End-user development refers to activities and tools that allow end-users – people who are not professional software developers – to create or modify system software.
User-Developed Applications (UDAs) typically consist of spreadsheets and databases created and used by end users to extract, sort, calculate, and compile organizational data to analyze trends, make business decisions, or summarize operational and financial data and reporting results:
Due to their unrestricted nature, User-Developed Applicatons allow relatively un-sophisticated computer users to write programs that represent complex data models, while shielding them from the need to learn lower-level programming languages. However, once end users are given freedom to extract, manipulate, summarize, and analyse their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT.
These risks associated with User-Developed Applications
- Data security i.e. data confidentiality, integrity and availability.
- Data download issues
- Lack of structured development processes and change management controls
- Increasing complexity of the application
- Inefficient or ineffective development practices
- Lack of version control leading to multiple versions of the same application
- Lack of documentation
- Lack of support
- Limited input and output controls
- Lack of formal testing and acceptance
The audit process includes a series of steps including. identifying critical UDAs, evaluating the level of risk associated with each UDA, and testing the controls to determine whether they are sufficient to reduce associated risks to an acceptable level based on the organization’s risk appetite and tolerance.