The Institute of Internal Auditors has released new guidance to help internal auditors assess the risks related to spreadsheets, databases and information systems in their organizations.
The IIA is publishing two new issues of an ongoing series of Global Technology Audit Guides to help educate auditors about these risks. The group noted that almost every organization uses some form of user-developed applications, or UDAs, such as spreadsheets and databases, as they can be easily developed, cost effective to produce, and changed with relative ease.
However, risks such as data integrity, availability, and confidentiality can pose threats to an organization and internal auditors may consider auditing UDAs. GTAG 14, Auditing User-developed Applications, explores, among other topics, how best to risk rate and scope a UDA audit. The 32-page GTAG also proffers a sample audit program, best practices for implementing controls over UDAs, and advice on how internal auditors can work in a consulting role to help management develop an effective UDA control framework
In most organizations, selected staff members are permitted as a matter of business necessity to extract, manipulate, analyze, and report on enterprise data using spreadsheets, databases, or other user-developed applications, said IIA director of standards and guidance Lisa Hirtzinger in a statement. This practice gives rise to risks concerning data integrity, availability, and confidentiality.
Standard 2110.A2 of the IIA
IT failures, especially information security breaches, can place the organization at risk for reputation damage, diminished competitiveness, noncompliance with laws and regulations, and other adverse consequences, added Hirtzinger. These impacts should not be underestimated.
GTAGs, which are written in straightforward business language to address timely issues in IT management, control, and security, are strongly recommended, but not mandatory, guidance under the IIAs
