I’m pleased to introduce the 2nd post in my EUC Best Practices Series. This one introduces the operational side of the equation. Although technology is required to mitigate EUC risk on a sustainable basis, having an operational model is also a critical success factor.
Why Your Organization Needs an EUC Control Policy
Putting technology aside, perhaps the most critical element to any EUC Control initiative is to first ensure that a corporate policy is in place to govern the lifecycle of critical spreadsheets, Access databases and EUCs. Without a corporate policy, there is no indication that mitigating EUC risk is important to the business, and no way to ensure the proper safeguards are in place. Mitigating EUC risk is as much about technology as it is about business process, so an EUC Control Policy is a must have for any successful project.
Who Gets Involved?
Typically, an EUC Control policy is created in collaboration with various business lines that develop, use, and monitor EUCs – the CFO or controller, managers in various lines of business, IT, and internal audit.
Manual vs. Automated Controls
It should be written to support the type of controls being put in place (i.e. manual vs. automated). For manual controls, keep in mind that users will likely be required to perform additional manual tasks to comply with the policy, and that there may breakdowns in the process over time. These additional tasks can include things like periodic verification of proper access controls, creation and maintenance of the EUC inventory, risk assessment, documentation of critical EUCs, documentation and sign-off of significant changes, manual archiving of old versions, and periodic validation of high risk models.
Spreadsheet and EUC Management Software can automate many of these tasks. Keep in mind that if automated controls are being implemented with the deployment of new software, then the policy should be written to support and leverage the new software. This approach will ensure sustainable controls are embedded into everyday business operations.
So what goes into an EUC Control Policy?
Key Elements of an EUC Control Policy
- Definition- A definition of EUCs along with some examples used within business lines (e.g. within finance examples may include account reconciliations, journal entries, financial statements, etc.).
- Categorization- Provide a taxonomy for users to identify and rank EUCs according to use (e.g. operational, financial, analytical) and risk levels (e.g. L1, L2, L3 or High, Medium, Low).
- Risk Assessment – Provide a methodology for determining what a risky spreadsheet is within your business. This can be based on a variety of criteria and factors, including complexity, financial significance (i.e. materiality), use, business process, regulatory process, or any number of criteria.Deloitte defines EUC risk based on Complexity and Materiality per the following example:
A simplistic approach is to consider only Complexity as a first pass. The following is a simple algorhithm and for scoring EUCs based on Complexity. As mentioned above, other risk factors may include financial significance, business impact/use, and whether an EUC contains sensitive data or not.
-
Control Requirements- Define the IT controls required for critical vs. non-critical EUCs. Controls recommended by leading tax and audit firms include: development lifecycle, segregation of duties, access control, documentation, change control, testing/diagnostics, version control, back-up and archival. A complete set of EUC controls and definitions can be found in the PwC white paper entitled The Use of Spreadsheets: Considerations for Section for 404 of the Sarbanes-Oxley Act. Again, if automated controls are being implemented, make sure the policy is written per software usage guidelines and users are required to leverage the software to satisfy control requirements.
-
Compliance Requirements- Define what the minimum requirements are to comply with the policy. For example, you may require business lines to ensure end users be trained on the new policy as well as any new control software, that business lines be required to inventory and risk rank their EUCs annually, and that business segments be required to comply within a 12 month timeframe.
-
Ownership – Define who is responsible for owning and maintaining the policy. This is a typically risk and control function.
-
Policy Review Schedule – Define how often the policy will be updated or revised.
-
Definitions- Be sure to define any new terms or acronyms like EUC, UDA, risk assessment, etc.
Remember, the goal of the EUC Control policy is to set the minimum standards for managing the lifecycle of EUCs within the organization to effectively mitigate risk, prevent fraud, and improve business processes, while enabling compliance.
Feel free to email me to request a sample EUC Control Policy that you can customize for your organization.
Good luck and let’s hear your comments!
Eric Perry
0 Responses to “EUC Best Practice #2: Implement an EUC Control Policy”