i-nth logo


Mary Callahan Hill & W. Alan Barnes


Businesses today rely on the work being done by staff using personal computers. The proliferation of personal computers has led to widespread implementation of end-user computing applications.

As their name implies, end-user applications are designed, implemented, and controlled by users rather than by IT professionals. End-user applications can be risky for organizations, both with respect to management decision making and to financial reporting.

For public companies, the risk involved in these applications has been increased by the requirements of the Sarbanes-Oxley Act of 2002 (SOX), which call for management to document end-to-end financial operations and internal control structures.

Following is a review of the reasons for the prevalence of end-user applications and their inherent problems, as well as strategies for the internal control of these applications for various-sized businesses.


End-user computing has four significant risks from an operational or financial reporting standpoint:

  • First, there is the risk that the end-user application will have unintentional errors that result in poor decision making or inaccurate financial reporting.
  • Second is the risk that scarce resources (money or employee time) will be wasted on developing these applications.
  • The third risk is that end-user applications will be used to perpetuate fraud or hide losses.
  • Finally, end-user applications increase the risk of data breaches.

Managing these risks requires control over end-user development, which includes a policy on end-user applications (including spreadsheets), communication about end-user applications, and training on software to develop end-user applications.


2011, The CPA Journal, July, pages 67-71

Full article

End-user computing applications