Rabo AgriFinance, Inc. End User Computing Tools Policy
Purpose

To comply with Rabobank guidelines, it is important that appropriate policies are established regarding controls on the use, storage and modification of spreadsheets and databases used in preparation and reconciliation of critical tasks such as the financial reporting process. Generally, these policies are intended to ensure that all spreadsheets/databases critical to the financial reporting process or that generate key reports relied upon by Management are managed and controlled based on the associated risk to Rabobank. The purpose of this policy is to outline the roles and responsibilities of the IS Department as well as the users and developers of spreadsheets and other desktop tools used by Rabobank to establish controls over operational, analytical and financial reporting as they relate to spreadsheets and other desktop tools. In addition, this policy describes procedures for assessing the risk level of spreadsheets and other desktop tools and describes the minimum control standards required for all operational, analytical and financial desktop tools. All End User Computing (EUC) applications are developed by end-users, usually through the use of desktop tools. Such desktop tools may include Excel, Word, Hot Docs, Cognos/Impromptu, and SharePoint. These tools are typically developed without the involvement of Rabobank’s IS Department or any of its application vendors.
Timing and Scope

The new policy will become effective on July 1, 2008, and all EUCs used, created, or modified after June 30, 2008 should be reviewed.
Steps for Evaluating and Establishing Controls

Implementing a process to ensure appropriate controls is a critical element of compliance. There are five high-level steps to implementing such a process for each application and usage within each application:

1. Initial assessment of EUCs and establishment of criticality ratings
2. Develop an inventory of the Medium or High criticality rated EUCs
3. Determine the necessary level of controls
4. Evaluate existing “as is” controls
5. Develop action plans for remediating control deficiencies

1. Conduct an initial assessment of all your EUCs and establish criticality ratings

In order to assess how Rabo AgriFinance is using EUCs, we need to categorize each EUC based on the use of the information and/or the complexity of the spreadsheet. Each EUC will need to be ranked as Low, Medium or High based on the following guidelines:

LOW:
- Serves as an electronic logging and information tracking system
- May perform simple calculations such as using formulas to total certain fields or calculate new values by multiplying two cells
- Low risk of potential input, logic, and interface errors
- Low financial impact to the company
- Low risk to the company’s reputation

__________________________________________________________________________
10/10/2012 Version: 1.0 Page 1 of 5
MEDIUM:
- Underlying data is extensively manipulated into new information
- Functionality within the tool is not in the knowledge level of the resources who will be utilizing it
- High risk of potential input, logic, and interface errors
- Impacts decision making
- Moderate financial impact to the company
- Moderate risk to the company’s reputation

HIGH:
- Contains complex calculations, valuations and modeling tools (might be considered an “application” in its own right)
- High risk of potential input, logic, and interface errors
- Significant financial impact to the company
- Significant risk to the company’s reputation
- Information generated may be used for critical management decision-making
2. Develop an inventory of the Medium or High criticality rated EUCs

The inventory should include:
- Name of the EUC
- Directory path
- Purpose of Spreadsheet or Database
- Data Sources - brief description of the inputs, processing, output and destination of output (distribution)
- Financial statement accounts or footnotes affected
- Developer of the spreadsheet
- User(s) of the spreadsheet
- Frequency of updates (daily, weekly, monthly)
- Logic last updated
- Access Control
- Change Control - Re-computing
- Change Control - Documented Testing
3. Determine the Necessary Level of Controls

Review the table below and determine which of the following controls should be considered to help mitigate the risks inherent to the EUC. Descriptions of each control have been provided below.
[Table: controls mapped against EUC criticality rating. Row labels that survived extraction: Segregation of duties/roles, Back-up and Recovery, Data Security and Integrity. The "X" markings indicating which controls apply to which rating did not survive extraction.]
a) Change Control: The owner will obtain approval from direct manager/superior prior to requesting or making a change to a formula or computation. All changes should be tested prior to using the spreadsheet. For high-complexity desktop tools, the owner will obtain formal sign-off from an independent individual that the change is functioning as intended. Evidence of approval and testing must be retained for audit trail purposes.

