Last month the Institute of Internal Auditors plugged a gap in its guidance for members by issuing recommendations for the auditing of “user-developed applications,” which generally are spreadsheets and databases developed by end users rather than by IT personnel.
User-developed applications, or UDAs, are subject to a high level of data-integrity risk because there may not be adequate controls over validating their output or making changes to them, the IIA points out. There is also confidentiality risk, because a UDA and its data typically are easy to transmit outside the company via e-mail. And there is a risk that some UDAs will not be available for audit, because they may be stored on end users’ hard drives or even portable flash drives and thus not captured in a periodic network backup by the IT department.
It is the availability risk that most concerns Mary Ann Tourney, internal audit manager for Talecris Biotherapeutics, a $1.5 billion provider of injectable medical treatments. Not knowing about a UDA that feeds information to a financial-reporting system, for instance, could allow financial-statement errors to go undetected or could make the assessment of internal controls required under the Sarbanes-Oxley Act incorrect.
“The predominant pitfall, to me, is identifying the population of impacted systems,” says Tourney. “It’s sort of a scavenger hunt. Most auditors are concerned about UDAs because both the ownership and the management of the information are so dispersed. Without established and enforced standards for the creation and management of UDAs, it is a difficult population of sources to capture, much less test.”
That concern points to the fine line internal auditors always walk: remaining independent from management while also acting as its adviser. It is management’s ultimate responsibility to create and maintain an inventory of “critical” UDAs to be included in an audit, points out Cyndi Plamondon, the IIA’s vice president of professional practices. Internal audit, though, should help define what constitutes a key UDA and also compile its own list prior to conducting an audit and compare it with management’s, she says.
Internal audit then should evaluate management’s controls over identifying UDAs and their owners, how UDAs are used, how changes to them are made and by whom, and what network systems they feed, the IIA says. Auditors also should evaluate the level of risk associated with each UDA and determine whether the controls reduce risk to an acceptable level based on the company’s risk appetite and tolerance.
Special attention should be given to manual journal entries supported by UDAs. “If internal auditors do not have access to a management-generated inventory and risk ranking of UDAs, they would do well to look first at those that support the financial close and reporting process,” the IIA states.
The IIA’s recommendations are contained in the institute’s 14th Global Technology Audit Guide. User-developed applications were recommended as a topic ripe for guidance by the IIA’s advanced technology committee, but the factors that make UDA audits tricky are not new. Corporate end users have been creating spreadsheets and databases without IT supervision for decades, and they have always been risky and difficult to track.
“It may be that we had a gap in our guidance,” acknowledges Plamondon. “In some organizations, UDAs may not have gotten as much attention in the past as they should have. Now we’re making our members aware that they should look at these applications and how they are controlled.”
