Jeremy Condie Blog Post Header
Jeremy Condie Blog Post Header

8 Key Steps For a Successful EUC Control Project

Jeremy Condie |

It is a rare organization that doesn’t rely on important End User Computing (EUC) applications and technologies that are unknown to their IT departments.

These applications are also often called “Shadow IT.” They exist because business users decide to build their own widgets for a host of reasons including rapid prototyping, capturing a market opportunity, and maintaining control; i.e. not divulging their own knowledge, et cetera.

So appreciating the risk that these end user-developed applications actually pose is Step #1. And truthfully? It often takes a regulator or auditor to bring this to management’s attention.

But where to start? Few organizations have ever thought to tackle this before, so they lack the knowledge or experience to even ask the right questions, let alone implement a solution.

GRC Summit On-Demand Video

The key steps in EUC control

Based on our own two decades’ experience helping organizations think through and implement sustainable end-user application risk and control solutions, we can safely say these are the basic steps to follow in implementing an EUC control project:

Clarify what the organization is attempting to achieve

This could be as general as “any employee who develops an application that will be used at least once a year.” Or it could be quite specific such as “any spreadsheet used in financial and regulatory reporting.”

 Build a sustainable inventory

It is at this stage that organizations deliberate over the merits of asking users to self-report, or whether to use scanning to identify key applications. Experience shows that self-reporting is the better starting point. Users know their important applications and why they developed them in the first place. However, technical scanning can be used to help verify that nothing was overlooked. Automated workflows can then poll the users to reattest that nothing has changed since their last attestation. And, again, judicious scanning can help spot anything missed.

Risk-assess files for their relative importance

At this stage the inventory can easily be several hundred, if not thousands of applications. Treating them all equally could be an unnecessary resource drain because not all are doing equally important work. So tiering them helps. As examples: Tier 1 need close monitoring, Tier 3 only occasional reviews.

Ensure your high-risk applications are working as intended

Best practice would suggest that organizations focus on their Tier 1 applications and to check that each is working as intended. It may come as a surprise, considered these are developed by end users, to hear that many are passed around the organization and used by people who really have no idea how the spreadsheet or application actually works. So mistakes can easily be added by even the most well-intentioned employees.

Once checked and approved, record material changes

Once an application has been checked, it really makes sense to monitor that no one has changed it after it was passed back to the business. So any material change needs to be recorded, explained and approved, otherwise unknown risks are being reintroduced into the business.

Keep backup of these key files, otherwise called versions

These are important if there is a need to backtrack and determine why a change was made, or what data formed the basis of some analysis.

Record any important issues and their resolution

Despite ensuring an application is working correctly, there may still be mistakes made such as entering incorrect data, or using an assumption that didn’t pan out. Recording these “issues,” along with whatever the resolution proves to be, is ideal.

Decommission and replace with core systems

And lastly, each EUC application should have a planned end-of-life. If the application isn’t doing anything too important, its value will likely decline over time and fade away. And anything used consistently ought to be replaced with a proper core system. Either way, EUCs should have a limited shelf life. and be replaced with proper core systems

While much of this may seem obvious, many organizations struggle to implement these sensible controls. Perhaps there is the fear of the unknown, or the scale of the problem is simply unknown, or both.

Fortunately, with ClusterSeven, you can avail yourself of both a software solution and the client support you can leverage to manage the full lifecycle of any EUC. Please contact us for further details and a demonstration.

EUCs should have a limited shelf life and be replaced with proper core systems. Click To Tweet