Everything You Need To Know About End-User Computing — EUC & EUDAs
End-user computing is a broad term, so we break down what it is, why you should care, and how you can start improving governance and controls today.
End-user computing applications (EUCs) are computer systems and platforms built and maintained by businesses to allow employees, typically non-programmers, to create working computer applications. This article explains what EUCs are, why a failure to govern them can lead to operational deficiency, and what businesses can do to manage EUC risk within their organisation.
What Is End-User Computing?
End-user computing applications are often built, managed, and maintained by end-users and fall outside the remit of the IT department. Under this broad definition, all computing done with no relation to IT or development teams could be considered EUCs.
End-user computing is known by other abbreviated terms. However, they all refer to the same thing. For example, some firms will refer to EUCs as:
- UDAs: User Developed Applications
- EUD or EUDAs: End User Developed Applications
- EUAs: End-User Applications
EUCs can be used to calculate data, store data or create applications. End-user computing applications include Access databases, SQL queries, Python, and Matlab. Microsoft Excel spreadsheets often make up more than 90% of an organisation's EUC inventory, particularly within financial services. With the increasing adoption of no-code applications, these applications are often categorised within the family of EUCs.
Why Are EUCs So Prolific Within Modern Organisations?
End-user computing applications are familiar and flexible and therefore dominate many workplaces. Most people know how to navigate their way around a spreadsheet. When core systems do not provide data in the ideal format, the export to Microsoft Excel functionality quickly enables end-users to complete the last mile of data manipulation and reporting.
EUCs often start as tactical solutions to fill a business need and deliver on a requirement not yet covered by a core system. Over time, an organisation can become increasingly dependent on individual EUCs, using them in day-to-day operations and longer-term decision-making — and they quickly become irreplaceable.
Spreadsheets that have become overly complex or mission-critical for day-to-day operations can carry a significant operational risk for companies operating without adequate governance and control. Regulators have started to become more explicit about the need for organisations to have greater control over EUCs and spreadsheets. This was highlighted in a recent letter to CEOs of financial institutions where the Bank of England's Prudential Regulatory Authority (PRA) outlined how organisations should prioritise implementing governance and controls for EUCs.
The Advantages Of EUCs
Traditionally, the needs of the business and end-users have outpaced the speed at which technology departments can deliver dedicated reporting systems. This lag decreases as organisations update their technology stacks and leverage newer, more agile technologies. There will always be a need for end-users to have the ability to manually shuffle and manipulate data or prototype new ideas and requirements. End-user computing applications like spreadsheets or Software as a Service (SaaS) applications are an ideal tool for this.
End-user applications are also becoming more powerful. For example, Microsoft recently announced the release of LAMBDA, allowing users to define new functions written in Excel’s formula language. Microsoft has also released the ability to co-author spreadsheets, making them the ideal end-user tool for collaborating on datasets with colleagues. It’s clear EUCs are here to stay, and we have to learn to manage their usage safely and in line with operational resilience and compliance requirements.
The Risks Of EUCs
In a corporate setting, the word EUC is often accompanied by risk. The problem isn’t with the software applications themselves, but it’s related to the way end-users create digital assets and how those assets are governed and maintained.
There is a broad spectrum of end-user ability and discipline for EUCs like spreadsheets. Some end-users will build spreadsheet models in line with widely adopted best practices. Doing so enables other users who want to use or audit the spreadsheet application to understand the purpose of the application and how to operate it. Sometimes end-users don't do this due to a lack of awareness, training, time or discipline, which can materialise into hidden operational risks.
The starting point with EUC risk involves keeping an inventory and audit trail of the EUCs in the company and managing the processes they support within the organisation. Therefore, everything related to the EUC should be thoroughly tested and documented.
Maintaining Operational Resilience
Unlike traditional applications built and managed by IT professionals, EUCs are not monitored or controlled to the same degree within the organisation. The volume and agile/iterative nature of end-user computing applications make them potentially risky, and maintaining good governance and controls around them is a challenge for organisations because they are attempting to manage a constantly moving target.
