Spreadsheets and other end-user controlled applications (EUCs) are core elements in most companies’ financial reporting and operational processes. What is alarming is that one inadvertent error in these critical files can have material consequences.
Although EUC risk is very real, it has become readily accepted – but it shouldn’t be. Organisations may think that because nothing material has happened so far, they should be just fine. However, complexity is on the increase, and studies show that 90 per cent of spreadsheets with 150 or more rows contain errors, according to well-known research by Raymond Panko – “What we know about spreadsheet errors”. As we continue to put more computing power in the hands of end users, EUC risk will only grow.
So, what can risk managers do to begin reducing EUC risks – eliciting cooperation from the line of business and getting started when the ocean of EUCs is so large?
It may seem like an impossible challenge but there are five easy steps to getting started on managing EUC risk:
- Designate a shared location. Make it a requirement that critical EUCs are stored in one or more designated shared networked locations. This could be done at a departmental level or horizontally, based on a particular process that spans cross-functional teams.
- Make documentation easy. Create baseline documentation standards and implement them directly into the users’ existing work process. For example, create a fill-in-the-blank questionnaire on the first page of each Excel spreadsheet for users to fill out. Keep it simple and quick to answer. By putting risk management requirements directly within Excel where the line of business works every day, it becomes very easy for users to fulfil their risk responsibilities.
- Strive for objective evidence. Move to a quantitative approach to criticality so that you can look at every EUC consistently and gain an evaluation of risk across the organisation. One option is to start simply by looking at a file’s complexity (e.g. how many sheets in a workbook? How many links to other sources? Are there any macros?). Another option is to start with a criticality self-assessment (see step two above). Ask users a defined set of questions about each EUC, e.g. is this spreadsheet used to report results to investors? Does it contain personally identifiable information?
- Leverage existing technology. Managing EUC risk doesn’t always mean buying new software. Partner with IT to use existing technology, for example:
  - Encryption – after storing high-risk EUCs in a designated drive (step one), the files can be encrypted. Then, even if the firewall is breached, the data in these files will remain protected.
  - Scanning – this technology can help create a simple identification of EUCs, and in addition help create a risk assessment by reading and recording specific criticality criteria (step three).
  - Data loss prevention – prevent sensitive data in high-risk spreadsheets and EUCs from leaving the company inadvertently via email by using data loss prevention (DLP) technology.
- Automate EUC risk management. It is essential to guarantee accuracy and maintain the integrity of critical EUCs. However, given the complexity of today’s spreadsheets, this is hard to do manually, even with the help of existing IT. Risk managers may want to find ways to improve productivity while further reducing EUC risk. Software is available that can help with:
  - Spreadsheet accuracy – an Excel plug-in can automatically check critical spreadsheets for all types of errors and data connection issues. The line of business will appreciate the time it saves them searching for spreadsheet errors, and they will be able to spend more time on strategic analysis – something today’s CFOs are demanding. These software applications are easy to install and use, and often far less expensive than enterprise software.
  - Self-governing EUC controls – preventive EUC risk management software can be used to implement controls on the most critical files, e.g. cell-level locking to prevent formula changes, enhanced password enforcement, or a 24/7 audit trail tracking objective evidence of file changes.
  - Lineage mapping – automated discovery, visualisation and diagnostics of up- and down-stream data sources to improve integrity of the data utilised by the most critical EUCs.
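The complexity criteria named in step three (sheets, links to other sources, macros) can be read straight from a workbook's package structure, which is the kind of scanning step four describes. The following is an added example, not code from the article or from any vendor tool; it uses only the Python standard library, the weights and size cap are assumptions to adapt to your own criticality policy, and the sample workbook is constructed inline.

```python
import io
import re
import zipfile

# Part names defined by the Office Open XML package layout (.xlsx / .xlsm).
SHEET = re.compile(r"^xl/worksheets/[^/]+\.xml$")
EXT_LINK = re.compile(r"^xl/externalLinks/[^/]+\.xml$")
MACROS = "xl/vbaProject.bin"
FORMULA = re.compile(rb"<f[ >/]")          # formula elements inside a sheet part
MAX_PART = 50 * 1024 * 1024                # assumed cap: skip oversized parts (zip bombs)
# Hypothetical weights for a simple, repeatable complexity score.
WEIGHTS = {"sheets": 2, "external_links": 10, "formulas": 1, "has_macros": 25}


def profile_workbook(data: bytes) -> dict:
    """Return objective complexity metrics for one workbook given as raw bytes."""
    metrics = {"sheets": 0, "external_links": 0, "formulas": 0, "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            if SHEET.match(name):
                metrics["sheets"] += 1
                if info.file_size <= MAX_PART:
                    metrics["formulas"] += len(FORMULA.findall(pkg.read(name)))
            elif EXT_LINK.match(name):
                metrics["external_links"] += 1   # one part per linked source workbook
            elif name == MACROS:
                metrics["has_macros"] = True     # VBA project present
    metrics["score"] = sum(WEIGHTS[k] * int(metrics[k]) for k in WEIGHTS)
    return metrics


def build_sample() -> bytes:
    """Constructed sample: a minimal package using .xlsm part names (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", "<sheetData><c><f>SUM(A1:A9)</f></c></sheetData>")
        z.writestr("xl/worksheets/sheet2.xml",
                   "<sheetData><c><f>[1]Rates!B2</f></c><c><f>A1*2</f></c></sheetData>")
        z.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")
        z.writestr(MACROS, b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(profile_workbook(build_sample()))
```

Run over every file in the designated shared location from step one, the same function gives a consistent ranking of which EUCs to review first.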
Remember, managing EUC risk is a journey. Pick a starting point and begin lowering your organisation’s EUC risks – some controls are better than none. As the work progresses, technology, especially automation tools, can dramatically close the resource gap and improve productivity in this endeavour.
The white paper ‘Taming the spreadsheet menace’ from CIMCON Software outlines everything risk managers need to know about EUC risk and how to control it.
Craig Hattabaugh is chief executive officer of CIMCON Software. CIMCON Software is an expert in spreadsheet accuracy and EUC self-governance. To find out more, visit www.cimcon.com