Keeping your IT estate secure is a constant battle for any professional in this field, and the task only becomes more challenging as businesses grow and new IT solutions and processes are constantly being created. However, alongside the technical challenges, businesses also need to consider the personnel issues they may face when building new systems.
People are always the least predictable part of any IT system, yet it's the one thing that can never be removed from the process. Even if you go all-in on the latest artificial intelligence and automation tools, employees will still have to manually interact with applications and data at some point.
Therefore, it's likely that end-user computing applications will still have a place in many organizations, so having a framework to manage and control these is crucial for IT teams to maintain adequate security and visibility.
What is end-user computing?
End-user computing (EUC) is a term that encompasses the wide range of technologies and applications that empower individual users to access, manipulate and collaborate on data and information within an organization. The primary objective of EUC is to facilitate seamless interaction between users and their computing environments, enabling them to efficiently perform day-to-day tasks and make informed decisions based on real-time insights.
This category of IT covers a wide range of applications, including databases, programming language algorithms and scripts. For most businesses, however, the most common type of EUC is likely to be spreadsheet applications like Excel, which are especially heavily used by financial operations teams for everything from tracking weekly sales data to projecting long-term results. Some other common examples include collaboration tools such as Slack, and business intelligence platforms like Tableau. These user applications are often customizable, catering to the specific needs of an organization and its workforce.
The challenges posed by end-user computing
The issue for many businesses is that, left unchecked, these EUC applications can quickly spiral out of control. Unmanaged systems that IT and compliance professionals have no visibility into can pose a wide range of risks from human error that can leave companies facing the prospect of operational mistakes, lost opportunities, reputational damage or even regulatory action.
One of the biggest dangers of EUCs is that, with data and formulae being entered manually with little oversight or checking, it's easy for errors to creep into essential operations. For instance, spreadsheet errors can result in firms holding inaccurate information about their performance, or even misstating their position to a regulator, which can lead to costly regulatory fines and reputational damage.
Indeed, there is a wide range of regulatory and compliance issues that can arise as a consequence of poor EUC configurations or errors. The Sarbanes-Oxley (SOX) Act, for example, is intended to protect against erroneous or fraudulent accounting practices, so it is especially relevant for businesses using EUCs in their accounting functions.
Meanwhile, other regulations that could potentially be violated by poor EUCs include the Dodd-Frank Act, HIPAA, PCI-DSS and the EU's General Data Protection Regulation, to name but a few.
Aside from these issues, the lack of visibility created by some EUCs can also make areas such as disaster recovery trickier and leave businesses without the ability to effectively audit processes. In turn, this can leave companies more exposed to fraud due to a lack of forensic and monitoring capabilities.
The benefits of EUCs
Given this wide range of risk factors, businesses may wonder if they should be deploying EUC at all. Indeed, when it comes to issues like financial reporting, there are often prepackaged and automated solutions available that can do the same job.
But there are a number of positives to these applications, in particular the freedom and flexibility they can provide to businesses. Unlike tools such as Enterprise Resource Planning applications that look to automate the flow and control of data, EUCs are very easy to modify in order to adapt to changing demands and can quickly be customized to meet a firm's unique situation.
This means EUCs are better able to respond to evolving market or economic conditions, new regulations, and adjustments within the industry that can have an impact on the way companies do business. For example, external factors that will result in a change in how financial projections are calculated can be more easily factored into an EUC solution than a more rigid automated tool.
In addition, EUC can offer businesses greater mobility and better support for strategies such as BYOD. However, given the potential for serious consequences should any of these systems fail, a strong system of management and control is a must-have, and this is where developing an EUC governance program comes in.
What is an EUC governance framework?
An EUC governance framework sets out what controls and processes are in place within an enterprise to ensure that the outcomes of EUCs are accurate, reliable and relevant to their users.
For example, Excel spreadsheets are one of the most common forms of EUC, so an internal governance management framework should guide end-users through the creation and use of such models by setting out clear requirements for what must and must not be done within them and how formulae should be reviewed and tested.
Many of the tools used for EUC will be developed on an ad-hoc basis or by business units for whom IT security and regulatory compliance are not the primary concern. The solutions they use to create these applications, such as Excel, often do not come with clear best practices or formalized control frameworks and documentation.
A comprehensive EUC governance framework will therefore have several key goals, which should include the following:
- Identify and document all EUC models in use within the business
- Determine the level of risk within each of these processes
- Ensure EUC models are as user-friendly as possible
- Set out control processes to minimize the risk of mistakes (e.g. spreadsheet errors)
- Provide consistency across all EUC models
- Create a clear audit process for documenting updates and changes to EUC tools
Managing and mitigating the risks of EUC
The first step to understanding and minimizing the risks posed by EUC is to determine which manual processes are in use throughout your business. Without this, you will be unable to clearly define the scope of your framework, which can lead to wasted effort or critical EUC processes slipping through the cracks if they're incorrectly identified.
For instance, projection models that use Excel spreadsheets or Access databases are classed as manual models, as they rely on the user entering every piece of code and every formula used to perform calculations. Similarly, any programming language in which a user can execute code directly, such as SQL, R and SAS, also falls into this category.
These models will be defined by a lack of formal controls, little or no documentation of processes or changes, and limited audit trail functionality. Therefore, tackling these shortcomings should be the aim of any governance framework.
Policies that mandate improved documentation should be a top priority within this. Being able to see clearly what processes have been put in place and what changes are made boosts visibility, while it also helps guarantee consistency across your organization.
Key factors every EUC framework should include
There are several key ways in which a strong EUC governance framework can minimize the risks created by these applications. A first step will be to ensure essential spreadsheets, databases and other tools are consistent and accessible to everyone who may need them, which means mandating that they're stored in shared network locations and offer IT departments and compliance officers full visibility.
A good framework will be divided into three key areas: governance, people and processes. Governance will deal with issues such as documentation, policies, ownership and reporting, while people will cover who has responsibility for EUC management in each department, as well as the training processes that will be needed to educate users of the framework and steps they should be following.
Finally, processes should cover areas such as risk management - i.e. defining and ranking EUCs according to their risk profile - building an inventory, creating a template for the use of EUCs that can be followed throughout the business, and the development of controls such as version, change and access management.
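The inventory, risk-ranking and change-control steps described here (and the discovery of manual models discussed under "Managing and mitigating the risks of EUC" above) can be given a concrete, if deliberately small, shape. The script below is an added example and is not from the article or any vendor product: it walks a file share for the EUC file types the article names (Excel, Access, SQL, R, SAS), records a SHA-256 fingerprint of each file as a tamper-evident baseline, applies a constructed additive risk score (the extensions, keywords, weights and the "outside the shared location" rule are all assumptions chosen for illustration), and then diffs two inventory snapshots to produce the kind of audit-trail entry a change-management control needs. The sample estate it builds in a temporary directory is constructed and stands in for real files.

```python
"""EUC inventory, risk ranking and change detection (added example, not the
article's own tooling). Suffixes, keywords and score weights are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed EUC container types: Excel/Access files plus user-executable code.
EUC_SUFFIXES = {".xlsx", ".xlsm", ".xlsb", ".accdb", ".mdb", ".sql", ".r", ".sas"}
MACRO_CAPABLE = {".xlsm", ".xlsb", ".accdb", ".mdb"}
EXECUTABLE_CODE = {".sql", ".r", ".sas"}
# Assumed filename keywords that suggest the model feeds financial/regulatory reporting.
HIGH_IMPACT_WORDS = ("forecast", "sox", "regulatory", "ledger")


def sha256_file(path: Path) -> str:
    """Content fingerprint used as the baseline for change detection."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def risk_score(path: Path, shared_root: Path) -> tuple[int, list[str]]:
    """Additive risk ranking; every rule and weight here is an assumption."""
    score, reasons = 0, []
    suffix = path.suffix.lower()
    if suffix in MACRO_CAPABLE:
        score += 3; reasons.append("macro/VBA-capable container")
    if suffix in EXECUTABLE_CODE:
        score += 2; reasons.append("user-executable code")
    if any(word in path.stem.lower() for word in HIGH_IMPACT_WORDS):
        score += 3; reasons.append("name suggests reporting impact")
    if shared_root not in path.resolve().parents:
        score += 2; reasons.append("outside the shared network location")
    return score, reasons


def build_inventory(root: Path, shared_root: Path) -> dict:
    """Discover EUC files under root and record fingerprint, size and risk."""
    inventory = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EUC_SUFFIXES:
            score, reasons = risk_score(p, shared_root)
            inventory[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
                "risk": score,
                "reasons": reasons,
            }
    return inventory


def diff_inventory(old: dict, new: dict) -> dict:
    """Audit-trail entry: models that appeared, disappeared or changed content."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
    }


def make_sample_estate(root: Path) -> None:
    """Constructed sample files standing in for a real file share and desktops."""
    (root / "shared" / "finance").mkdir(parents=True)
    (root / "shared" / "finance" / "weekly_sales.xlsx").write_bytes(b"PK-stub-1")
    (root / "shared" / "finance" / "forecast_model.xlsm").write_bytes(b"PK-stub-2")
    (root / "shared" / "analytics").mkdir(parents=True)
    (root / "shared" / "analytics" / "load_ledger.sql").write_text("SELECT 1;")
    (root / "desktops" / "alice").mkdir(parents=True)
    (root / "desktops" / "alice" / "regulatory_return.xlsx").write_bytes(b"PK-stub-3")
    (root / "desktops" / "alice" / "notes.txt").write_text("not an EUC")


def demo() -> tuple[dict, dict]:
    """Baseline the constructed estate, simulate an uncontrolled edit, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_sample_estate(root)
        shared = (root / "shared").resolve()
        before = build_inventory(root, shared)
        # An edit made outside any change process: the fingerprint must move.
        (root / "shared" / "finance" / "forecast_model.xlsm").write_bytes(b"PK-stub-2-edited")
        after = build_inventory(root, shared)
        return before, diff_inventory(before, after)


if __name__ == "__main__":
    inventory, delta = demo()
    for name, rec in sorted(inventory.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{rec['risk']:>2}  {name}  {'; '.join(rec['reasons'])}")
    print(json.dumps(delta, indent=2))
```

Run stand-alone, the script lists the four discovered models ranked by score (the macro-enabled forecast workbook ranks highest, and the regulatory return found on a desktop is flagged for sitting outside the shared location) and then reports the edited workbook as "changed". In practice the baseline inventory would be written to a store that model owners cannot edit, and the diff would be run on a schedule so that undocumented changes surface for review rather than being discovered during an audit.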
If implemented effectively, such a framework can mitigate risk across all reporting and analytics that rely on manual processes. As businesses expand and become more complex, it can ensure that any new ad-hoc EUCs created in the future are also developed using clear best practices that have been customized and tested to meet the unique needs of the business.