When conducting an audit, an auditor must obtain an understanding of a client’s internal control environment, including the use, applicability and nature of any manual and automated controls, in order to design appropriate procedures to test such controls.
The question often arises during the course of an audit:
"Should I be using automated or manual controls for this process? Is one better than the other?"
It’s a great question, and unfortunately there is no overarching correct response here.
Depending on the nature of the control activity in question, manual controls, automated controls, or a combination of the two may be preferred. For example, it is highly recommended that clients have automated controls in place for processes such as backups of application and data files, network security (e.g., the use of firewalls, intrusion detection / prevention systems, etc.), and change management (e.g., the use of file integrity monitoring applications, version control software, ticketing systems, etc.), to ensure consistency and reliability in control operations over a period of time without manual intervention.
There are controls, however, that inherently require manual operation. For example, approvals of changes prior to implementation into a production environment, periodic user access reviews, and reconciliations of data / transactions are all controls that organizations should certainly consider having in place.
To conclude, organizations should certainly strive to eliminate any manual processes that could be replaced by implementing automated systems, where resources permit, but should continue to keep in mind that manual controls can play an important and often complementary role as well.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice, the development and oversight of Schellman's SOC practice line, and specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.