Researches revealed that about 68% of an enterprise's corporate data is stored in applications managed and controlled by IT department. The other 32% of corporate data is stored in Microsoft Excel spreadsheets, other databases (e.g. Microsoft Access), business intelligence tools (e.g., reporting tools), Microsoft Word documents, web-oriented architecture "mashup" approaches and other end user computing applications. Often the 32% portion of corporate data exists in relatively uncontrolled environments and may lack the same safeguards and controls applied to the 68% portion of corporate data under the IT Department control.
Such deficiency in safeguards and controls can result in negligent errors, as was the case with TransAlta Corp., which took a $24 million charge to earnings after a bidding error caused by a cut-and-paste mistake in an Excel spreadsheet. The lack of adequate safeguards and controls can also permit dishonest users to engage in fraud, as happened with AIB's Allfirst Bank, where a trader hid a $700 million loss by substituting links in a company spreadsheet to his private manipulated spreadsheet. For regulated enterprises, this can lead to regulatory compliance issues.
End User Computing ("EUC"), also known as User Developed Applications ("UDA") is a popular approach that involves end users with non-programming knowledge in design, creation and maintenance of working applications. Unlike conventional program development, assembling EUC programs is performed at application level of existing software packages. For examples, formulae entered in Microsoft Excel spreadsheet, analysis programs made by Statistical Analysis System ("SAS") and macros embedded in Microsoft Word.
From end users' perspective, the use of EUC is convenient and efficient, as it can be created and maintained locally. However, when talking about information security, EUC has a new set of problems, including weak access control, uncontrolled change process, higher possibilities of mistakes and loss of data. Poor management of EUC could eventually lead to exploitations on those security vulnerabilities.