End-user computing

Internal Auditor, Feb, 1993 by Larry E. Rittenberg, Ann Senn

Is it true that end-user computing is like a runaway train?

End-user computing is altering the fundamental nature of computer applications and the way such applications are being developed. By the mid-1990s, 50 percent of data processing budgets may be allotted to end-user computing (EUC); and the number of personal computers and workstations manned by white-collar workers is expected to rise to 70 percent or higher.

Unfortunately, EUC and its implications have not always been well understood, nor well managed. Recent research conducted under the auspices of The Institute of Internal Auditors Research Foundation(*) confirms a generally held perception that the management approach to EUC is usually the result of unplanned responses to individual situations rather than a considered strategy. Only 31 percent of the organizations surveyed in the research project indicated that EUC had been developed in a systematic or controlled fashion.

Such lack of direction may result in loss of control over applications, development processes, security, integrity, and costs. Internal auditors can provide real value to their organizations by helping them to manage -- and thus to benefit from -- EUC.

* What Is End-user Computing?

End-user computing may involve a single user on a microcomputer, networks of users downloading data for further processing on workstations, or user-developed mainframe applications using fourth generation languages. The distinguishing factor of end-user computing is not the technology, the size of the applications, or the sophistication of the application, but the fact that the user has the ability to create an application, manipulate data, determine access to data -- all with limited assistance from an intermediary such as an information systems department.

Technology, such as microcomputer developments, micro-to-mainframe links, data bases and data communications, has enabled end-user computing to develop; but the technology alone cannot account for the growth in end-user computing. Rather, the demand for end-user computing stems from:

* An unprecedented systems development backlog, and a decreasing ability on the part of Information Systems (IS) departments to meet the ever-increasing user needs on a timely and cost-effective basis.

* More demanding and better-educated users who realize that maximizing computing benefits is integral to achieving a competitive advantage.

* The recognition of complete, accurate, and timely information as a corporate resource and competitive advantage.

* An increasing specialization and sophistication of business analysis.

End-user computing represents a way of doing business. Users understand the decisions they need to make, the decision-making process, and the information needed to support the decision. The user wants flexible, easy-to-use tools with standardized interfaces to corporate data for developing and maintaining end-user applications.

Most end-users don't really care whether they are working on a microcomputer or a mainframe. They do care whether they can access and manipulate data, using their own decision models and reporting capabilities.

* Audit Concerns

Placing computing power and capability in the hands of end-users allows users to bypass the traditional IS planning and development process, as well as all the control procedures that have been built in to ensure that:

* The right systems are developed within reasonable costs.

* The systems are developed efficiently and effectively, using the right tools and within reasonable cost.

* Applications contain adequate controls.

* The impact of an application on other users, or data, is addressed.

* Applications are properly documented and can be maintained by someone other than the developer.

* Adequate levels of security are built into applications to maintain the integrity of corporate data resources.

* Applications create reliable data and reports.

The peculiarities of EUC, coupled with the lack of central control, create or recreate exposures that should be addressed by the internal auditor.

Control Over Resources

Formal systems development processes are governed by well-defined planning and budgetary procedures to allocate scarce computing resources, but such procedures often do not exist in an end-user computing environment. Computing strategies play an important role in an organization's competitiveness; and a strategic umbrella should be in place, so that end-user developments do not drain resources with projects that do not address strategic corporate needs. Centralized development authorization helps set priorities and control redundant efforts.

Inadequate Controls

Many users may not appreciate the risks associated with developing applications. The common book of knowledge regarding computing risks and controls resides in the Information Systems departments. With IS no longer in charge, there is no assurance that standard safeguards built into the traditional process will be followed.

Because few companies have implemented comprehensive definitions of end-user controls and procedures, adequate controls cannot be assured. In the EUC environment, no one is responsible for enforcing such traditional data processing standards as application controls, testing procedures, and documentation.