EnD-user computing risks

What is an EUC?

It's an End-User Computing application

An End-User Computing application or EUC is any application that is not managed and developed in an environment that employs robust IT general controls. They are created and maintained by business units and embedded within business unit processes. Although the most pervasive EUCs are spreadsheets, EUCs also can include user databases, queries, scripts, or output from various reporting tools. 

Because these applications are not managed by general IT controls, robust end-user computing controls are necessary and should form a key component of any operational risk management strategy. Manual control processes are not enough.

EUC Risks

Errors

Studies show that 90% of spreadsheets with over 150 rows contain errors. Even very experienced users searching for errors only identify, on average, 54% of such errors. In addition to data entry, errors can also occur within formulas, the spreadsheet logic, or links to other spreadsheets and external data sources.

 

Poor version & change control

By their very nature, spreadsheet applications and other end-user developed applications can be more difficult to control than more traditional IT developed applications.  Even where change control policies exist, these can be difficult to enforce.

 

Poor documentation

Files that have not been properly documented may be used incorrectly after a change in ownership of the EUC, or just improperly used in general. Again, this can lead to unintended and undetected errors.

 

Lack of security

Unsecured files may be easily traded among users, and allow for areas of spreadsheets that should remain constant to be changed. This can lead to increased errors, or might allow sensitive and confidential information to be seen by unauthorized users.

Lack of audit trail

As with any financial processes, the ability to audit and control changes to key data is essential both for internal governance and for compliance with external regulation. For critical applications, managing this risk effectively is crucial and in many instances will require monitoring and controlling changes at the individual cell level.

 

Risk of the unknown

The greatest operational risk with spreadsheet usage is in not knowing the size of the potential problem. The use of spreadsheets is so widespread that for many companies it is extremely difficult to assess just how many exist, how many are used in critical business applications, how these are linked together, or where data is fed into or extracted from other IT applications. To quantify this risk, it is necessary to carry out a full inventory of spreadsheet usage and a detailed risk assessment of all business critical spreadsheets.

The Consequences

What can happen when you ignore these risks? 

There are many real world examples which illustrate the quantifiable consequences that can arise from the uncontrolled use of spreadsheets. The consequences of poor spreadsheet control and management can result in:

  • Financial loss
  • Loss of stock value
  • Loss of reputation and/or market share
  • Vulnerability to fraud
  • Increased cost of auditing and compliance
  • Regulatory fines and penalties for non-compliance
  • Increased capital adequacy requirements
  • Loss of your job

Read  more about some of these examples on our blog