The important applications used for financial reporting, trading, liquidity analysis, and so on are known by many phrases and acronyms. They include “End User Computing” (EUC), “User Developed Applications” (UDA), “tools,” “calculators,” or, plainly, spreadsheets. Whatever you call them, you need to know where they are, who is using them, and which business processes are dependent on their existence.
A lack of EUC controls will result in internal and external audit points, MRAs, MRIAs and even cease and desist orders. This isn’t just the concern of big banks overseen by the Securities and Exchange Commission (SEC) or the Office of the Comptroller of the Currency (OCC). The Federal Deposit Insurance Corporation (FDIC) is also demanding smaller banks start by knowing where their EUCs are. In other words, smaller banks are being asked to create and maintain an EUC inventory, just like many of the country’s largest banks have.
As with all things, there are many ways to create an EUC inventory, some better than others. To help you avoid common pitfalls, here are the top five worst ways to build an EUC inventory.
1. Email Distributed EUC List
Sending an email to all business users asking them to respond with a list of their EUCs is so ineffective it’s barely worth mentioning. However, many banks start with this approach because of its low level of effort and perception as a good initial minimum viable product.
Often, hundreds of emails will be sent and responses logged. However, this exercise doesn’t guarantee that everything will be found. It’s likely that something important will be missed.
You will have a list that you have little confidence in, let alone one that meets the scrutiny of even a junior auditor or regulatory examination.
2. GRC-based EUC List
Asking users to log on to a Governance, Risk and Compliance (GRC) platform, such as Archer, to answer questions about their EUC usage is another pitfall. Your bank undoubtedly has a shiny platform for all your GRC requirements. So why not develop an EUC-focused questionnaire and ask your first-line to describe each of their EUCs?
Even if you don’t make the all-too-common mistake of asking so many questions about each EUC that your users simply refuse to cooperate, you still have no way of double-checking that nothing important was missed. A basic list will exist, but not a complete inventory.
3. Scan-based EUC Inventory
Using technology to find technology seems so obvious and, dare it be said, easy. There are also many powerful scanning tools available.
But the reality is EUCs do not have guaranteed technical attributes, metadata, content or even a naming convention that separates them from all the other files on your network. A spreadsheet being used for critical reporting may have an innocuous name, few formulas, no macros, no plug-ins and no links to sensitive systems. A scanner will often miss such applications.
The logical solution would be to cast a wider net by broadening the search criteria. Unfortunately, that usually results in an ocean of noise. Allocating a resource to look through a huge list of files to pick out those that matter just doesn’t happen because it’s inefficient.
4. Infrequent Updates
Unlike large enterprise applications, important EUCs can be created, modified, copied, duplicated, and used in minutes. Bank policies often expect annual refreshes of inventories.
Expecting your users to remember all the EUCs they used in the past twelve months, or scanning for any files used in the same period, is inevitably not going to result in success. It is a waste of time, effort and resources.
5. Relying 100% on Technology
Technology is constantly improving: robotic processing, artificial intelligence, machine learning, etc. The silver bullet is just around the corner.
Scanning is the answer, eventually. We can all agree that technology will be key. However, can technology answer questions such as:
- Why was this EUC developed?
- Where are the results of this EUC being used?
- When does the user intend to use this application?
This qualitative input from your users is as important as any quantitative scanning results.
The Smartest Way to Create an EUC Inventory
Apparity’s 3rd generation EUC risk management platform is designed from the ground up to meet the challenges and requirements for accurate EUC inventory creation, verification, and maintenance. This is achieved through a unique combination of file discovery, analysis, aggregation, noise filtering and user involvement. It is unobtrusive and user-friendly for 1st line business users, their management, auditors and even regulators. This ensures adoption and usage by everyone across the organization.