END-USER COMPUTING RISKS

An End-User Computing application or EUC is any application that is not managed and developed in an environment that employs robust IT general controls. They are created and maintained by business units and embedded within business unit processes. Although the most pervasive EUCs are spreadsheets, EUCs also can include user databases, queries, scripts, or output from various reporting tools. 

And, while EUC is the most common term used, they are also called: 

Studies show that 90% of spreadsheets with over 150 rows contain errors. Even very experienced users searching for errors only identify, on average, 54% of such errors. In addition to data entry, errors can also occur within formulas, the spreadsheet logic, or links to other spreadsheets and external data sources.

By their very nature, spreadsheet applications and other end-user developed applications can be more difficult to control than more traditional IT developed applications. Even where change control policies exist, these can be difficult to enforce.

Files that have not been properly documented may be used incorrectly after a change in ownership of the EUC, or just improperly used in general. Again, this can lead to unintended and undetected errors.

Unsecured files may be easily traded among users, and allow for areas of spreadsheets that should remain constant to be changed. This can lead to increased errors, or might allow sensitive and confidential information to be seen by unauthorized users.

As with any financial processes, the ability to audit and control changes to key data is essential both for internal governance and for compliance with external regulation. For critical applications, managing this risk effectively is crucial and in many instances will require monitoring and controlling changes at the individual cell level.

The greatest operational risk with spreadsheet usage is in not knowing the size of the potential problem. The use of spreadsheets is so widespread that for many companies it is extremely difficult to assess just how many exist, how many are used in critical business applications, how these are linked together, or where data is fed into or extracted from other IT applications. To quantify this risk, it is necessary to carry out a full inventory of spreadsheet usage and a detailed risk assessment of all business critical spreadsheets.

There are many real world examples which illustrate the quantifiable consequences that can arise from the uncontrolled use of spreadsheets. The consequences of poor spreadsheet control and management can result in: