
Controls: Automated or Manual - Is One Better?

When conducting an audit, an auditor must obtain an understanding of a client’s internal control environment, including the use, applicability and nature of any manual and automated controls, in order to design appropriate procedures to test such controls.

The question often arises during the course of an audit:

"Should I be using automated or manual controls for this process? Is one better than the other?"

It’s a great question, and unfortunately there is no overarching correct response here.

Depending on the nature of the control activity in question, manual controls, automated controls, or a combination of the two may be preferred. For example, it is highly recommended that clients have automated controls in place for processes such as backups of application and data files, network security (e.g., the use of firewalls and intrusion detection / prevention systems), and change management (e.g., the use of file integrity monitoring applications, version control software, and ticketing systems). Automating these processes helps ensure consistency and reliability in control operations over a period of time without manual intervention.

There are controls, however, that inherently require manual operation. For example, approvals of changes prior to implementation into a production environment, periodic user access reviews, and reconciliations of data / transactions are all controls that organizations should certainly consider having in place.

To conclude, organizations should certainly strive to eliminate any manual processes that could be replaced by implementing automated systems, where resources permit, but should continue to keep in mind that manual controls can play an important and often complementary role as well.

About DANNY MANIMBO

Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman’s ISO practice, as well as the development and oversight of Schellman’s SOC practice line and specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.