Evaluate End-User Computing Controls
End-user computing (EUC) tools present unique control risks primarily because:
They cannot be connected to enterprise databases and therefore contain only test data.
They require specialized IT staff to operate and are difficult to access.
They are more expensive to maintain than enterprise systems.
They are typically developed and maintained by non-IT business users outside formal IT governance, increasing the risk of errors, unauthorized changes, and lack of documentation.
Explanation
EUC tools (spreadsheets, Access databases, desktop applications) are created and managed by business users who may lack formal development training and often bypass IT change management, access controls, and documentation standards. Answer B is correct. EUC tools are typically inexpensive (A), require no specialized IT staff to operate (C), and can connect to enterprise data sources (D).
Which of the following is the most effective control for ensuring the accuracy of formulas in a critical financial spreadsheet used as an EUC tool?
Performing an independent review of all formulas and logic by a second qualified person, documenting the review, and re-performing key calculations to verify accuracy.
Printing a hard copy of the spreadsheet output each period for the files.
Requiring the CFO to sign off on the spreadsheet output monthly.
Storing the spreadsheet on a shared network drive accessible to all finance staff.
Explanation
Independent formula review and recalculation by a second qualified person is the most direct control for detecting spreadsheet errors - verifying the underlying logic rather than just the outputs. Answer D is correct. Shared access (A) increases risk. Print copies (B) do not verify formula accuracy. CFO sign-off (C) reviews output but may not detect embedded formula errors.
An organization's EUC policy requires that all spreadsheets used in financial reporting be inventoried and assessed for risk. The primary purpose of this inventory is to:
Identify which EUC tools are material to financial reporting so that appropriate controls can be designed and applied proportionate to their risk.
Ensure all spreadsheets comply with IT security standards for encryption.
Determine how much storage space spreadsheets consume on company servers.
Allow the IT department to migrate all spreadsheets to enterprise systems.
Explanation
An EUC inventory enables risk-based control decisions - high-risk tools (large financial impact, complex logic) receive stronger controls than low-risk tools. Answer C is correct. Encryption (A) and storage (D) are secondary concerns. Migration (B) may be a long-term goal but is not the purpose of the inventory.
A business user modifies a critical revenue calculation spreadsheet without documenting the change or notifying the finance team. This scenario illustrates which EUC control weakness?
Inadequate encryption of spreadsheet data at rest.
Absence of version control and change management for EUC tools - unauthorized or undocumented changes can introduce errors without detection.
Excessive access granted to IT staff for the spreadsheet.
Failure of the external auditors to review the spreadsheet during the prior year audit.
Explanation
Undocumented, unauthorized changes to critical EUC tools are a version control and change management failure - a fundamental EUC control risk. Answer A is correct. Encryption (B), IT access (C), and prior audits (D) are not the primary issues here.
Which of the following EUC controls most directly addresses the risk of unauthorized modification of a critical financial spreadsheet?
Protecting the spreadsheet with password-based file protection and locking formula cells, with access restricted to authorized users only.
Storing the spreadsheet in a folder labeled 'Official - Do Not Modify.'
Requiring the spreadsheet to be reviewed by management monthly.
Printing a backup copy of the spreadsheet at each month-end.
Explanation
Preventing unauthorized modification requires technical controls - cell and file protection, restricted access - that physically prevent unauthorized changes rather than relying on labels or periodic reviews. Answer D is correct. Monthly review (A) detects, not prevents. Labels (B) are ineffective technical controls. Print backups (C) support recovery but do not prevent modification.
Which of the following best describes an effective EUC governance framework?
Prohibiting all EUC tools from being used in financial reporting processes.
Requiring all EUC tools to be redeveloped as enterprise IT applications within one year.
Inventorying EUC tools, classifying them by risk, applying proportionate controls, and periodically reviewing their adequacy.
Limiting EUC governance to tools that process more than $10 million in transactions.
Explanation
Effective EUC governance takes a risk-based approach - identifying tools, assessing their risk, applying appropriate controls, and monitoring on an ongoing basis. Answer B is correct. Blanket prohibition (A) and mandatory migration (C) are impractical. Arbitrary thresholds (D) ignore lower-value tools that may still be material.
A company's month-end close process relies on a spreadsheet to aggregate data from five different systems and calculate consolidated revenue. The spreadsheet has no input validation, no formula documentation, and is updated by multiple users with no access restrictions. Which of the following correctly characterizes the control environment for this EUC tool?
Adequate - multiple users provide redundant review.
Moderate risk - only the lack of documentation is concerning.
Adequate - the spreadsheet is regularly used and has not produced errors.
High risk - multiple uncontrolled factors (no validation, no documentation, unrestricted multi-user access) create significant potential for undetected errors or unauthorized changes in a material process.
Explanation
Multiple simultaneous control weaknesses in a material revenue process represent high risk - no input controls, no audit trail, no access control, and no documentation compound to create serious financial reporting exposure. Answer D is correct. Regular use without known errors does not confirm control adequacy (A, B, C).
Which of the following represents a key difference between controls over EUC tools and controls over enterprise IT systems?
Enterprise systems require more frequent testing than EUC tools.
EUC tools process more transactions per day than enterprise systems.
Enterprise systems typically have formal IT general controls (change management, access controls, testing) enforced by IT governance; EUC tools often lack these controls and rely on user discipline.
EUC tools are subject to more rigorous regulatory requirements than enterprise systems.
Explanation
The critical distinction is the IT governance framework: enterprise systems are subject to formal ITGCs, while EUC tools operate outside this framework, creating the primary EUC control risk. Answer C is correct. Testing frequency (A) and regulatory requirements (B) favor enterprise systems, not EUC tools. Transaction volume (D) typically favors enterprise systems.
When should an organization consider migrating a critical EUC tool to a formal enterprise application?
Immediately - all EUC tools should be replaced by enterprise systems regardless of risk or cost.
When the EUC tool's risk profile exceeds what compensating controls can adequately mitigate - particularly for high-volume, high-risk, or complex processes that require robust IT controls.
Only when the external auditors specifically request migration.
Only when the EUC tool is more than five years old.
Explanation
Migration is warranted when the business risk of an EUC tool cannot be adequately controlled through compensating measures - typically when processing volume, complexity, or financial impact makes EUC controls insufficient. Answer D is correct. Blanket migration (A) ignores cost-benefit. Age alone (B) is not the trigger. External auditors do not mandate migration (C).
A company's internal audit team identifies 47 spreadsheets used in the financial close process. To prioritize audit resources, which criteria should drive the risk assessment of these tools?
The file size and creation date of each spreadsheet.
The number of worksheets contained in each workbook.
The seniority of the employees who use each spreadsheet.
The financial impact of the data processed, complexity of formulas, number of users, frequency of changes, and existing controls over each tool.
Explanation
Risk assessment should be based on factors that determine potential impact and likelihood of error: financial materiality, formula complexity, access breadth, change frequency, and current control strength. Answer B is correct. File characteristics (A, D) and user seniority (C) are not meaningful risk indicators.