End-user computing (EUC) refers to systems in which non-programmers can create working applications. EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner.
End-user computing (EUC) applications (such as Microsoft Excel, Microsoft Access and others) continue to present challenges for organizations.
On the one hand, EUCs provide a great benefit by allowing users to directly manage, control and manipulate data. Unlike SAP, Oracle and other enterprise resource planning (ERP) applications that facilitate the automated and integrated flow of transactions and data, EUCs are neither ponderous nor difficult to modify. In fact, EUCs allow businesses and users to quickly deploy solutions in response to shifting market and economic conditions, industry changes or evolving regulations. They can also help plug functionality gaps for ERP systems.
Challenges associated with EUCs include:
- Misstated financial statements due to simple data entry or calculation errors in spreadsheets
- Regulatory and compliance violations
- Operational impacts and losses due to errors
- Loss of time stemming from cumbersome manual processes and calculations that could be automated
- Data redundancy and version control issues
- Lack of recovery or forensic capabilities
- Higher risk of fraud
- Audit findings due to lack of control around EUCs
It’s imperative that organisations have a framework to:
- Define what EUC risk is for the organisation
- Define what constitutes high-risk EUCs
- Define the additional controls that are required to manage high-risk EUCs
- Establish appropriate reporting and monitoring protocols for oversight
- Establish protocols for action when risk levels deteriorate or monitoring reveals exceptions
- Establish appropriate escalation
All this must be congruent with and feed the larger operational risk management framework.
Perhaps the safest way to manage and mitigate the risks of EUC applications is to take a system-based approach to supporting the control framework. A manual approach is prohibitive and burdensome from a cost-benefit and risk-reward perspective.
EUCs are here to stay, and our dependence on them is unlikely to diminish. EUC risk must be understood and assessed. For any of this to happen, though, EUC risk must first get the attention of management.