Business requirements are often set at a senior level and delegated down to individual end-users responsible for building and using EUCs to deliver on the requests. As the number of tasks increases, the number of EUCs can increase and end-users often end up building files in isolation. Then, as workloads increase and the level of delegation increases, visibility and awareness decrease over the end-to-end process. With thousands of requests within an organisation, EUCs are relied upon to varying degrees, so it becomes difficult to know where there is exposure to operational risk.
In our experience working with financial institutions, it is not uncommon for organisations to have huge volumes of spreadsheets, sometimes millions within one organisation. Where internal governance and controls have been established, EUCs will typically be registered within an inventory by end-users once a file is deemed to be business-critical or significant. This approach has its own risks because it requires the end-user to understand the meaning of “business critical” and creates friction by adding manual work to their already busy day. This means that even after establishing a governance and controls process, organisations can still be exposed to risk.
Furthermore, two EUCs are rarely alike. Each will change and evolve as the business requests change and as users make changes. Each may contain a high level of detail, and maintaining visibility over each file and understanding the potential risks becomes an arduous task. Discovery and analysis alone is a highly resource-intensive task. Deciphering what is or isn’t critical creates a lot of manual work unless you use automated tools - this is one of the reasons Workscope has built an automated solution.
Does this mean that EUC’s are bad? We don’t think so. If anything, we believe they will remain a firm fixture embedded within business operations because of their convenience, flexibility, and adaptability.
Understanding End-User Computer Risk
The data produced by EUCs, such as financial statements or internal management reports, is often critical because it is used to steer decision-making activities. The applications can house confidential and crucial data and can contain highly complex calculations, making files difficult to audit and quality check. They can often contain thousands of lines of VBA code and data taken from multiple sources and systems. Without adequate documentation, it is often difficult to understand how a workbook is designed to work. As files get passed around the organisation different versions of the same file emerge and the most active users of each file are not necessarily the people who built the file in the first place. A lack of visibility and control over these scenarios can lead to potentially devastating errors. With the uptake in remote and more flexible working, the workforce is becoming more fragmented and siloed. The result is a lack of visibility on EUCs being built outside of the view of managers and IT. At the same time, EUC technologies are becoming more powerful, easier to use and more convenient for the average end-user, which increases the uptake even more.
The Propensity For Errors
Human errors such as data-entry-input errors, spreadsheet-logic mistakes, or broken links to external data sources can impact a spreadsheet's overall integrity and accuracy. In June 2016, Tim Harford published a substantive article on the tyranny of spreadsheets. This Financial Times article makes exciting reading for anyone not yet fully versed on the subject.
Other Common EUC Governance Challenges
Poor Change and Version Controls
Spreadsheets and other EUCs can be challenging to control and monitor. Most users have low visibility into deliberate and accidental changes made to spreadsheets by other users, and even when there are change control policies in place, they are hard to enforce.
Files with inadequate documentation can lead to unintended consequences if users rely on files they did not build and therefore do not have a complete understanding of.
Challenges with the audit and review process
End-user computing applications contain a high level of detail that changes over time. Performing a full audit and review of a file can be time-consuming, especially for someone who has not built or regularly used the file.
End-user computing applications often do not live in isolation as they consume data from external sources such as third-party data providers, databases, and other critical spreadsheets. Keeping tabs on the consumption of data is challenging, and a lack of visibility on end-to-end data lineage means that the impact of updating or removing one spreadsheet may be unknown until after it happens.
In most companies, spreadsheets are ubiquitously used, and so the volume and complexity of EUC’s is constantly changing. Therefore, unless you have an automated monitoring solution, it isn't easy to assess an organisation's dependency on spreadsheets at any given time. Furthermore, it is difficult to understand which files are used in mission-critical business operations or which files are potentially risky for the organisation. The only way to fully assess the risk is to maintain a complete inventory and constantly analyse files and their associated usage.
