2011 eucas training new
End User Computing Application (EUCA) Training
End User Computing Application (EUCA) Training - Contents
• Introduction
• Why End User Computing Application (EUCA) Controls?
• Severe corporate cases on inadequate or failed EUCA controls
• SOX Act & EUCA
• General Motors (GM) Policy on EUCA Controls
• CCL 3232 – EUCA Controls
• EUCA Course in GM University
• EUCA Timelines
• Miscellaneous
EUCA - Training
End User Computing Application (EUCA) - Introduction
Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies.
Spreadsheets once used to support simple functions such as logging, tracking and totaling information are now used to support such business functions as complex valuation models. The use of macros and multiple spreadsheets which are linked together allows users to build very complicated—and sometimes convoluted—models and other business functions with minimal or no documentation.
Spreadsheets are also the lowest cost business IT tool when stacked up against other functional tools. As a result, spreadsheets are used to support critical business processes in most organizations.
Why End-User Computing Application (EUCA) Controls ?
Spreadsheets typically have a wide range of complexity and usage. Virtually all companies use spreadsheets in some part of the creation of their published accounts. In fact, research indicates that over half of financial management reporting is performed with spreadsheets by accounting and finance professionals. As some companies have discovered, errors in relatively simple spreadsheets can result in potential material misstatements in their financial results.
• The Journal of Property Management on July 1, 2002 stated, “30% to 90% of all spreadsheets suffer from at least one major user error. The range in error rates depends on the complexity of the spreadsheet being tested. In addition, none of the tests included spreadsheets with more than 200 line items where the probability of error approaches 100%.”
• Stephen Powell from the Tuck Business School at Dartmouth College in New Hampshire found that 15 workbooks contained a total of 117 errors. Seven of the errors uncovered were estimated to have cost impacts ranging from $4 million to $110 million.
• A few years ago Professor Ray Panko, at the University of Hawaii, pulled together the available evidence from field audits of spreadsheets. These are the results he shows:
Study | Number of Spreadsheets | Spreadsheets with errors | Percentage with errors
PwC | 23 | 21 | 91%
KPMG | 22 | 20 | 91%
Lukasic | 2 | 2 | 100%
Butler (HMCE) | 7 | 6 | 86%
Total | 54 | 49 | 91%
Severe corporate cases on inadequate or failed EUCA controls
Mentioned below are some severe cases of inadequate or failed EUCA controls –
“ A single wrong figure on a spreadsheet forced Credit Suisse to markdown its profits by £86m. The error came in the German subsidiary of the bank’s Winterthur arm, marking an embarrassing first year in charge for the insurer’s Lenny Fischer. It means … fourth-quarter income was lowered 16.7% to £430 million…”
Source - London Evening Standard 26th March 2004
Fidelity's Magellan Fund reportedly reversed a net capital gain of $1.3 billion when it discovered that its accountant had omitted a minus sign while transferring financial data from one spreadsheet to another. As a result, the fund faced the embarrassment of abandoning its public plan to distribute dividends, since the spreadsheet error had caused the dividend estimate to be off by $2.6 million.
Source: "Computing error at Fidelity's Magellan Fund", The Risks Digest, Volume 16, Issue 72
Canada's biggest publicly traded power generator, the TransAlta Corporation, said a clerical error in contract bidding cost it $24 million this quarter, setting off a sharp decline in its stock price. The company submitted an erroneous bid, the company spokesman said. The mistake will reduce earnings by the equivalent of 11 Canadian cents a share. TransAlta's shares fell 77 Canadian cents, to 17.98 Canadian dollars ($13.16) a share, on the Toronto Stock Exchange.
Source: "World Business Briefing | Americas: Canada: Power Contract Error", The NY Times (June 5, 2003)
- Risk: Loss of Market Share, Loss of company market capitalization
- Avoidance: Spreadsheet reconciliation with working papers, Spreadsheet Review
"Some aspiring police officers who took a government exam said they were told they passed a big test, but found out later that they had actually failed. A national company called AON administered the test and told the board someone incorrectly sorted the results on a spreadsheet, so the names and scores were mismatched", NBC 13's Kathy Times reported.
- Risk: Public Embarrassment, Loss of Investor Confidence
- Avoidance: Spreadsheet Data cross-check
Shares of RedEnvelope Inc. tumbled more than 25 percent Tuesday after the online retailer drastically reduced its fourth-quarter outlook and said its CFO will resign in April. Analyst Rebecca Jones Kujawa said in an interview, "...they were underestimating the cost of goods sold....it is likely CFO is being pushed out because of this error, which could demonstrate a material weakness in controls over financial reporting, an issue that usually leads to a lengthy review of accounting practices." A RedEnvelope spokeswoman said the budgeting error was simply due to a number mis-recorded in one cell of a spreadsheet that then threw off the cost forecast and was unrelated to the CFO change.
- Risk: Loss of share value, Investor Confidence, Career Damage
- Avoidance: Data Quality Control
Applicability of Sarbanes-Oxley Act 2002 on EUCA
• In the past decade, accounting scandals and financial reporting errors have led to heightened awareness of the need for IT controls and legislation of control regimes. In the United States, the Sarbanes–Oxley Act of 2002 (SOX) was one of the early initiatives to legislate internal controls over financial reporting.
• Section 404 of the SOX Act, on ‘Internal Controls Over Financial Reporting’, requires all publicly traded companies to address the problem of spreadsheet management and to assume some accountability for generating accurate information from spreadsheets for financial reporting.
GM Policy on EUCA Controls
Controller’s Circular Letter 3232, revised on 10th September 2009, deals with GM policy relating to EUCA controls.
As per Controller’s Circular Letter (CCL) 3232, the term ‘End User Computing Application’ is defined ‘to encompass Excel Spreadsheets, Access databases, SQL Databases, Visual Basic (VB), Java, Lotus Notes databases and any other computer-based application that is NOT supported by IS&S.’
The CCL-3232 on EUCA Controls covers the following –
1. Identification of Key EUCA / Assessing Risk
2. Common Errors
3. Expected Controls
4. Documentation Requirement
CCL 3232 – EUCA Controls
1. Identification of Key EUCA / Assessing Risk -
Management is ultimately responsible for a Key EUCA. Therefore, the controls within a Key EUCA must be reviewed by management prior to its use in a journal entry, disclosure, or performance of a SOX control.
Management is also responsible for verifying the completeness and accuracy of Key EUCAs as they are used during the ordinary course of business. It is essential that data from Key EUCAs used in financial reporting be accurate, complete, and timely.
A methodology has been developed to determine the complexity of spreadsheets, classifying them as High Risk or Other Risk. The decision tree on the following slide explains the methodology for identifying the Key EUCA files -
EUCA Decision Tree

