An effective end user computing policy includes elements of governance, process, people and technology. Each of these elements should be customized to meet the specific needs of the organization.

You’ve learned what an End User Computing (EUC) Application is. You’ve learned about the unique risks that these EUCs pose to your organization. And you’ve read horror stories of the very real financial and reputational impacts of not controlling these risks.

So now you are asking yourself, how can I control these risks?

This blog post will cover the element of governance and the basics of developing an end user computing policy.

Define Roles and Responsibilities

Identify who the EUC policy applies to and what they are responsible for in terms of implementing the policy. Common roles and responsibilities include the following:

EUC Owner

Responsibilities typically include:

  • Identify all EUCs in use and evaluate their criticality
  • Develop and implement controls consistent with what is outlined in the policy and supporting documentation

Manager

Responsibilities typically include:

  • Provide oversight and verify that fulfillment of controls is complete and accurate
  • Review and sign off on any changes made to an EUC to ensure its integrity

Compliance / Audit

Responsibilities typically include:

  • Ensure compliance standards are being met across the organization

Define What an EUC is

Your audience must understand what is and what is not in scope for this policy.

Not all spreadsheets are created equal. You likely don’t care if the spreadsheet used to coordinate the holiday potluck has controls or not. But the spreadsheet used in financial or regulatory reporting is a different story.

EUCs are typically identified by looking at two factors: (1) complexity and (2) business impact.

Complex spreadsheets have a higher risk for error due to, well…their complexity. Macros, formulas, pivot tables, and external links are a few examples of how a spreadsheet can become increasingly complex. It is up to you to determine the thresholds for whether a spreadsheet falls into High, Medium, or Low complexity.

However, complexity alone cannot determine whether a spreadsheet is an EUC. The fantasy football spreadsheet that I have on my computer contains complex formulas and macros, but would that be considered an EUC? No. The impact that the spreadsheet can have on your business must also be considered.

Think of business impact as the answer to this question: if your spreadsheet failed, what would be the result for the business? Common questions when assessing the business impact of your spreadsheet include:

  • Is this spreadsheet used in financial or regulatory reporting functions?
  • Does this spreadsheet have the potential to impact financial statements by a material amount?
  • Is this spreadsheet used to make decisions on significant investments or expenditures?

Taken together, complexity and business impact will help you define what is an EUC and therefore subject to the policy.

Define the Required Controls

You’ve now set the tone for who is responsible for implementing the policy and which spreadsheets fall under the policy. You now need to define your strategy and requirements for controlling your EUCs. Below are common EUC controls.

Inventory Control

All EUCs need to be maintained in a central inventory with appropriate metadata (e.g., Owner, Department, Business Process, Criticality).

Change Control

It is critical for the business to be able to quickly understand the significant changes between any two versions of a spreadsheet, prove that the spreadsheet is working as intended, and prove that the spreadsheet received formal sign-off by an appropriate individual affirming that the changes were appropriate.

Version Control

You must know where your files are stored and which version is the latest and greatest. Without proper versioning controls, there is a risk of using an incorrect spreadsheet.

Access Control

You must be sure that only authorized users are making changes to your spreadsheets.

Integrity Control

You must ensure that the integrity of your spreadsheets has not been compromised and that they are free of errors.

Summary

Governance is one pillar of a successful EUC management program and developing a strong end user computing policy is your first step in developing the foundation. In this policy, be sure you clearly articulate the roles and responsibilities of those impacted by the policy, what types of EUCs need to abide by the policy, and the strategy and requirements for minimizing the risk in these EUCs.

For a more detailed example of an end user computing policy, please review our Best Practice End User Computing Policy Guide.

About the Author:

Head Of Professional Services at Apparity

Justin leads management of Apparity's Professional Services team and all related customer implementation projects.