Page 22 - CITP Review
reporting processes, and thus controls over that spreadsheet are just as important as, possibly more important than,
the controls in the AIS applications.
Generally, this situation involves a transfer of data from one or more internal AIS data files to a
spreadsheet where some kind of manipulation is performed for financial reporting purposes, for example,
generating a trial balance, performing a consolidation, posting year-end journal entries, or calculating
depreciation. Controls would involve access and accuracy.
For access, the softcopy of the electronic spreadsheet needs to be protected from unauthorized access,
that is, limited to a minimum number of people able to access the file. This restricted access could be
accomplished by putting the electronic document in a separate folder that is accessed by a separate
login credential. In addition, the spreadsheet itself needs to be protected — formulas in the cells and so
on — by locking and password protecting cells and the spreadsheet. This feature would protect the
spreadsheet from errors due to accidental changes in the formulas or data.
Accuracy would involve testing the formulas formally and independently of the person building the
spreadsheet, and some formal control to reconcile the final results with the appropriate external
information or data. Documenting the independent testing (QA function) would be valuable to the CITP.
Operating system level
The operating system (O/S) provides access to the files it houses. Because that access is to raw data,
databases, data files, and application files, O/S access has a particularly high inherent risk.
The administration function should also set up a sufficient level of logging to provide information in case of
an intrusion, fraud, or other situations where management or the auditor needs to understand who got
in, where they got in, and what functions were accessible. Because logs are critical to investigating fraud
and intrusions, testing the adequacy of logs is an important issue for management, and all servers should
use tracking logs, especially virtual private network (VPN) servers and other sensitive access servers.
Limited access
As is always the case with logical access, the goal is to limit the rights of users to the minimum,
providing only access required to do their jobs. Sound logical access at the O/S level focuses on limiting
access, especially admin access rights, to users. One key issue is keeping the number of personnel who
have admin rights to a minimum; the right number depends on the size of the entity, but it is probably at least two
and no more than a handful. Another key issue is to remember that when something goes wrong, it is
helpful to review access rights at the O/S level, in case someone is abusing access.
There are tools available to the CITP to read the access rights in the O/S. Sometimes the O/S itself has
an admin tool that will allow a user to view the access rights table/information. Tools like DumpSec can
print out the access rights information in a digestible, readable form.
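The following script is an added illustration of the O/S-level review described above (the admin-rights count, the access rights listing, and the logging and password policy options); it is not part of the CITP text and is not DumpSec. It assumes a Windows host with the built-in LocalAccounts module (Windows 10 / Server 2016 or later), an elevated session, and a reviewer-chosen threshold $MaxAdmins for "a handful".

```powershell
# Added review script (not from the CITP text): list who holds local admin
# rights, compare the count with the "at least two, no more than a handful"
# guidance, and show the logging and password policy settings the reviewer
# needs to assess. $MaxAdmins is an assumed threshold, adjust per entity size.
$MaxAdmins = 5

# Access rights table for the most sensitive local group.
$members = Get-LocalGroupMember -Group 'Administrators'
$count   = ($members | Measure-Object).Count

$members |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

if ($count -lt 2) {
    Write-Warning "Only $count account(s) hold admin rights; a single admin is a continuity and segregation-of-duties concern."
}
elseif ($count -gt $MaxAdmins) {
    Write-Warning "$count principals hold admin rights, above the assumed maximum of $MaxAdmins; review each for business need."
}
else {
    Write-Output "Admin membership count ($count) is within the assumed range (2..$MaxAdmins)."
}

# A nested group expands to every account in that group, so the effective
# number of admins can exceed the count above; flag such entries for follow-up.
$members | Where-Object { $_.ObjectClass -eq 'Group' } | ForEach-Object {
    Write-Warning "Nested group '$($_.Name)' is in Administrators; enumerate its members separately."
}

# Enabled local accounts that have never logged on are candidates for removal
# under the least-privilege principle discussed above.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.LastLogon } |
    Select-Object Name, Enabled, PasswordLastSet |
    Format-Table -AutoSize

# Logging adequacy: which audit categories are actually being recorded.
auditpol /get /category:*

# Password policy options (minimum length, maximum age, lockout threshold).
net accounts
```

Run the output into the review workpapers alongside the justification obtained for each admin account, so the independent review of access rights is documented in the same way as the spreadsheet testing described earlier.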
Password policy should also be reviewed for adequacy of the various policy options, when relevant to the
audit or review. Usually, the O/S allows admin rights to access the password policy options and set up
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-14