Step # 1 - Determine if EUCA is Key EUCA -
• Results in creation of a Journal Entry (JE)
• Used in performance of key SOX control
• Supports disclosure information
If ‘Yes’ to any of the above: proceed to Step # 2
If ‘No’: optionally follow ‘Action Items’ below

Step # 2 - Determine if EUCA identified is High Risk EUCA -
• Impact of $10 Mn (Rs.45 Cr) per month or $25 Mn per year
• Supports External Reporting (e.g. Disclosures)
• 20 or more different variables require updating
• Usage of over 100 Formulae or Macros
• Multiple people involved in updating the file
• Management decision that it is High Risk
If ‘Yes’ to any of the above: perform the ‘Action Items’ below
If ‘No’: optionally follow ‘Action Items’ below

Action Items -
• Implement Controls
• Add EUCA to NST inventory
• Maintain evidence of control performance
• Create required documentation
2. Common Errors
There are many common errors associated with EUCAs as described below :-
• Failure to check the accuracy of the calculations made by the formulas.
• Failure to check the accuracy of the user's input back to the source information.
• Creating formulas based upon certain assumptions that may be in error or later change, causing calculation errors.
• Having too many different areas/worksheet tabs within a Microsoft Excel Spreadsheet or too many tables within a Microsoft Access Database for the user to fill in each month. This could result in data occasionally being missed or being significantly difficult to trace back to the source.
• Using more than one format for data entry (e.g., values, dates), causing errors when calculations or comparisons between data fields are performed.
• Failure to protect fields from unintended changes.
• Not verifying that "linked" cells and workbook pages are current and still bringing in the correct fields of information.
• Failure to perform EUCA independent verification sufficiently.
• Storing files where others may accidentally or intentionally delete or change them.
• Failure to maintain a second copy of the EUCA as back-up.
Implementing controls like the ones addressed in Section 3, ‘Expected Controls’, will assist in preventing the above-mentioned common errors.
3. Expected Controls
CCL 3232 identifies the following five categories of controls that users must incorporate into all Key EUCA spreadsheets -
4. Documentation Requirement –
It is essential that certain documentation be maintained so that the purpose and use of the EUCA is clearly ascertainable (this information should be within the EUCA, for example, on a separate tab in the Excel workbook). The following are required for Key EUCAs classified as high risk and recommended for all other EUCAs:

