II Management

EUC programs that store and manipulate important information (e.g. financial figures, examination records, research data) of universities should be subject to the same level of general IT controls implemented on applications controlled by the IT department. Nevertheless, since the IT departments do not own those EUC programs, the first step towards effective EUC management is establishing an EUC control policy, covering the following elements:


Each academic or administrative unit may have a different interpretation of what constitutes an EUC application, which may create obstacles during the implementation of EUC controls. Management should provide a clear definition of EUC programs and communicate it to the university's staff, students and any other relevant members.

EUC Register

An EUC register should be created by each academic or administrative unit to record all existing EUC programs. The nature of each EUC program should be identified and categorised into a corresponding class (e.g. financial, academic, operational, and informational). In addition, the ownership of each EUC program in the register, including the owner's name and respective academic or administrative unit, should be documented. Management should also ensure that the EUC register is updated regularly so that it does not hold incorrect information.

Risk Assessment

The risk assessment process evaluates the risk level of each EUC program in the EUC register based on its nature and the classification of the information (e.g. confidential, internal and public) it stores or manipulates, considering the following risks arising from EUC errors or fraud:

  • Financial Risk - Financial misstatement

  • Academic Risk - Incorrect research conclusions or findings

  • Operation Risk - Impact or interruption to operations

  • Information Risk - Misleading information

Based on the risk assessment results (e.g. high, medium, low), an appropriate level of security controls can be deployed for each EUC program, which helps to make better use of the limited resources available for EUC management. The risk assessment should be performed at least once a year to confirm that the assigned risk levels remain valid and that the controls implemented over EUC programs remain appropriate.