What is an EUC?
It's an End-User Computing application
An End-User Computing application or EUC is any application that is not managed and developed in an environment that employs robust IT general controls. They are created and maintained by business units and embedded within business unit processes. Although the most pervasive EUCs are spreadsheets, EUCs also can include user databases, queries, scripts, or output from various reporting tools.
And, while EUC is the most common term used, they are also called:
- UDA (User Developed Applications)
- EUDA (End User Developed Applications
- EUA (End User Applications)
- EUCA (End User Computing Applications)
No matter what they are called, robust end-user computing controls are necessary and should form a key component of any operational risk management strategy. Since these applications are not managed by general IT controls, manual control processes are not enough.
EUC Risks
Errors
Studies show that 90% of spreadsheets with over 150 rows contain errors. Even very experienced users searching for errors only identify, on average, 54% of such errors. In addition to data entry, errors can also occur within formulas, the spreadsheet logic, or links to other spreadsheets and external data sources.
Poor version & change control
By their very nature, spreadsheet applications and other end-user developed applications can be more difficult to control than more traditional IT developed applications. Even where change control policies exist, these can be difficult to enforce.
Poor documentation
Files that have not been properly documented may be used incorrectly after a change in ownership of the EUC, or just improperly used in general. Again, this can lead to unintended and undetected errors.
Lack of security
Unsecured files may be easily traded among users, and allow for areas of spreadsheets that should remain constant to be changed. This can lead to increased errors, or might allow sensitive and confidential information to be seen by unauthorized users.
Lack of audit trail
As with any financial processes, the ability to audit and control changes to key data is essential both for internal governance and for compliance with external regulation. For critical applications, managing this risk effectively is crucial and in many instances will require monitoring and controlling changes at the individual cell level.
Risk of the unknown
The greatest operational risk with spreadsheet usage is in not knowing the size of the potential problem. The use of spreadsheets is so widespread that for many companies it is extremely difficult to assess just how many exist, how many are used in critical business applications, how these are linked together, or where data is fed into or extracted from other IT applications. To quantify this risk, it is necessary to carry out a full inventory of spreadsheet usage and a detailed risk assessment of all business critical spreadsheets.
The Consequences
What can happen when you ignore these risks?
There are many real world examples which illustrate the quantifiable consequences that can arise from the uncontrolled use of spreadsheets. The consequences of poor spreadsheet control and management can result in:
- Financial loss
- Loss of stock value
- Loss of reputation and/or market share
- Vulnerability to fraud
- Increased cost of auditing and compliance
- Regulatory fines and penalties for non-compliance
- Increased capital adequacy requirements
- Loss of your job
Read more about some of these examples on our blog.
E.U.C Risk Management Framework
The Business Case and Best Practices for End User Computing (EUC) Risk Management
Managing the enormous risks from End User Computing (EUC) applications is probably not on the top of the agenda for your C-suite. Nonetheless, you can be assured that they would care deeply if a material error related to EUCs were to occur or become public. It has cost a CEO their job.