Spreadsheet and EUC fundamentals
End user computing (EUC) applications are applications built and/or maintained by the business that fall outside of IT control. Microsoft Excel spreadsheets are the most common EUC file type, typically making up to 90% or more of EUC inventories. Increasingly, other file types are coming under the scope of regulators.
New EUC application types are emerging.
Even in highly automated companies, Excel is still very relevant, especially in the financial reporting (SOX) process.
- 95% of companies consider Excel critical to their Financial Reporting processes.
- 88% of all spreadsheets contain formula or data lineage errors.
It’s not just accounting and finance departments. EUCs are increasingly supporting high-risk processes across the organization.
- Board Reporting
- Business Intelligence
- Operations Analytics
- Risk Management
- Supply Chain Management
- CRM
- Data Privacy (CCPA)
- Model Risk Management
- Regulatory Reporting
Why should internal audit care about EUC risk?
Regulators are taking notice of organizational reliance on EUCs. The US has seen a tremendous uptick in regulatory interest around EUCs across all industries.
However, it’s not just regulators that companies have to worry about. Repercussions are costly and damaging when something in a critical file goes wrong. Here are just some examples of major scandals in recent years.
- Errors within a Value at Risk (VaR) spreadsheet contribute to a $6B+ loss.
- Citibank assessed $400M fine and cease & desist order with major callouts to EUC program listed.
- Double counting in a spreadsheet leads Marks & Spencer to issue a correction in its quarterly trading statement after misreporting group sales figures.
- Low cost and low ‘barrier to entry’
- Highly flexible
- Easy to use
- Ubiquitous
- Interconnected
Spreadsheet risk can and should be actively managed. Controlling the risks will allow an organization to continue to unlock value and increase efficiency.
The basics of a risk management program
Spreadsheet risk management doesn’t have to be complicated. At a minimum, a comprehensive risk management program should comprise three steps: identify, inventory, and remediate/replace/retire.
Identify & assess
Governance teams must evidence that they have located each Excel file that supports the financial reporting process. Any spreadsheet that directly feeds, supports, or validates a company’s financial reporting process is considered in scope. User identification can be effective, but is not enough. Teams must be able to answer, “Are you sure you’ve found everything?”
Ignorance is not bliss: Maintaining an EUC inventory
Maintain an inventory of all critical spreadsheets that are linked to other files to understand and evidence:
- File ownership
- Supported business process
- Risk profile
Utilize standard metrics to define:
- Applicable internal controls
- Cadence of inventory attestation
Lifecycle management
After placing the EUC file within an inventory, the final phase is lifecycle management. This phase itself is typically one of three actions:
- Remediate – Keep the file, but ensure it is accurate and working correctly.
- Replace – Replace the file with another EUC or alternative application. Replacement requires a thorough understanding of how each spreadsheet works and links to other files.
- Retire – Retire the file and monitor to ensure the retired spreadsheet is in fact expunged and not being used.
How to get started
To get started, ask the business these simple questions:
- Scope: Do you know all the processes in your business area that are supported by spreadsheets? This is the first question regulators ask.
- Accuracy: How do you know this list is accurate?
- Timeliness: Do you have a timeline to deprecate any of these spreadsheets?