
Internal Audit Spreadsheet & EUC Risks

June 24, 2021

Spreadsheet and EUC fundamentals

End user computing (EUC) applications are applications built and/or maintained by the business that fall outside of IT control. Microsoft Excel spreadsheets are the most common EUC file type, typically making up to 90% or more of EUC inventories. Increasingly, other file types are coming under the scope of regulators.

New EUC application types emerging

Even in highly automated companies, Excel is still very relevant, especially in the financial reporting (SOX) process.

It’s not just accounting and finance departments. EUCs are increasingly supporting high-risk processes across the organization.

  • Board Reporting
  • Business Intelligence
  • Operations Analytics
  • Risk Management
  • Supply Chain Management
  • Data Privacy (CCPA)
  • Model Risk Management
  • Regulatory Reporting

Why should internal audit care about EUC risk?

Regulators are taking notice of organizational reliance on EUCs. The US has seen a tremendous uptick in regulatory interest around EUCs across all industries.

Seal of the United States Securities and Exchange Commission (SEC)

However, it’s not just regulators that companies have to worry about. Repercussions are costly and damaging when something in a critical file goes wrong. Here are just some examples of major scandals in recent years.

JPMorgan Chase logo

Errors within a Value at Risk (VaR) spreadsheet contribute to a $6B+ loss.

Material spreadsheet arithmetic error leads to profits being exaggerated by over $5M. Conviviality collapses after losing over 60% of its stock value.

Citibank is assessed a $400M fine and a cease & desist order, with major callouts to its EUC program listed.

Double counting in a spreadsheet leads Marks & Spencer to issue a correction in its quarterly trading statement after misreporting group sales figures.

Despite the risks they bring, spreadsheets remain:

  • Low cost and low ‘barrier to entry’
  • Highly flexible
  • Easy to use
  • Ubiquitous
  • Interconnected

Spreadsheet risk can and should be actively managed. Controlling the risks will allow an organization to continue to unlock value and increase efficiency.

The basics of a risk management program

Spreadsheet risk management doesn’t have to be complicated. At a minimum, a comprehensive risk management program should consist of three steps: identify, inventory, and remediate/replace/retire.

  • Identify: Ensure all critical spreadsheets are identified
  • Inventory: Build and maintain a comprehensive and accurate inventory
  • Remediate: Control inherent risk by applying spreadsheet controls
  • Replace: Identify alternate application and migrate functionality
  • Retire: Discontinue use of application

(Figure: Spreadsheet risk management workflow diagram)

Identify & assess

Governance teams must evidence that they have located each Excel file that supports the financial reporting process. Any spreadsheet that directly feeds, supports, or validates a company’s financial reporting process is considered in scope. User identification can be effective, but is not enough. Teams must be able to answer, “Are you sure you’ve found everything?”

Ignorance is not bliss: Maintaining an EUC inventory

Maintain an inventory of all critical spreadsheets that are linked to other files to understand and evidence:

  • File ownership
  • Supported business process
  • Risk profile

Utilize standard metrics to define:

  • Applicable internal controls
  • Cadence of inventory attestation

Lifecycle management

After placing the EUC file within an inventory, the final phase is lifecycle management. This phase itself is typically one of three actions:

  1. Remediate – Keep the file, but ensure it is accurate and working correctly.
  2. Replace – Replace the file with another EUC or alternative application. Replacement requires a thorough understanding of how each spreadsheet works and links to other files.
  3. Retire – Retire the file and monitor to ensure the retired spreadsheet is in fact expunged and not being used.

How to get started

To get started, ask the business these simple questions:

  • Scope: Do you know all the processes in your business area that are supported by spreadsheets? This is the first question regulators ask.
  • Accuracy: How do you know this list is accurate?
  • Timeliness: Do you have a timeline to deprecate any of these spreadsheets?

Next steps

Get started with a comprehensive EUC risk program by creating an EUC risk management policy. This free guide is based on Apparity’s experience implementing policy, controls, and evidence that auditors will be looking for.


Chris Trammell and Jeremy Condie
