What is an EUC?
End User Computing (EUCs) are computing solutions and applications created and maintained by business units and embedded within business unit processes. Although the most pervasive EUCs are spreadsheets, EUCs also can include user databases, queries, scripts, or output from various reporting tools. In general, an EUC is any application that is not managed and developed in an environment that employs robust IT general controls.
The need for robust end user computing control procedures is undeniable and should form a key component of any operational risk management strategy. Manual control processes alone are not enough.
CIMCON Software provides the industry's most comprehensive end-user computing controls from discovery, risk assessment and analysis to monitoring, versioning, approvals and security.
There are many real world examples (drawn from publicly available information) which illustrate the quantifiable consequences that can arise from the uncontrolled use of EUCs.
Spreadsheet usage is prevalent across a wide range of industries, often playing a critical role in financial processes and reporting. Because of its widespread usage, knowing the risks associated with end user computing is important. Such risks include:
Errors
Studies show that 90% of spreadsheets with over 150 rows contain errors. Even very experienced users searching for errors only identify, on average, 54% of such errors. In addition to data entry, errors can also occur within formulas, the spreadsheet logic, or links to other spreadsheets and external data sources.
Poor version and change control
By their very nature, spreadsheet applications and other end-user developed applications can be more difficult to control than more traditional IT developed applications. Even where change control policies exist, these can be difficult to enforce.
Poor documentation
Files that have not been properly documented may be used incorrectly after a change in ownership of the EUC, or just improperly used in general. Again, this can lead to unintended and undetected errors.
Lack of security
Unsecured files may be easily traded among users, and allow for areas of spreadsheets that should remain constant to be changed. This can lead to increased errors, or might allow sensitive and confidential information to be seen by unauthorized users.
Lack of audit trail
As with any financial processes, the ability to audit and control changes to key data is essential both for internal governance and for compliance with external regulation. For critical applications, managing this risk effectively is crucial and in many instances will require monitoring and controlling changes at the individual cell level.
Risk of the unknown
The greatest operational risk with spreadsheet usage is in not knowing the size of the potential problem. The use of spreadsheets is so widespread that for many companies it is extremely difficult to assess just how many exist, how many are used in critical business applications, how these are linked together, or where data is fed into or extracted from other IT applications. To quantify this risk, it is necessary to carry out a full inventory of spreadsheet usage and a detailed risk assessment of all business critical spreadsheets.
The Consequences
There are many real world examples (drawn from publicly available information) which illustrate the quantifiable consequences that can arise from the uncontrolled use of spreadsheets. The consequences of poor spreadsheet control and management can result in:
- Financial loss
- Loss of stock value
- Loss of reputation and/or market share
- Vulnerability to fraud
- Increased cost of auditing and compliance
- Regulatory fines and penalties for non-compliance
- Increased capital adequacy requirements
- Loss of your job
