End-User Computing & Shadow IT
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series covers end-user computing and shadow information technology. It explains how non-programmer users create their own tools, why this practice introduces security and compliance gaps, and the governance controls an IS auditor should expect to find when reviewing this area of operations.
What this episode covers
- What end-user computing is — tools that let non-programmers design and run their own small applications (spreadsheets, macros, simple databases), usually built and maintained outside the technology team's normal development and change controls.
- Why organisations permit it — speed of delivery, reduced pressure on IT departments, and greater flexibility to respond to changing business conditions.
- Security and compliance risks — absence of independent review, missing access controls, unencrypted data, lack of backups, and exclusion from security patching.
- Governance controls — defining criticality criteria, applying data classification, maintaining an inventory, and imposing full application-level controls on critical tools.
- What shadow IT is — any unsanctioned technology used without proper approval, made common by cheap cloud software and mobile devices.
- Managing shadow IT — policy, approval routing, system consolidation, explicit access rights, user education, activity monitoring, and endpoint controls.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is end-user computing and why do organisations allow it?
End-user computing refers to tools that let ordinary, non-programmer users build and run their own small technical solutions, such as spreadsheets or simple databases. Organisations allow it because users can build and launch tools quickly, which takes pressure off the technology department and makes the organisation more flexible in responding to new markets, regulations, and customer demand.
What security risks does end-user computing create?
Because the technology team is often not involved, end-user tools may never receive an independent review or be built using formal development methods, leaving gaps in access controls, authentication, and audit logging. Sensitive data may sit unencrypted, the tools may never be backed up, they may hold private information that creates compliance exposure, and they may be excluded from security patching. Any tool judged critical should therefore receive the same controls as a full enterprise application.
What is shadow IT and why is it so common?
Shadow IT is technology used inside an organisation without proper vetting or approval from the technology and security teams. It has become common because cheap cloud software, powerful mobile devices, and remote working on personal devices make it easy for anyone to acquire and use a tool in minutes. It covers any unsanctioned application, service, or system and can spark innovation but also expose the organisation to serious security and compliance risk.
How should an organisation control shadow IT?
Controls begin with a clear shadow technology policy tied to business goals and a culture where the technology team acts as a helpful service provider rather than a barrier. All technology purchases should be routed through that team for review and approval, and systems should be consolidated where possible to shrink the overall footprint. Additional measures include explicit access and admin rights, a real user education programme, activity monitoring, and strong endpoint controls over how users move data.
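The activity-monitoring and inventory controls above are usually implemented by comparing what users actually connect to against the list of approved applications. The following is an added example, not code from the episode or from RooCloud: it parses constructed web-proxy log lines (a hypothetical space-separated format of timestamp, user, URL, bytes sent and action), drops any host that is in, or a subdomain of, a hypothetical sanctioned-application inventory, and reports the remaining services with their users, hit counts and outbound volume, flagging single requests above a bulk-upload threshold as possible data movement to an unvetted service. The inventory, log lines and threshold are all assumptions for illustration.

```python
"""Flag unsanctioned cloud services in proxy logs against an approved-application inventory.

Added example for illustration; the inventory, log format and sample lines below are
constructed, not taken from any real environment or from the episode.
"""
from urllib.parse import urlsplit

# Hypothetical approved-application inventory (assumption): hostname -> (app name,
# highest data classification the service is approved to hold).
SANCTIONED = {
    "sharepoint.example-tenant.com": ("SharePoint", "confidential"),
    "crm.example-vendor.com": ("Approved CRM", "confidential"),
}

# Constructed sample proxy log, one request per line:
#   timestamp user url bytes_out action
SAMPLE_LOG = """\
2024-05-01T09:12:01Z alice https://sharepoint.example-tenant.com/sites/finance 512 allow
2024-05-01T09:15:44Z bob https://files.unlistedshare.example/upload 8400000 allow
2024-05-01T09:16:02Z bob https://files.unlistedshare.example/upload 9100000 allow
2024-05-01T10:02:10Z carol https://crm.example-vendor.com/api 2048 allow
2024-05-01T10:30:55Z alice https://notes.personalcloud.example/sync 30000 allow
"""


def is_sanctioned(host: str, inventory=SANCTIONED) -> bool:
    """True if host is an approved service or a subdomain of one.

    The '.' prefix on the suffix check stops 'approved.com.evil.example'
    from matching 'approved.com'.
    """
    return any(host == approved or host.endswith("." + approved) for approved in inventory)


def parse_line(line: str) -> dict:
    """Split one log line into its fields and extract the destination hostname."""
    ts, user, url, bytes_out, action = line.split()
    return {
        "ts": ts,
        "user": user,
        "host": urlsplit(url).hostname,
        "bytes_out": int(bytes_out),
        "action": action,
    }


def find_shadow_it(log_text: str, inventory=SANCTIONED, bulk_threshold: int = 5_000_000) -> dict:
    """Aggregate requests to hosts that are not in the inventory.

    Returns {host: {"users": set, "hits": int, "bytes_out": int, "bulk_uploads": int}}.
    bulk_threshold (bytes in a single request) is an assumed tuning value.
    """
    findings: dict = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_sanctioned(rec["host"], inventory):
            continue
        entry = findings.setdefault(
            rec["host"], {"users": set(), "hits": 0, "bytes_out": 0, "bulk_uploads": 0}
        )
        entry["users"].add(rec["user"])
        entry["hits"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["bytes_out"] >= bulk_threshold:
            entry["bulk_uploads"] += 1
    return findings


def report(findings: dict) -> str:
    """Render findings as a short text table, largest outbound volume first."""
    lines = ["host | users | hits | bytes_out | bulk_uploads"]
    for host, e in sorted(findings.items(), key=lambda kv: -kv[1]["bytes_out"]):
        lines.append(
            f"{host} | {','.join(sorted(e['users']))} | {e['hits']} | "
            f"{e['bytes_out']} | {e['bulk_uploads']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_shadow_it(SAMPLE_LOG)))
```

In practice the inventory would be fed from the approval process described above, so that every host the review team signs off on disappears from this report, and anything left is either an approval request waiting to be routed or a service to block at the endpoint or proxy. The bulk-upload count is what turns a "someone visited a site" finding into a "someone moved data" finding, which is the case that needs follow-up first.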
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in End-User Computing & Shadow IT.