Lowering Your Spreadsheet Risk With An EUC Audit
Spreadsheets, as well as other End User Computing applications (EUCs), are vital to the everyday running of companies worldwide, with tasks ranging from financial monitoring to operational systems and beyond. They allow users to build applications to improve work processes by automating the gathering, sorting, filtering and analysis of data.
Despite the huge value they bring to companies, the importance of EUCs is often overlooked. This creates concerning situations where one error in these processes can have a dramatic impact on a company. Indeed, it is widely accepted that spreadsheets will contain errors. This acceptance is a form of complacency that often arises because an organization has been lucky up to this point: it has not had any material repercussions from the errors within its systems. However, this ignorance can easily come crashing down when a company’s luck runs out.
As the complexity of EUCs increases, the chance of error also rises. A recent industry study by Raymond Panko highlighted the alarming fact that 90% of spreadsheets with more than 150 rows will contain errors. Firms’ EUC estates are constantly growing, and with them the amount of financial and operational risk is also increasing.
With this knowledge, the question then becomes: how can managers, and the people within organizations whose job it is to mitigate risk, do so effectively? The way businesses have responded to EUC risks has been broad and varied, ranging from complete ignorance to large, completely devoted educational and analysis teams, and even to banning the use of EUCs entirely.
How to conduct an EUC audit
Inventory
Create or gain access to an inventory. Management should already have one, particularly because businesses are required to have one to comply with SOX regulations. Organizations often build this in a spreadsheet; however, using a dedicated EUC inventory management system will help to automate the process.
Risk rank
Using a standard rating methodology, rank the EUCs. Factor in points like usage, financial impact and the complexity of equations. An EUC management solution with a risk check capability can assign a risk rating to an EUC to speed up the process of building the ranking.
Access and security
Who has access to the files? They may be stored on a shared network, so it’s important to know who has access to that location. Secondly, make sure password protection is enabled on high-value documents and that the people who need to access them know their secure passwords.
Input controls
What type of data is entered into the EUC? Work out whether the system for inputting this data is accurate. Further to this, review any conditions within the EUC, for example, whether only text can be entered into text fields.
Calculations and formulas
What formulas are used? Recalculate these separately from the application to assess their accuracy.
Outputs
Are there reports generated from the application? If so, double-check the calculations within them. Who is supposed to receive this information? Check the distribution list and ensure the right people get the information.
Change & version control
How can changes to the application be tracked, ensuring the most up-to-date version is being used? There are various solutions that can monitor and highlight the changes to EUCs from version to version. These changes can then be tested and approved as necessary.
EUC management
Conducting an effective EUC audit is a vital skill for lowering risk. In terms of continued management, there is also a lot that can be done to minimize the threat to your organization. Below we outline the management strategies you should employ to keep your data and processes safe.
Allocate a shared location
It should be mandatory that business-critical EUCs are all saved in at least one defined shared location. Depending on who needs access and whether there are different teams from different departments, the location could be either at a departmental level or horizontal.
Documentation should be easy and hassle free
Create standard documents and templates, then insert them directly into users’ work processes. Placing risk management requirements in front of users, in the applications they work with every day, makes it difficult for them to forget their responsibility for mitigating risk.
Gather quantifiable evidence
By having objective, quantifiable data, you can evaluate each EUC side by side, gaining an understanding of the levels of risk within different areas of the organization. To begin with, one way forward would be to analyse the complexity of files. Are there a lot of sheets? How many links to other sources are there? A secondary tactic is to ask users a set of questions about the EUCs they operate. For example, ‘Does this data form reports for external parties?’ or ‘Is there any personal and sensitive information contained within?’
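As an added illustration (not from the original article or any vendor product), the Python sketch below collects the complexity measures named above from an .xlsx package and combines them with questionnaire answers into the kind of ranking described under "Risk rank". The weights, the answer keys `external_reporting` and `personal_data`, and the sample workbooks are assumptions made for this example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

def workbook_metrics(xlsx_bytes):
    """Count worksheets, formula cells, external links and unprotected sheets."""
    m = {"sheets": 0, "formulas": 0, "external_links": 0, "unprotected_sheets": 0}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                # For workbooks of unknown origin, use a hardened parser such as defusedxml.
                root = ET.fromstring(z.read(name))
                m["sheets"] += 1
                m["formulas"] += sum(1 for _ in root.iter(f"{{{NS}}}f"))
                if root.find(f"{{{NS}}}sheetProtection") is None:
                    m["unprotected_sheets"] += 1
            elif re.fullmatch(r"xl/externalLinks/[^/]+\.xml", name):
                m["external_links"] += 1
    return m

def risk_score(metrics, answers):
    """Hypothetical weights: replace with your own rating methodology."""
    score = min(metrics["sheets"], 10) + min(metrics["formulas"] // 50, 10)
    score += 3 * min(metrics["external_links"], 5)
    score += 2 * min(metrics["unprotected_sheets"], 5)
    return score + 10 * sum(bool(v) for v in answers.values())

def rank(inventory):
    """inventory maps name -> (xlsx_bytes, answers); highest risk first."""
    return sorted(((n, risk_score(workbook_metrics(b), a)) for n, (b, a) in inventory.items()),
                  key=lambda t: t[1], reverse=True)

def build_sample(n_sheets, n_formulas, n_links, protect=False):
    """Constructed package holding only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i in range(n_sheets):
            cells = "".join(f"<c><f>B{r}*2</f></c>" for r in range(1, n_formulas + 1))
            prot = '<sheetProtection sheet="1"/>' if protect else ""
            body = f'<worksheet xmlns="{NS}"><sheetData><row>{cells}</row></sheetData>{prot}</worksheet>'
            z.writestr(f"xl/worksheets/sheet{i + 1}.xml", body)
        for i in range(n_links):
            z.writestr(f"xl/externalLinks/externalLink{i + 1}.xml", f'<externalLink xmlns="{NS}"/>')
    return buf.getvalue()

# Constructed inventory; answers mirror the questionnaire examples in the text.
INVENTORY = {
    "pricing_model.xlsx": (build_sample(4, 120, 2), {"external_reporting": True, "personal_data": False}),
    "team_rota.xlsx": (build_sample(1, 5, 0, protect=True), {"external_reporting": False, "personal_data": True}),
}
```

Calling `rank(INVENTORY)` returns the workbooks with the highest score first. A workbook encrypted with a password to open is stored in an OLE container rather than a ZIP, so a `zipfile.BadZipFile` error on an `.xlsx` file should be recorded as "encrypted or not a workbook" rather than scored.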
Make the most of existing technology
There are a number of solutions that can help you to gather this evidence, as well as improving your overall EUC management. However, in the meantime, there are some simple and easy steps you can take to mitigate risk immediately:
- Encryption – one of the benefits of storing all EUCs in a specified drive is that the drive can then be encrypted. This adds a further layer of protection if primary security measures are compromised.
- Scanning – easily identify EUCs with scanning technology. This can also help to create risk assessments by reading and noting the specific criticality criteria.
- Data loss prevention – DLP helps to prevent sensitive data within sheets from accidentally leaving the company through media such as emails.
Automate management
Despite the most stringent of procedures, even the most diligent employees can make mistakes. As the complexity of spreadsheets increases, the chance of human error does, too. This is also the case for the employees whose job it is to manage risk within the business. Because of this, automating tasks can deliver huge progress in optimizing your EUC management.