Everyone knows spreadsheets and other EUCs are risky. Although EUC risk is very real, it’s become routine and it’s readily accepted. It shouldn’t be! Learn 5 Steps to Stronger Spreadsheet & EUC Controls.
5 Steps to Better EUC Controls
Get Started Managing Spreadsheet Risks Today - it's easier than you think!
Everyone knows it: spreadsheets and other end-user computing (EUC) models and applications, meaning the files that business users build and maintain themselves outside of IT change control, are risky. Errors, data loss, and deliberate tampering or fraud are just a few of the risks.
The business owns the risk, but they’re somewhat numb to it. It’s kind of like the risk of driving a car – You know there’s high risk, but you’ve got to get from here to there. So you get in the car and drive.
Similarly, EUC risk is very real and it’s become routine & readily accepted. It shouldn’t be!
Hundreds of software companies preach the evils of Excel. But the solution isn’t to get rid of spreadsheets or other EUCs. Sure, some of them could or should be moved to more formally managed applications. However, it’s futile to try to eliminate all EUCs in an attempt to mitigate the risk, and realistically the business users would never stand for it.
So then, what can those of us who are responsible for information risk management and data governance do to help the line of business (LOB) reduce these EUC risks? How can we test the effectiveness of controls when there are literally millions of these end-user-controlled files? The ocean of EUCs is so large it’s difficult to imagine it can be controlled at all, never mind to see where to start. It seems like an impossible challenge.
It doesn’t have to be so hard! Here are 5 Steps to More Effective EUC Controls:
1) Designate a Shared Location. Require critical EUCs to be stored in one or more designated shared networked locations. This could be done at a department level, e.g., everyone in accounting or HR. Or it can be done horizontally based on a particular process that spans cross-functional teams.
2) Bake Controls into Users' Workflow. Have risk documentation standards that can easily be integrated into the users’ existing work process. A simple example: create a fill-in-the-blank cell on the first sheet of the workbook for the user to identify the “model owner.” By keeping the risk management task directly within Excel, where the line of business user already works, it’s easier for them to document, and it gives you greater confidence that the LOB will adhere to risk policy. Fixed, documented cell positions for these fields also let an automated scan (Step 4) read them back later.
3) Get Consistent & Quantitative. Move from subjective risk evaluation to consistent, quantitative methods. If you ask users which of their EUCs are most critical, you get subjective answers. Have objective metrics so you can calculate an objective score and a consistent evaluation of risk. There are two components that can enable an objective risk evaluation:
Define File Complexity, e.g., how many sheets, how many links to other spreadsheets or databases, how many formulas, whether it contains macros and how large they are, etc. These are properties that can be measured from the file itself.
Specify File Criticality. Ask users a defined set of questions about each file, e.g., Is this spreadsheet used to report results to investors? Does it contain personally identifiable information (PII)? Weight the answers so that each file receives a score rather than an opinion.
4) Scan for Compliance. Use technology to scan the shared drive(s) designated in Step 1 that house all your critical EUCs. You want the ability to identify every spreadsheet and EUC on that drive, and not just its simple file properties: the scanner should also read inside the file to perform an automated risk assessment based on the specific criteria defined in Step 3. A simple example is reading the file’s last-modified date to flag records retention policy violations (use the modification time rather than the last-accessed time: many file systems do not maintain access times reliably, and the scan itself can update them). Another example: scan to read attestation evidence and user input fields for each file and write the data to a database for future reporting.
5) Partner with IT for Information Security. Use “broader brush” technologies to protect data and help implement policy, e.g., encrypt everything on the shared drive designated in Step 1. For example, if you know that sensitive information is stored in EUCs, make sure those files are stored in one place and encrypt the entire drive. Be clear about what that buys you: drive-level encryption protects the data at rest, such as when a disk, laptop or backup is lost or stolen. It does not protect the files from an attacker who gets in through a compromised user account or a breached network perimeter, because a mounted share decrypts transparently for anyone with access. So pair the encryption with tight access permissions on the share and with monitoring of who reads the high-risk files. Your IT department probably already has access to this type of technology. Another example is data loss prevention (DLP) technology, which can detect and block end users sending sensitive information outside the corporate network, e.g., via email. This technology can be easily adapted to help prevent data leakage of high-risk EUCs.
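Steps 2 through 4 can be prototyped end to end without any vendor tooling. The following is an added example written for this page, not code from the article or from any product it mentions. It relies only on Python's standard library, because an .xlsx or .xlsm file is a ZIP archive of XML parts that can be read directly: it walks a designated folder (Step 1), reads the attestation cells from each workbook (Step 2), measures complexity from the file's own structure and combines it with the criticality answers into a score (Step 3), and returns the results sorted by risk (Step 4). The cell positions (model owner in B1, PII flag in B2, investor-reporting flag in B3 of the first sheet), the score weights, and the sample workbooks it builds in a temporary directory are all assumptions constructed for this example.

```python
"""Prototype EUC scanner: walk a shared location, read inside each workbook, score it.
Added example (not the page's tooling); standard library only, no Excel needed.
Assumed convention (not from the page): attestation fields live in column B of the
first sheet: B1 model owner, B2 contains PII (yes/no), B3 investor reporting (yes/no).
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + MAIN + "}"
PII_WEIGHT, INVESTOR_WEIGHT, NO_OWNER_PENALTY = 5, 5, 2   # illustrative policy weights

def _shared_strings(z):
    """Load xl/sharedStrings.xml (Excel stores most cell text there) if present."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(NS + "t")) for si in root.iter(NS + "si")]

def _cell_text(sheet, ref, shared):
    """Text of cell `ref` (e.g. 'B1'); handles shared-string and inline-string cells."""
    for c in sheet.iter(NS + "c"):
        if c.get("r") != ref:
            continue
        if c.get("t") == "s":                      # shared-string cell: <v> is an index
            v = c.find(NS + "v")
            return shared[int(v.text)].strip() if v is not None else ""
        t = c.find(NS + "is/" + NS + "t")          # inline-string cell
        return (t.text or "").strip() if t is not None else ""
    return ""

def assess_workbook(path):
    """Read inside one workbook; return complexity metrics, attestation fields and a score."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        sheets = len(list(ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet")))
        links = sum(1 for n in names if n.startswith("xl/externalLinks/externalLink"))
        macros = "xl/vbaProject.bin" in names      # VBA project part present => macro-enabled
        formulas = sum(1 for n in names if n.startswith("xl/worksheets/sheet")
                       for _ in ET.fromstring(z.read(n)).iter(NS + "f"))
        shared = _shared_strings(z)
        first = ET.fromstring(z.read("xl/worksheets/sheet1.xml"))   # assumed: first sheet
        owner = _cell_text(first, "B1", shared)
        pii = _cell_text(first, "B2", shared).lower() == "yes"
        investors = _cell_text(first, "B3", shared).lower() == "yes"
    # mtime, not atime: atime is often disabled, and the scan itself would touch it.
    modified = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    complexity = sheets + 2 * links + (3 if macros else 0) + formulas // 10
    criticality = (PII_WEIGHT if pii else 0) + (INVESTOR_WEIGHT if investors else 0)
    score = complexity + criticality + (0 if owner else NO_OWNER_PENALTY)
    return {"path": path, "sheets": sheets, "external_links": links, "has_macros": macros,
            "formulas": formulas, "model_owner": owner, "contains_pii": pii,
            "investor_reporting": investors, "last_modified": modified.isoformat(),
            "risk_score": score}

def scan_directory(root):
    """Walk the designated shared location; return assessments, highest risk first."""
    found = [assess_workbook(os.path.join(d, f)) for d, _, fs in os.walk(root)
             for f in fs if f.lower().endswith((".xlsx", ".xlsm"))]
    return sorted(found, key=lambda r: r["risk_score"], reverse=True)

def build_sample_workbook(path, owner="Jane Doe", pii="yes", investors="no", macros=False, links=1):
    """Write a constructed minimal workbook (two sheets, one formula) for offline testing."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    rows = [cell("A1", "Model owner") + cell("B1", owner),
            cell("A2", "Contains PII") + cell("B2", pii),
            cell("A3", "Reported to investors") + cell("B3", investors),
            '<c r="A4"><f>COUNTA(B1:B3)</f><v>3</v></c>']
    sheet1 = (f'<worksheet xmlns="{MAIN}"><sheetData>'
              + "".join(f'<row r="{i}">{r}</row>' for i, r in enumerate(rows, 1))
              + "</sheetData></worksheet>")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{MAIN}"><sheets>'
                   '<sheet name="Model" sheetId="1"/><sheet name="Data" sheetId="2"/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>')
        for i in range(1, links + 1):
            z.writestr(f"xl/externalLinks/externalLink{i}.xml", f'<externalLink xmlns="{MAIN}"/>')
        if macros:
            z.writestr("xl/vbaProject.bin", b"")

def demo():
    """Build two constructed workbooks in a temporary 'shared drive' and scan them."""
    root = tempfile.mkdtemp()
    for sub in ("finance", "hr"):
        os.makedirs(os.path.join(root, sub))
    build_sample_workbook(os.path.join(root, "finance", "forecast.xlsx"))
    build_sample_workbook(os.path.join(root, "hr", "headcount.xlsm"), owner="", pii="no",
                          investors="yes", macros=True, links=0)
    return scan_directory(root)

if __name__ == "__main__":
    for r in demo():
        print(r["risk_score"], r["path"], "owner:", r["model_owner"] or "MISSING")
```

The macro-enabled file with no attested owner scores highest, which is the kind of ranking you want to feed into the reporting database described in Step 4. Real workbooks from Excel use shared strings rather than inline strings, which the cell reader also handles; `sheet1.xml` is assumed to be the first tab, which holds for files saved by Excel but is worth verifying against `xl/_rels/workbook.xml.rels` in a production scanner.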
As always, there are more advanced steps: location-based controls, cell-level locking, enhanced password enforcement, automated audit trails, providing spreadsheet error detection tools for the line of business, etc. One caveat on cell-level locking: Excel’s sheet and workbook protection guards against accidental edits, not against a deliberate actor, since its passwords are trivially removed. When the goal is confidentiality or integrity against tampering, rely on file-level encryption and access permissions instead.
To learn more, download our white paper, Taming the Spreadsheet Menace. It will help you scope out the technology and processes that avoid the high costs and losses that result from poorly controlled spreadsheets and EUCs.