Question
An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?
A. Whether adequate documentation and training is available for spreadsheet users
B. Whether the spreadsheets meet the minimum IT general controls requirements
C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets
D. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)
Answer
C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets
Explanation
This question concerns end-user computing (EUC) spreadsheets that are being used to generate key financial information. EUC is the use of software applications by non-IT professionals to create, modify or control data or information systems. Spreadsheets are a common example of EUC applications and can pose significant risks to data integrity, security and compliance if not properly controlled.
The best answer is C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets. An inventory is the first step in identifying and assessing the EUC applications that are critical, sensitive or material to the organization’s operations and reporting, so it is what the IS auditor should verify next. An inventory can also help to determine the ownership, location, purpose, frequency of use and update, and dependencies of the EUC spreadsheets. Without an inventory, the IS auditor cannot effectively evaluate the adequacy of controls over the EUC spreadsheets.
The other options are not as good because:
- A. Whether adequate documentation and training is available for spreadsheet users. This is an important aspect of EUC control but it should be verified after establishing an inventory of EUC spreadsheets. Documentation and training can help to ensure that spreadsheet users understand the design, functionality, limitations and risks of the EUC applications they use. However, documentation and training alone cannot prevent errors, fraud or misuse of EUC spreadsheets if they are not identified, monitored or reviewed.
- B. Whether the spreadsheets meet the minimum IT general controls requirements. This is a relevant factor to consider but it should be verified after establishing an inventory of EUC spreadsheets. IT general controls are policies, procedures and practices that apply to all IT systems and data in an organization. They can help to ensure the reliability, security and availability of IT resources and information. However, IT general controls may not be sufficient or appropriate for EUC applications that are developed and maintained by end-users outside the IT function.
- D. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO). This is a desirable practice but it should be verified after establishing an inventory of EUC spreadsheets. A formal review by the CFO can help to ensure the accuracy, completeness and validity of the financial information generated by the EUC spreadsheets. However, a formal review by the CFO may not be feasible or effective for all EUC spreadsheets if they are numerous, complex or dynamic.