUCA Course in GM University EUCA Timelines Miscellaneous

EUCA - Training

Miscellaneous
For the purpose of helping in implementation & strengthening of existing EUCA controls, attached are two excel sheets containing the numerous formulaes and their functionality

More on the type & functionality of MS Excel formuleas can be searched on Google

EUCA - Training

MS E cel For ulaes


Learn Func ions in MS E cel

EUCA Training

Thank You