Almost every auditor has suspicions, if not first-hand knowledge that the spreadsheet and other EUC controls in their company aren’t effective. For some companies, EUC specific risk policy and controls may not even exist. Regardless, every organization uses spreadsheets. At a minimum, Accounting, Treasury, Tax and FP&A all use spreadsheets to some degree. Furthermore, the use of models for operational decision creates yet another area prone to excessive EUC risk. Putting Sarbanes-Oxley and other internal policy compliance aside, the primary objective is preventing errors. Reducing the likelihood of sensitive data loss is also critical. Reducing fraud in those tools that are under end user control (EUC) is a valid goal, but it’s typically not the top priority.
By far and away, the #1 EUC file type is spreadsheets. There are ubiquitous, almost every employee has Excel or Google Sheets and thus testing any controls can seem daunting. It needs people and the time to perform specific tasks and that costs money. In addition, there is a cultural inhibitor in that the talented, innovative employee who is driving the use of an end-user controlled application is often reluctant to have any type of oversight on their work. This is ironic given that they have a lot to lose if something goes wrong like a material error.
The solution lies in the use of technology to automate many of the historically manual processes used to implement and/or test EUC controls. CIMCON’s technology can enable you to identify the higher risk files and test controls at a macro level and if need be, test down at the individual file level.
Enabling more effective implementation and testing of EUC controls
-
Discovery technology finds the high risk files, determines quantity and where they’re stored.
-
Systematically identify weaknesses in the EUC files used in business critical processes
-
Automated data lineage visualizes the data dependencies in critical processes
-
Comprehensive diagnostic analysis for spreadsheet-based model validation
-
Automate the collection and reporting of file owner’s self-assessed risk criteria and attestations
-
Cloud-based inventory service automates the reporting of objective evidence
-
Make spreadsheet error checking and remediation tools available to file owners/power users