Whether organisations are preparing for UK SOx, getting ready for US listings or managing existing US SOx programmes, mapping risks and controls over process level end user computing (EUC) applications is one of the more complex challenges. An EUC is any application owned or operated outside of IT that is used to support financial and operational processes, business decision making and data processing.
EUCs are flexible and powerful tools, often used to work around weaknesses commonly found in core business processing applications. However, they can lack fundamental data and processing integrity controls, making them prone to errors.
The risks from even simple manual errors in filling in EUCs can be substantial. In 2017, research provider Chartis estimated that the EUC value at risk for the 50 largest financial institutions was over $12 billion.
Some of the main risks associated with EUCs stem from their flexibility and ease of use: that same flexibility makes it hard to detect changes to functionality or data. It is certainly harder to develop and document an effective control framework for EUCs governed by end users than it is for a typical IT system, where there is a clear separation between specification, development and testing.
Ultimately, a properly controlled environment for EUCs is needed. Organisations face the challenge of developing a clearly articulated and transparent control framework that doesn’t just manage the risks but can also assure sceptical stakeholders that the controls are reliable. A systematic and strategic approach to managing and mitigating EUC risks delivers standardised organisation wide controls and reduced reliance on key personnel and local administration.
Creating a robust controls framework for EUCs
Setting up a framework and monitoring EUCs can be a long and complex process. Our approach for implementing appropriate EUC controls has three key stages.
2. Design, implement and manage
The lifecycle includes scanning the network, creating an inventory, identifying business critical EUCs, mapping them, creating a framework and implementing controls. It’s also important to rationalise, replace and ensure ongoing monitoring of EUCs.
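The discovery and ongoing-monitoring steps of that lifecycle can be made concrete. The following is an added example, not KPMG's tooling or code from the original article: it walks a constructed file share, records a SHA-256 hash and basic metadata for each spreadsheet or database file, and reports additions, removals and content changes between two scans, which is the change detection that end-user-governed files otherwise lack. The set of file extensions treated as EUC candidates, the directory layout and the file contents are all assumptions made for the demonstration.

```python
"""Added example (not KPMG's tooling): a minimal EUC discovery and change-detection pass."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: file types that commonly host end user computing logic; extend per organisation.
EUC_EXTENSIONS = {".xlsx", ".xlsm", ".xlsb", ".xls", ".accdb", ".mdb", ".csv"}
# Macro-capable formats deserve closer review: logic can change without a visible formula edit.
MACRO_EXTENSIONS = {".xlsm", ".xlsb", ".xls", ".accdb", ".mdb"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large workbooks are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_euc_inventory(root: Path) -> dict:
    """Walk `root` and return {relative_path: record} for every EUC candidate found."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EUC_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        inventory[rel] = {
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
            "macro_capable": path.suffix.lower() in MACRO_EXTENSIONS,
            "owner": None,  # filled in during the business-criticality and ownership review
        }
    return inventory


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Compare two scans; a changed hash means the content or logic moved since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed share, take a baseline, edit a file, add a macro workbook, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # Constructed sample files: the bytes stand in for real workbook content.
        (root / "finance" / "revenue_model.xlsx").write_bytes(b"v1 workbook")
        (root / "finance" / "notes.txt").write_text("not an EUC candidate")
        baseline = scan_euc_inventory(root)

        # Simulate an uncontrolled edit and a new macro-enabled workbook appearing on the share.
        (root / "finance" / "revenue_model.xlsx").write_bytes(b"v2 workbook")
        (root / "finance" / "journal_tool.xlsm").write_bytes(b"macro workbook")
        current = scan_euc_inventory(root)

        return {
            "baseline": baseline,
            "current": current,
            "diff": diff_inventory(baseline, current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be persisted (for instance as JSON) and each scheduled scan diffed against it, with every entry in "added" or "changed" routed to the named owner for review before the output is relied on for a financial process.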
Find the right approach for your organisation
Organisations are at different levels of maturity when it comes to managing EUCs. Ideally, the aim would be to automate processes and controls with a purpose-built system. Such a system can help to provide boards and regulators with greater assurance over the controls in place, along with a stronger foundation for documentation, and in many cases a more cost-effective process over time. In cases where this systems-based approach is more expensive or time intensive, a tactical approach may be more suited.
Overall, the right approach, with an EUC controls and assurance framework, should be part of your plan as you prepare for UK SOx. The key questions to ask yourself as you get ready are:
- Which EUCs are relevant to financial processes in scope for UK SOx?
- How do you know that the EUCs you’re deploying are doing what they’re supposed to and how do you demonstrate this?
- How do you make sure your EUCs meet the standards for completeness, accuracy and appropriateness?
- Are outputs from EUCs, such as reports and analysis, used to support key decisions or expert judgements? How are those extracts controlled?
- Is ownership for EUCs clear and aligned to UK SOx process ownership?
- How do you build sustainable, long-term ways to manage EUC risks as part of UK SOx compliance and beyond?
UK SOx is coming, and organisations are reviewing their EUC frameworks in light of increasing regulatory expectations. While defining, implementing, and monitoring EUCs, your approach needs to be complemented with relevant expertise and technology. We bring together subject matter experts from technology risk, data, modelling, testing and finance transformation teams to deliver an end-to-end solution.
Listed, regulated and large privately-owned organisations have found our tried and tested approach helpful to set up a robust EUC control framework. Our alliances and partnerships with leading software providers add value at every point – from discovery and inventory to EUC management.
KPMG is helping a range of organisations get to grips with managing EUC risks for UK SOx implementation. To discuss any aspects related to EUC controls, feel free to reach out to me at Tejas.Mehta@KPMG.co.uk