Exam CISA topic 1 question 601 discussion

The best answer to this question is C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets. The IS auditor should verify next whether there is a complete inventory of EUC spreadsheets that are being used to generate key financial information. This is because an inventory is the first step to identify and assess the EUC applications that are critical, sensitive or material to the organization’s operations and reporting. An inventory can also help to determine the ownership, location, purpose, frequency of use and update, and dependencies of the EUC spreadsheets. Without an inventory, the IS auditor cannot effectively evaluate the adequacy of controls over the EUC spreadsheets.

When an IS auditor is informed that several spreadsheets are being used to generate key financial information, the next step would typically involve assessing the control environment related to these spreadsheets. In this context, the auditor should verify: Risk Assessment: It helps in assessing the overall risk associated with the use of spreadsheets for financial information. This includes understanding the complexity, criticality, and potential impact of these spreadsheets on financial reporting. Control Evaluation: Having a complete inventory allows the auditor to evaluate the controls in place for each spreadsheet. This includes considerations such as data accuracy, integrity, security, and compliance with relevant policies and regulations. Efficiency and Effectiveness: It ensures that the auditor has a comprehensive view of the spreadsheet landscape, enabling them to focus on areas that are more prone to errors or manipulation.

End-user computing (EUC) spreadsheets are those spreadsheets created and maintained by non-IT personnel to support business operations. The use of EUCs can pose significant risks to organizations due to the lack of controls and oversight, which may result in errors, fraud, or non-compliance with regulations