OCC Steps Up Scrutiny of EUCs at Financial Institutions
EUCs – End User Computing applications – have hit the headlines again, after the US Office of the Comptroller of the Currency (OCC) levied a $400 million fine on an American-based bank. It found issues in the institution’s risk management and regulatory reporting practices, where EUCs featured heavily.
EUCs – applications developed and supported by end-users, rather than the corporate IT function – are hugely powerful and very popular, often being the go-to application to address a host of business issues swiftly. Excel spreadsheets are by far the most popular EUC applications, but other applications that use SAS, Python, or MATLAB can be seen in the same way.
A dangerous lack of transparency
While these applications offer great flexibility to end-users, the lack of controls usually found in Corporate IT applications means they lack the transparency and auditability that regulators (and customers and management for that matter) demand in effective risk governance.
When using a spreadsheet, it is unclear who changed a formula or cell entry, who reviewed it, and who approved it. At banks, it is not unusual to manage billions of dollars of investments using highly complex spreadsheets. They will feature millions of cells fed from multiple data sources. Manually capturing, approving, and reporting changes to these spreadsheets for risk management and audit purposes is beyond the abilities of end-users, risk managers, and compliance teams.
Policy management, enforcement, and reporting are an extra challenge for compliance teams where staff use EUCs. While policies around using, updating, and retiring EUCs will undoubtedly exist, identifying who is using EUCs and ensuring they are aware of the EUC policy and are applying it is an enormous challenge.
Weighing in on an enormous challenge
From my perspective, managing EUCs is not new; we have been involved in projects for over 15 years. All the institutions we engage with understand the need to manage their EUCs. The challenge lies in keeping tabs on where they are used, and working proactively with users to understand the value of the EUCs, and the risks they pose to the business. Then you can work with end-users to manage them properly and ensure they are ‘in policy.’
Ian Cleaver, VP Professional Services at Mitratech, outlines the approach he recommends to clients when implementing Mitratech’s EUC management solution. “The first step is to identify your most important EUCs, and then to create an inventory of them, so you can proactively monitor them. You can also benefit from using an alerting capability to show when changes are made and where missing data, calculation errors, or other problems could drive issues for an institution.
“The results of this activity can be integrated into a consolidated Governance, Risk, and Compliance (GRC) framework to provide transparency of the EUC risk to the business,” he explains. “When I used the platform at a global bank, we ensured that the EUC management reports were featured in the monthly Board meeting – very much belt and braces, but it worked. We had no issues.”
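One way to implement the inventory, change-monitoring and alerting steps described above, as an added example that is not Mitratech’s or ClusterSeven’s code: a spreadsheet is modelled as a cell-to-value dict, fingerprinted for the inventory, diffed against the inventory baseline, and checked for Excel error literals and empty required inputs. The sheets, the owner name and the list of required input cells are constructed for the example.

```python
"""EUC inventory check: fingerprint a spreadsheet snapshot, diff it against the
inventory baseline, and flag calculation errors and missing data (constructed data)."""
import hashlib
import json

# Excel error literals that indicate a broken calculation somewhere in the sheet.
CALC_ERRORS = {"#REF!", "#DIV/0!", "#VALUE!", "#NAME?", "#N/A", "#NUM!"}

def fingerprint(sheet):
    """Stable SHA-256 over canonical JSON, so any formula or value change is detected."""
    canon = json.dumps(sheet, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def diff_cells(baseline, current):
    """Return {cell: (old, new)} for every added, removed or changed cell."""
    changes = {}
    for cell in set(baseline) | set(current):
        old, new = baseline.get(cell), current.get(cell)
        if old != new:
            changes[cell] = (old, new)
    return changes

def check_sheet(sheet, required_inputs):
    """Alert on calculation errors and on required input cells that are empty."""
    alerts = []
    for cell, value in sorted(sheet.items()):
        if isinstance(value, str) and value.strip() in CALC_ERRORS:
            alerts.append(f"{cell}: calculation error {value.strip()}")
    for cell in required_inputs:
        if sheet.get(cell) in (None, ""):
            alerts.append(f"{cell}: required input missing")
    return alerts

# Constructed baseline as recorded in the EUC inventory, and a later snapshot of the file.
BASELINE = {"A1": "Notional", "B1": 1000000, "A2": "Rate", "B2": 0.05,
            "A3": "Exposure", "B3": "=B1*B2"}
SNAPSHOT = {"A1": "Notional", "B1": 1000000, "A2": "Rate", "B2": "",
            "A3": "Exposure", "B3": "=B1*B2", "B4": "#DIV/0!"}
INVENTORY = {"owner": "treasury-desk", "fingerprint": fingerprint(BASELINE)}

def review(snapshot, inventory, baseline, required_inputs=("B1", "B2")):
    """One monitoring pass: returns (changed since inventory?, cell diff, alerts)."""
    changed = fingerprint(snapshot) != inventory["fingerprint"]
    return changed, diff_cells(baseline, snapshot), check_sheet(snapshot, required_inputs)

if __name__ == "__main__":
    changed, changes, alerts = review(SNAPSHOT, INVENTORY, BASELINE)
    print("changed since baseline:", changed, changes)
    print("alerts:", alerts)
```

In practice the fingerprint and owner would be stored per file in the inventory and the review run on a schedule, with the alerts feeding the GRC reporting described above.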
Manage your Shadow IT spreadsheets
With ClusterSeven, take control of the End User Computing assets hidden across your enterprise that can create hidden risk.