Recently the Institute of Internal Auditors (IIA) issued recommendations on evaluating the security of "user-developed applications," or UDAs. To you and me this means spreadsheets and Microsoft Access databases developed by end users instead of IT personnel. The IIA points out that UDAs can be dangerous to the bottom line of any organization if not managed properly because of the high level of data-integrity risk they pose due to inadequate control capabilities. So what impact does all this have specifically on the banking industry, especially as they face new demands from regulators? A lot.
Despite the high operational risk associated with spreadsheets and other UDAs, they are and will remain for quite some time the front-line tool for managing data within the banking industry, to the tune of many millions of users. Banks use spreadsheets for many critical processes throughout the front, middle and back offices. Beyond pricing, trading, reconciling and reporting, they also use UDAs to gather critical data for regulators. And because regulators turn to leading trade associations such as the IIA to identify best practices, banks must be sure that their policies match the IIA's recently promoted guidelines.
Most banks assume their data and applications are secure and correct because of the comprehensive security features set up by IT staffs. However, most UDAs are left outside the protective embrace of the banks' control processes, leaving banks vulnerable but filled with misguided confidence that they are protected.
The most common threats to data integrity start with human error. A misplaced decimal point or a misaligned copy-and-paste can accidentally replace a formula with a hard-coded number. A second threat is known as confidentiality risk: inadequate or disabled access controls can allow UDAs to be viewed by unauthorized people.
Banks must also acknowledge what the IIA calls "availability risk." Many UDAs exist outside formal technology infrastructure processes and can easily be overlooked when a bank is backing up data. And if a bank is unaware of a UDA that feeds information to a financial-reporting system, financial-statement errors could go undetected or the information could be lost altogether.
The next important step banks can take to protect the integrity of their data is to identify their key UDAs. These are typically those that are part of the financial or management reporting processes or those used to comply with regulations. Many banks incorrectly assume having a list of critical UDAs is all that needs to be done. This is false because the UDA list is only an organizational tool for simplifying the management of risk rather than a complete solution to the problem.
Banks should track what goes on within UDAs and continually monitor usage. Relying on audits or periodic checks is not enough. To fully ensure their data integrity, banks must know who uses their applications and how they use them on an ongoing basis. Banks can then more fully estimate the financial, operational and regulatory risks that UDAs pose and make any changes to their risk management processes before an error is made.
The most effective way to monitor the use of UDAs on an ongoing basis is through automated data management technology. These technologies are beneficial because they closely monitor spreadsheets and identify irregularities down to the cell level, flagging anything that needs evaluation and correction. These systems automatically detect and raise alerts on non-compliance, human error and fraud in spreadsheets of any size, complexity, intensity and location.
Most importantly, they have the ability to pinpoint problems within the vast volume of spreadsheet activity so that senior bank executives or auditors do not have to search records manually. Also, having automated processes as part of an overall risk management program delivers transparency, accountability and proper ethics that greatly enhance the credibility of the bank.
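To make the cell-level monitoring described above concrete, here is an added example (not code from the article or from any vendor's product) showing the core check such a system performs: it compares two snapshots of a spreadsheet and classifies every changed cell, giving highest priority to the failure mode mentioned earlier, a formula silently overwritten by a hard-coded number. The worksheet contents and the "before" and "after" snapshots are constructed for this example; a real deployment would load them from the workbook files and record who saved each version.

```python
"""Cell-level change monitor for user-developed spreadsheets (illustrative)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# A snapshot is a mapping of cell address -> content. Formulas are kept as
# the text the user typed (starting with "="); everything else is a literal.
CellValue = Union[str, int, float]
Snapshot = Dict[str, CellValue]


@dataclass
class Finding:
    cell: str
    kind: str            # see compare_snapshots for the possible kinds
    before: Optional[CellValue]
    after: Optional[CellValue]


def is_formula(value: Optional[CellValue]) -> bool:
    return isinstance(value, str) and value.startswith("=")


def cell_sort_key(address: str):
    """Sort 'B2' before 'AA1' style addresses column-first, then by row number."""
    match = re.fullmatch(r"([A-Z]+)(\d+)", address)
    if not match:
        raise ValueError(f"bad cell address: {address}")
    col, row = match.groups()
    return (len(col), col, int(row))


def compare_snapshots(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Classify every cell that differs between two snapshots.

    Kinds: formula_overwritten (formula replaced by a literal, the classic
    copy-paste error), formula_changed, formula_introduced, value_changed,
    cell_added, cell_removed.
    """
    findings: List[Finding] = []
    for cell in sorted(set(before) | set(after), key=cell_sort_key):
        old, new = before.get(cell), after.get(cell)
        if old == new:
            continue
        if old is None:
            kind = "cell_added"
        elif new is None:
            kind = "cell_removed"
        elif is_formula(old) and not is_formula(new):
            kind = "formula_overwritten"
        elif is_formula(old) and is_formula(new):
            kind = "formula_changed"
        elif is_formula(new):
            kind = "formula_introduced"
        else:
            kind = "value_changed"
        findings.append(Finding(cell, kind, old, new))
    return findings


HIGH_PRIORITY = {"formula_overwritten", "formula_changed", "cell_removed"}


def high_priority(findings: List[Finding]) -> List[Finding]:
    """Changes that alter how a number is computed, not merely which number."""
    return [f for f in findings if f.kind in HIGH_PRIORITY]


# Constructed sample: a small reserve calculation. Note that C3's hard-coded
# 12500 equals what the formula would have produced, so a check that only
# recalculates values would never notice the formula is gone.
BEFORE: Snapshot = {
    "A1": "Exposure", "B1": "Rate", "C1": "Reserve",
    "A2": 1_000_000, "B2": 0.02, "C2": "=A2*B2",
    "A3": 250_000, "B3": 0.05, "C3": "=A3*B3",
    "C4": "=SUM(C2:C3)",
}
AFTER: Snapshot = {
    "A1": "Exposure", "B1": "Rate", "C1": "Reserve",
    "A2": 1_000_000, "B2": 0.025, "C2": "=A2*B2",    # rate input edited
    "A3": 250_000, "B3": 0.05, "C3": 12500,           # formula pasted over
    "C4": "=SUM(C2:C2)",                              # range silently shrunk
}

if __name__ == "__main__":
    for f in compare_snapshots(BEFORE, AFTER):
        flag = "ALERT" if f.kind in HIGH_PRIORITY else "info "
        print(f"{flag} {f.cell:<4} {f.kind:<20} {f.before!r} -> {f.after!r}")
```

Run as a script it prints one line per changed cell, with the two formula changes flagged as alerts and the edited rate input reported as informational. The distinction is the point: a changed input is normal use of the spreadsheet, whereas a formula replaced by a constant is exactly the error the article describes, and it leaves the visible numbers looking correct until the inputs next change.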
Ralph Baxter is CEO of ClusterSeven