We’ve all been there – touched the wrong key on the keyboard and before you know it a formula has changed and suddenly the output of the equation is not what it should be. Or alternatively, the individual responsible for a particular spreadsheet has left the business without explaining to anyone how to access essential information. For most of us, the result of these actions can be dealt with quickly and easily, but for businesses it is not always so simple. For them, failure to effectively manage end-user computing (EUC), the act of non-programmers creating or altering working applications, can have catastrophic effects.
Take, for example, JP Morgan Chase. The failure of model risk controls, including EUC applications, cost the US’ largest bank US$6bn in trading losses and $1bn in regulatory fines[1]. Meanwhile, the lack of adequate safeguards and controls enabled a trader at AIB’s Allfirst Bank to hide a US$700m loss by substituting links in a company spreadsheet to his private manipulated spreadsheet[2]. These losses are not something to sniff at.
EUC tools provide benefits and create challenges
Using EUC tools has many benefits, including:
- allowing users to directly manage, control and manipulate data at speed, and
- enabling businesses to quickly deploy solutions in response to changing market and economic decisions, industry changes or evolving regulations.
They are, however, not subject to the same development process and testing as traditional applications. The very same attributes that make EUC tools an attractive prospect also make them challenging to manage and difficult to control. Left unmonitored, EUC tools can lead to:
- excessive operational risk,
- misstated financial statements due to simple data entry or calculation errors in spreadsheets,
- regulatory and compliance violations,
- loss of time due to cumbersome manual processes, and
- issues with data redundancy and version control.
At a time of heightened regulatory awareness and increased competition, these consequences are a great concern to many businesses.
There is currently no specific legislation governing EUC applications, but the use of such tools is referenced by several of the global regulators, including the UK’s Prudential Regulatory Authority (PRA), the Basel Committee on Banking Supervision and the US Federal Reserve.
The UK’s Prudential Regulatory Authority (PRA) states that: “Spreadsheet controls might include adequate testing for the process of extracting data from spreadsheets, and a formal control process just as for corporate IT systems.”
The Basel Committee on Banking Supervision describes dependence on manually intensive processes or end-user computing “without sufficient controls” as an example of “ineffective data architecture and IT infrastructure” and “a key gap” in a bank’s compliance. Meanwhile the Federal Reserve says that the risks associated with end-user computing and distributed processing systems “must be evaluated for each significant activity as well as for the overall organisation.”
While none of these regulators focuses specifically on EUC applications, the heightened awareness around regulation only emphasises the need for added controls.
Spreadsheet management applications
So, how should financial institutions be addressing these concerns and what can they do to take advantage of the opportunities EUC tools offer without putting the future of their business at risk? The answer is spreadsheet management applications, tools which not only help organisations take control of their business-critical information and reduce operational risk, but also improve their overall architecture.
One such example is EUC+, a customisable, cloud-based tool powered by Brickendon Digital, which provides one simple process to store, analyse and secure all spreadsheets and databases.
It saves organisations time, money and reputation.
Helps drive better business, IT and architectural decisions
Easy-to-use and customisable to each organisation’s specific needs, EUC+ can register, secure and validate end-user computing tools from a web browser, with no need for costly teams. It is cloud-based, easy to support and acts as a useful information tool in cases of staff changeover and regulatory compliance.
Implementing a spreadsheet management application such as EUC+ has a raft of benefits, including:
- reducing operational and key-person risk,
- increasing visibility and control over your data,
- removing errors in financial statements,
- generating an impenetrable audit of all versions and facilitating direct comparisons,
- cutting testing requirements and auditor fees,
- eradicating regulatory and compliance penalties,
- eliminating redevelopment work needed when people leave the organisation, and
- reducing the effort to remediate errors.
In short, to both embrace the benefits of EUC applications and mitigate the associated risks, the key is control. As discussed by the PRA in its report on Solvency II, spreadsheets and other end-user applications are a form of IT which is commonplace in all organisations and, as a result, they need to be under tight control, particularly where the content is material to the internal model data flow. In these situations, the PRA and other regulatory bodies will be looking for appropriate data quality controls, such as:
- reasonableness checks,
- input validations,
- peer reviews,
- systems environment configuration,
- logical access management,
- ongoing change controls,
- release management,
- disaster recovery, and
- documentation.
This is just one regulator’s take on the use of EUC. It is in fact a much bigger issue that needs to be considered by all organisations, even those outside of the financial services sector, if they are to survive with both their bottom line and reputation intact. EUC+ addresses all of the above issues and is here to help.
[2] Information security Updates
Contact us for more information on how EUC+ can help revolutionise your business: email info@eucplus.co or call +44 203 693 2605.