S. No. | Type of Documentation | High Risk | Other Risk
4.1 | Overview and Instructions | Required | Optional
4.2 | Accounting example and related footnotes | Required | Optional
4.3 | Documentation of Controls | Required | Optional
4.4 | Process Flow Chart | Required | Optional
4.5 | Change Log | Required | Optional

See following 4 slides for details on above
EUCA Documentation Requirements
4.1 Overview - Provides an overview of the file
• Purpose served by the File
• Nature of information/ data it contains
• Frequency to update the data
• Data that remains constant & data updated frequently
• Kind of JV / Management decision supported by file
Instruction –
• Brief description of contents
• If the file contains different variables, provide brief idea of the same
4.2 Accounting Example & Related Footnote
• Accounting entry passed – along with amount
• Entry passed by whom / when, etc.
• GL heads affected by entry
• Effect on Revenue/ Expense/ Balance sheet
• Underlying assumptions, if any
4.3 Documentation of Controls
Four types of controls are required to be incorporated & documented in every High Risk EUCA spreadsheet. Mentioned below are the four types of control -

Type of Controls | High Risk | Other Risk
Input controls | Required | Optional
Calculation controls | Required | Optional
Reporting controls | Required | Optional
General controls | Required | Optional

Attached is the Checklist as prescribed in CCL – 3232 for ‘Documentation of Controls’ which needs to be addressed.
4.4 Process Flowchart – Provide a pictorial view as to
• Source(s) of the input data
• Source(s) of data updates
• End use of data / EUCA file
4.5 Change Log –
• Any change made in the EUCA is required to be captured in the change log in the prescribed format as given below.
• All the changes made to an existing EUCA file must be approved by the concerned EUCA owner & reviewed by an independent person.
EUCA Course in GM University (GMU)
• A training course on EUCA (GMU course number 33541) has been created in order to enhance the control environment over Microsoft Excel Spreadsheets and Microsoft Access Databases. This course is required to be taken by all GM Finance Staff employees. It is also encouraged for non-finance employees.
• Mentioned below are several other related courses available through the GM University website offering more information on MS Excel and MS Access:
- Microsoft Excel 2003 Fundamentals (Course Number 28422)
- Microsoft Excel 2003 Proficient User (Course Number 28423)
- Microsoft Excel 2003 Expert Part 1 (Course Number 28420)
- Microsoft Excel 2003 Expert Part 2 (Course Number 28421)
- Microsoft Excel 2003 Fundamentals (Course Number 28418)
- Microsoft Excel 2003 Proficient User (Course Number 28423)
EUCA Timelines
Timelines for EUCA Risk Ranking & Related activities
S No | Activity | Responsibility | Frequency | Time Line
1 | Completion of EUCA inventory or Assessment of High Risk & Other Risk EUCA files. Ranking to be reviewed by reporting authority and CFO. | Functional Manager | Once in a year | Q1
2 | Confirmation of controls implemented (signature on the check sheet) | Functional Manager | Once for every spreadsheet unless revised | Within one month from end of Quarter in which inventory is updated
3 | Update Inventory & risk ranking – submit changes using “EUCA Inventory form” | Functional Manager | Every Six months | Within one month after the lapse of 6 month period
4 | Review of EUCA controls by IC | Local IC Team | Once a year | Annual with SOX/PRM
The functional EUCA coordinator is responsible for the timely completion of the above.
Miscellaneous
• To help in implementing & strengthening existing EUCA controls, attached are two Excel sheets containing numerous formulae and their functionality –
More on the types & functionality of MS Excel formulae can be found by searching on Google
EUCA Training
Thank You