Sarbanes-Oxley forced companies to look under the rock of their internal controls, but eight years later, spreadsheets and databases are still causing operational risk headaches, and sometimes the public embarrassment of financial restatements or fraud. To combat the problem, the Institute of Internal Auditors (IIA) is rallying the troops. The group has issued a practice guide entitled Auditing User-developed Applications. The guide urges internal auditors to "determine and review" critical spreadsheets and databases, which it distinguishes from their innocuous kin with the term user-developed applications, or UDAs.
Internal auditors should audit UDAs annually, and regard any problems as a control weakness, the IIA recommends.