201506 Auditing End User Spreadsheets PS04 (Reviewed) v1

Question:

How would I go about auditing a user developed spreadsheet?

Answer:

To audit a user-developed spreadsheet you first need to understand the nature of the risks, the likelihood of them occurring and their impact. These will be different for every spreadsheet, so you have to discuss with the owner of the spreadsheet why the spreadsheet is being kept in the first place, how it works and what happens to the results. There are generic issues that can be used as a starting point for this discussion, including:

The need for availability – do other people need access to the spreadsheet to do their job and how is this managed?

The need for confidentiality – is this required and how is this maintained?

The need for integrity – do fields, calculations and macros need to be protected and how is this done?

The most challenging of these issues is likely to be integrity, as spreadsheets are often created outside the normal system development process with a lack of documentation and support. This may not be the case in your organization, so it is important to determine whether or not there is a policy and a set of supporting procedures regarding the use of spreadsheets. If so, you can check that these have been applied.

The need for confidentiality will be influenced by the sensitivity and importance of the data contained within the spreadsheet. If it contains personal data or if it is business critical, then the question needs to be asked whether a spreadsheet is the best solution in the first place and to what extent Information Services have been involved in this decision. At the very least, the risk of unauthorized access, which opens up the possibility of modifications, needs to be considered, with appropriate controls introduced where necessary.

Furthermore, if the spreadsheet is held on a computer’s hard drive rather than on the organisation’s network, it will not be part of the backup process and data could be lost. This may be done to restrict availability and secure confidentiality, but it is worth asking how continuity is maintained.

Depending on what the spreadsheet does and its importance, a formal risk identification and assessment may be needed using the recognized risk management methodology; requirements may or may not be specified in the policy and procedures around this subject. Either way, it is relevant to discuss this with the owner of the spreadsheet and with Information Services. The way risk management is applied in the organization will determine whether the risks need to be documented or not for this particular spreadsheet, but as an internal auditor you at least need to ensure that they are fully assessed.

Once the risks are fully explored (whether discussed, documented or both) and the severity of the threats is understood, the audit can move on to the adequacy of risk mitigation and to testing whether the controls are working. Here are some examples of possible controls around availability, confidentiality and integrity that may be applicable:

Control area – Examples of controls

System security and access – Password protection on the MS Excel file.

Audit trails – The last modified date of the MS Excel file.

Inputs, edits and interfaces – While the MS Excel file can be opened by anyone, only selected cells are unlocked to allow changes. The rest of the cells are locked.

Data processing and data integrity; change management – If MS Excel macros are used, only authorised personnel can access or change the macro code. All changes to the macro code must be supported with documentation. Key formulas in the MS Excel file are locked down; only authorised personnel can access or change them.

Retention; backup and recovery – Backups are performed regularly for the MS Excel file. The backups are stored on a portable hard disk or in a shared drive folder.

Appendix

The internal auditor can use the following basic technical approach to check whether the calculations and macros have been protected by the business user.

Calculations

1) Once the internal auditor selects the “Protect Sheet” button, a pop-up screen will appear.

2) The internal auditor can ascertain whether the worksheet is currently protected from unauthorized changes. In the above scenario, the worksheet has not been protected.

3) If the worksheet is already protected, the internal auditor can see the following settings:

4) The internal auditor can then test the contents of the spreadsheet to ascertain that the business user has put the protection control on the calculation formulas in place.

Macros

An Excel macro is put in place by the business user to perform automated summation on the key amounts.

1) As shown in the above diagram, a ‘Summation’ macro has been created by the business user to add up the figures under the ‘Value’ column.

2) Once the ‘Run’ button has been executed, the summation amount of 143 will appear.

3) The internal auditor can click the ‘Visual Basic’ button to assess whether protection controls have been placed on the macro’s Visual Basic code to prevent unauthorized access to or modification of the code.

4) Under the Microsoft Visual Basic explorer, select ‘Tools’ -> ‘VBAProject Properties’.

5) The above diagram shows that the Visual Basic code has been locked down against unauthorized access or modification. Only business users who have the relevant password can access or modify the code.
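The same evidence the appendix gathers through the Excel user interface (whether Protect Sheet is on, which formula cells are still editable, whether a VBA project exists, and the last-modified date used as an audit trail) can be read directly from the workbook file, because an .xlsx/.xlsm package is a zip of XML parts. The script below is an added example written for this page; it is not part of the original guidance and uses only the Python standard library. It builds a small constructed workbook package in memory (three cells, one SUM formula, a constructed modified timestamp) and then audits it. The part names it relies on (xl/styles.xml, xl/worksheets/sheetN.xml, docProps/core.xml, xl/vbaProject.bin) are the standard Office Open XML locations; the report function and its wording are this example's own design. It does not inspect the VBA project password lock itself, which remains a manual check via ‘Tools’ -> ‘VBAProject Properties’ as described above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_DCTERMS = "{http://purl.org/dc/terms/}"


def build_sample_workbook(sheet_protected: bool, unlock_formula_cell: bool,
                          with_vba: bool) -> bytes:
    """Construct a minimal .xlsx-style package in memory (constructed sample, not a real file).

    Cell style 0 is Excel's default (Locked); style 1 has the Locked flag cleared.
    A1 and B1 are input cells that are deliberately unlocked; C1 is the key formula.
    """
    styles = (
        f'<styleSheet xmlns="{NS_MAIN[1:-1]}"><cellXfs count="2">'
        '<xf numFmtId="0" fontId="0" fillId="0" borderId="0"/>'
        '<xf numFmtId="0" fontId="0" fillId="0" borderId="0" applyProtection="1">'
        '<protection locked="0"/></xf></cellXfs></styleSheet>'
    )
    formula_style = 1 if unlock_formula_cell else 0
    protection = '<sheetProtection sheet="1"/>' if sheet_protected else ''
    sheet = (
        f'<worksheet xmlns="{NS_MAIN[1:-1]}"><sheetData><row r="1">'
        '<c r="A1" s="1"><v>100</v></c><c r="B1" s="1"><v>43</v></c>'
        f'<c r="C1" s="{formula_style}"><f>SUM(A1:B1)</f><v>143</v></c>'
        f'</row></sheetData>{protection}</worksheet>'
    )
    core = (  # constructed timestamp for the example
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
        f'metadata/core-properties" xmlns:dcterms="{NS_DCTERMS[1:-1]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2015-06-01T09:30:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/styles.xml", styles)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("docProps/core.xml", core)
        if with_vba:  # the presence of this part is what marks a macro-enabled workbook
            z.writestr("xl/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


def audit_workbook(data: bytes) -> dict:
    """Read the protection evidence straight from the package parts."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Which cell styles have the Locked flag cleared?
        unlocked_styles = set()
        cell_xfs = ET.fromstring(z.read("xl/styles.xml")).find(f"{NS_MAIN}cellXfs")
        for idx, xf in enumerate(cell_xfs.findall(f"{NS_MAIN}xf")):
            prot = xf.find(f"{NS_MAIN}protection")
            if prot is not None and prot.get("locked") == "0":
                unlocked_styles.add(idx)
        # 2. Per sheet: is Protect Sheet on, and which formulas are still editable?
        sheets = {}
        for part in sorted(n for n in names if n.startswith("xl/worksheets/sheet")):
            root = ET.fromstring(z.read(part))
            protected = root.find(f"{NS_MAIN}sheetProtection") is not None
            formulas, exposed = [], []
            for c in root.iter(f"{NS_MAIN}c"):
                if c.find(f"{NS_MAIN}f") is None:
                    continue  # a plain value, not a calculation
                formulas.append(c.get("r"))
                # The Locked flag only takes effect once the sheet itself is protected.
                if not protected or int(c.get("s", "0")) in unlocked_styles:
                    exposed.append(c.get("r"))
            sheets[part] = {"protected": protected, "formula_cells": formulas,
                            "exposed_formulas": exposed}
        # 3. Audit-trail evidence: the package's own last-modified timestamp.
        modified = None
        if "docProps/core.xml" in names:
            el = ET.fromstring(z.read("docProps/core.xml")).find(f"{NS_DCTERMS}modified")
            modified = el.text if el is not None else None
    return {"has_vba_project": "xl/vbaProject.bin" in names,
            "last_modified": modified, "sheets": sheets}


def findings(report: dict) -> list:
    """Turn the raw report into the findings an auditor would write up."""
    out = []
    for part, s in report["sheets"].items():
        if not s["protected"]:
            out.append(f"{part}: worksheet is not protected")
        elif s["exposed_formulas"]:
            out.append(f"{part}: formulas left unlocked: {', '.join(s['exposed_formulas'])}")
    if report["has_vba_project"]:
        out.append("workbook contains a VBA project: confirm the project password lock manually")
    if report["last_modified"] is None:
        out.append("no last-modified timestamp available for the audit trail")
    return out


if __name__ == "__main__":
    for label, wb in [("compliant", build_sample_workbook(True, False, False)),
                      ("weak", build_sample_workbook(True, True, True)),
                      ("unprotected", build_sample_workbook(False, False, False))]:
        print(label, findings(audit_workbook(wb)) or ["no findings"])
```

Two points worth keeping in mind when running this against a real file: the Locked flag on a cell is inert until Protect Sheet is switched on, which is why the script reports every formula as exposed on an unprotected sheet regardless of cell styles; and a workbook protected with a password to open is stored as an encrypted container rather than a plain zip, so `zipfile.is_zipfile()` returning False is itself evidence that the file-level password control from the table above is in place.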