Real-World Examples Of Inadequate EUC Management
EUC risks can have severe consequences and a negative business impact, including financial losses, stock value losses, fraud exposure, reputation loss, regulatory fines, and penalties for non-compliance. Chartis previously estimated that the total EUC risk value for the fifty largest financial institutions equates to $12 billion, therefore, it’s easy to imagine how the repercussions of inadequate EUC management can be financially and reputationally devastating to businesses.
A few of the most well-publicised incidents of EUC programs impacting the bottom line include:
- A spreadsheet error led to nearly 16,000 coronavirus cases going unreported in England when developers uploaded an old file format instead of the CSV file format used by laboratories.
- The National Treasury Management Agency lost an investment of nearly €750,000 due to a data capturing error. The Public Accounts Committee later questioned the agency about the control weakness in their processes.
- An American multinational investment bank and financial services holding company’s London Whale Disaster led to losses of $6 billion. The culprit was a simple copy and paste error in the value at risk model.
- An outsourcing company lost £4.3 million in profits and suffered a share price drop due to a spreadsheet error in a pension fund deficit caused by an outside firm of actuaries.
- When a large bank bought Lehman Brothers assets in 2008, someone hid more than 179 contracts in an Excel document. Noone checked the file, and the bank bought the unwanted assets and had to suffer the losses.
The European Spreadsheet Risks Interest Group does extensive research on real-world examples of inadequate EUC management that have resulted in financial loss, reputational damage, or regulatory action.
Governing EUC Applications
Regulations that impact governance and controls of internal processes, which would therefore impact EUCs, are already well established, particularly within the financial services sector. Sarbanes-Oxley Act (SOX) has already been in place in the US for some time to set new auditor standards for the complete and accurate handling of financial reports.
In 2021, The Department of Business, Energy, and Industrial Strategy (BEIS) issued a white paper warning that companies should improve their internal controls. As a result, we are now expecting a UK version of SOX which will require organisations to start preparing now to avoid penalties in the future.
In a Q4 2021 letter to industry CEO’s, The Bank of England's PRA warned banks and building societies to be more vigilant with their regulatory reports and explicitly highlighted a lack of EUC and spreadsheet controls as a risk.
How To Manage And Mitigate EUC Risks
Organisations should implement a formal program to address and mitigate EUC risk management and ensure integrity across the complete inventory of files. Technology-enabled governance and risk management programs can support this goal by saving time identifying and remediating issues and therefore reducing the probability of operational deficiencies. An example of how organisations can start managing EUC risk is outlined below.
Discover a complete inventory of EUCs
Establish a complete inventory of EUC files and gather metrics that enable you to assess the complexity and risk associated with each one. For example, spreadsheets that contain significant amounts of VBA, or spreadsheets and are reliant on data connections to external sources like databases could be riskier than those used for more straightforward calculations and record keeping.
Determine Criticality and Significance
Not all spreadsheets are created equal. In order to prioritise which EUCs to focus on first, evaluate the quantitative and qualitative risks associated with each one. For example, files that are used regularly by many users as part of a financial reporting process that are connected to unsanctioned databases may represent a higher risk when compared to a simple file that is used infrequently by one user. Where remediation needs to take place, ensure that you have a mechanism to know who is responsible and who else within the organisation will be impacted by any change. When businesses use automated tools, like Workscope, they can gather metrics automatically, surface the most significant operational risks, and maintain transparency across the associated business impact.
The use of EUC’s is a constantly evolving, moving target where new files get created, and non-critical files evolve and eventually become mission-critical. Once a company has visibility over their inventory they should maintain continuous governance and controls over the evolving inventory and take action when risks materialise.
How WorkScope Can Help
It is simply impossible to manually map and manage EUC usage within the average organisation at the level of detail required to achieve accurate visibility, insights and control. Fortunately, technology tools like Workscope can support automation that helps with discovery, ongoing inventory management, data lineage, file/usage analysis and risk assessment of EUC applications in a cost-effective, reliable way. If you have any questions on how to get started, contact us today!