b) Version Control: All EUCs will follow the department or group’s naming convention. The naming convention can be defined in the name of the file/desktop tool, or in the naming of directories/folders and sub-directories/folders.

c) Access Control: Rabo AgriFinance’s server contains a directory system which restricts access to only certain personnel. To the extent that additional protection of files is necessary (e.g., via password protection for files containing confidential information), the owners use their judgment as to which files require such additional protection.

d) Input/Output Control: Reconciliations and/or check figures for inputs and/or outputs, if applicable, in comparison with another source of valid data are required and must be noted (either as a note within the electronic document or referenced on the hard copy print-out). This should be presented on the document as a tie-out table, or referenced with a key indicating the source of the reconciliation.

e) Data Security and Integrity: All operational, analytical and financially significant EUCs (spreadsheets, queries, and report tools) need to be secured to prevent unauthorized access. These desktop tools should be located in a secured directory within the network accessible by the department or individual. The structure of the directory as well as the security applied to each will be determined by the department and communicated to IT for a non-standard security implementation.

Security: The owner must password protect cells and macros for critical and complicated formulas, along with macros that do not change from month to month.

Integrity: Results need to be reconciled and reviewed against published numbers.
f) Documentation: All operational, analytical and financially significant desktop tools must have sufficient documentation to facilitate their ongoing update, support, and maintainability. This documentation should be retained on file by the department of the EUC owner. The level of documentation should be determined by the use and value of the tool to the business. To achieve this, department heads are responsible for maintaining an inventory of EUCs. As a starting point, the inventory will be assembled from the department documentation. Not less than annually, each department should review its inventory of EUC tools. Each department will need to identify who in its respective area will be responsible. The internal audit department may also conduct EUC reviews on a periodic basis.
g) Back-ups: All operational, analytical and financial EUCs identified in the Inventory EUCs section must reside on Rabobank’s server rather than on an individual’s local hard drive. This will ensure the EUCs are included in Rabobank’s server backup procedures.

h) Archiving: Should any of the information require archiving, the department/division will notify IS as to which files need to be archived. Once the files are identified they will be segregated in an archive folder and locked down as "read only."

i) Logic Inspection: Inspecting the logic in critical spreadsheets should be done by someone other than the user or developer of the spreadsheet. This review should be formally documented.

j) Segregation of Duties/Roles and Procedures: Roles, authorities, responsibilities and procedures should be defined and implemented for the EUC tool.
k) Overall Analytics: Analytics should be used as a detective control to find errors in spreadsheets used for calculations. However, analytics alone are not a sufficient control to completely address the inherent risk of financial amounts generated using spreadsheets.

4. Evaluate Existing “As Is” Controls

Evaluation of existing controls is typically done by comparing the existing spreadsheet controls against a checklist of “necessary” controls, such as those listed above, based upon the use and complexity of the spreadsheet. Management must ensure that the controls operate effectively. Any gaps between existing and “necessary” controls should be identified as remediation items, as well as any gaps in operating effectiveness.
5. Develop Action Plans for Remediating Control Deficiencies

An action plan should be developed for each control gap identified. These action plans should increase the controls over the EUC to the necessary controls based upon the use and complexity of the spreadsheet. Key elements of an action plan include:
- Assigning responsibility for actions in the plan
- Establishing required remediation dates
- Prioritizing remediation efforts
Recommended Controls

The table below outlines the roles within the organization responsible for implementing and following the required controls listed above. It identifies the group(s) within the organization responsible for ensuring each control is in place and effective, and which controls apply to which type of EUC.

Control
a. Change Control
b. Version Control
c. Access Control
d. Input/Logic Inspection Control
e. Data Security and Integrity
f. Process Documentation
g. Back-Up and Recovery
h. Archiving
i. Logic Inspection
j. Segregation of Duties/Roles
k. Overall Analytics
[Table: responsibility matrix for controls a through k. The columns are organizational roles, of which only "EUC Owner Responsibility" survived extraction; the "x" markings assigning controls to roles and EUC types did not survive.]
Critical implementation documents:
- End User Computing Tool Review Worksheet (record information for each EUC tool)
- End User Computing Tools Master Worksheet (record information for all EUC tools)