Governance & Compliance for End User Computing (EUC)Print Version
A key objective of financial management is a clear line-of-sight from summary figures to the underlying data. This ensures that problems in the information supply chain are rapidly highlighted for remedial action. This requirement underpins the implementation of all financial software systems.
However, the business is under constant change due to many factors. These include market pressures (e.g. competition and new products), corporate evolution (e.g. strategy changes, mergers, acquisitions and disposals) and new regulations (e.g. Dodd Frank Act, Solvency II, Sarbanes Oxley and many others). Not surprisingly, it is almost impossible for central IT systems to keep up with business demands.
The result is a gap between the capabilities of information systems and the needs of the business. This gap is filled by Excel spreadsheets and MS Access® databases – known collectively as End User Computing (EUC) or end User Developed Applications (UDA). These act as additional operational applications until IT can replace them. However, limited IT resources mean that business critical EUCs often live in the organization for many months or years. Without visibility of their quality and activity, these applications will break the integrity of the information supply chain, no matter how much money has been invested in central robust solutions.
Unlike central applications, EUCs have rarely been thoroughly tested. They are also liable to error-prone manual changes. In the past, business has usually had enough time and staff to catch these mistakes before they caused financial and reputational losses. This is no longer true. Reporting timescales are shorter and more frequent, putting manual processes under more pressure. At the same time the need to cut costs has reduced staff numbers. Errors are now more likely to happen and less likely to be noticed until it is too late. Indeed, known errors in the market place dut to lack of control of spreadsheets have already reached $billions.
EUC and spreadsheet risk is an implicit, and increasingly explicit, part of most information regulations leading to increasing demands for electronic evidence of spreadsheet control and spreadsheet compliance, such as:
- Fed / OCC Model Risk Management Supervisory Guidance
- Sarbanes-Oxley (SOX) reporting for US listed firms
- Dodd Frank Act for financial institutions - including DFAST (Dodd Frank Act Stress Testing)
- 2013 COSO Framework
- CCAR (Comprehensive Capital Analysis and Review) for stress testing
- FAS 157 on fair value accounting
- Solvency II regarding capital adequacy for the insurance industry
- BCBS (Basel Committee for Banking Standards) on PERDA/PERDARR (Principles for Effective Risk Data Aggregation and Regulatory Reporting)
- FSA Handbook addressing risk management practices
- PCAOB for Audit Guidelines
- NAIC Model Audit Rules for the insurance industry
- HIPAA governing the privacy of personal information
As a result, the management of Excel spreadsheets and other EUC activity is receiving increasing focus within audit and risk management agendas. All the leading advisory firms have helped clients establish governance policies to meet the demands of both spreadsheet compliance and best practice. Successful implementation of these policies requires a fast, repeatable solution with a low administration overhead. Automated technology such as ClusterSeven is ideally suited to this spreadsheet control objective.Print Version
“…the auditors did not test controls over applications that processed financially significant transactions, including important manual spreadsheets.”PCAOB: AS No. 5 Report 21 Oct 2009
FSA [UK Financial Regulator], 2007
Problems have been identified with the flow of information from spreadsheets to risk systems, financial statements and regulatory computations. FINRA has observed instances where multiple departments within a firm use spreadsheets that lack controls to protect the integrity of the data when the spreadsheet moves among departments…..... Examiners will review the controls that are in place by firms to ensure the data integrity and completeness of spreadsheetsFINRA, 2010