Applications that are owned outside of IT governance, commonly known as EUCs (End User Computing), often form part of core business processes in the shape of spreadsheets, databases and custom-developed software. The proliferation of these applications over time can significantly increase the risk profile of an organisation if not effectively managed. Where EUCs are used in financial processing and reporting, these risks can have severe consequences if they materialise. These may include accounting errors, regulatory fines, damage to reputation and impact on share price.
In this article, we explore how technology can be applied to discover, manage, monitor and decommission EUCs.
1. Understanding the EUC landscape through scanning technologies
Today, organisations want to encourage self-serve solutions, empowering employees to be analytical and foster innovation. Doing so while maintaining the required rigour and control in EUC development can be challenging.
Collating information on an organisation’s EUC landscape is typically a resource-intensive exercise that involves categorising and confirming the validity of what exists within a given business function. With EUCs constantly evolving, a point-in-time exercise can quickly become out of date. Using technology to scan file drives, calibrated for EUC criteria, can significantly speed up this process by identifying potential EUCs that are not formally categorised, as well as validating the list of EUCs in catalogues.
2. Implementing a structured EUC inventory and applying automated governance
Using a structured database to store details associated with an EUC enables an organisation’s EUC policy to be built into the technology platform. Having a strongly governed inventory allows management information to be generated for clear reporting on the EUC risk profile, with corresponding key performance indicators such as progress against decommissioning targets.
In addition to reporting, the information captured about an EUC can be used to automate governance processes. Examples include workflow processes that email the owner of an EUC to confirm that it aligns with the organisation’s policy, notifications when someone assigned to an EUC leaves the company, and alerts when high-risk items are added.
3. Embedding ongoing monitoring and review processes
Having invested in classifying and controlling the state of EUCs, the ability to manage change becomes paramount to realising the benefits of that investment over time. Traditional change logs that rely on human intervention are prone to errors and swiftly become out of date. A technology solution that provides granular audit trails of changes, applying the ‘built in governance’, removes the reliance on manual logs.
Where EUCs are used in critical business processes, understanding who is making changes, when those changes were made and what those changes were becomes an intrinsic part of the control environment. Many ERP systems provide the majority of what an organisation is required to report, but typically there are ‘final mile reporting’ steps to export/adjust/format the data to be used in board reports, investor packs or senior management MI. Using technology to apply that governance between the core ERP platforms can significantly reduce the risk of error.
Forming a strategic approach to EUC management
Whilst organisations seek to minimise their EUC footprint, applications working outside of IT governance will continue to exist as businesses evolve to meet changing demands. Recognising this, here are some key questions for consideration when assessing a strategic approach to EUC management:
- Do you have a clearly defined and consistently used EUC Policy?
- Do you have established controls for the development and maintenance of EUCs?
- Have you got a technology-enabled EUC inventory to provide you with a single version of the truth rather than a manual spreadsheet-based catalogue?
- Is there a mechanism in place to perform EUC attestation to inform EUC compliance?
- Is there an automated workflow process in place to support the review and approval of any critical EUC changes?
- Are processes defined to facilitate ongoing EUC monitoring and testing of EUC adherence to policy?
To discuss any of the points above or find out how you can better manage EUC risks in your organisation, please reach out to Michael Storey.