When evaluating internal controls, there is a hierarchy of control types that most auditors keep in mind. Preventive controls are more effective than detective controls, and automated controls are more reliable than manual controls. Let’s start by understanding the difference between manual and automated controls and the testing approaches.
What Is an Automated Control?
Today, nearly every company has some degree of control automation configured to perform either a preventive or detective function. Automated controls are commonly found in critical areas like a backup of application files, network security, and change management.
The use of automated controls testing is highly recommended in these processes to ensure consistency and reliability of operations. Furthermore, with the rapid integration of ERP systems in modern companies, the use of automation in activities such as procurement 3-way matches, workflow approval routing, and data field validations has become widespread.
Automated Controls vs Manual Controls: What’s the Difference?
It is important to understand the difference between automated controls vs manual controls. Automated controls are ideal in situations with high volume, uniform transactions. In this case, there is little need for manual intervention or judgment. Automated controls include the risk of relying on inaccurate systems and data or putting trust in an inappropriate automation algorithm.
Manual controls are preferred when there is a need for human judgment. The need for manual controls often arises when there is a low volume of transactions that require discretion in deciding the outcome of the internal control process. Manual controls run the risk of human error and intentional override.
A third control category also exists called semi-automated controls, sometimes referred to as IT-dependent controls. With this type of automated control, human intervention is still required, but the person’s action is dependent on the output for a system.
To illustrate the different types of control, we can use a system access control as an example. As a manual control, user access is tested by comparing all (or a sample of) users to the current employee listing and then testing for appropriate levels of access. In semi-automated controls, a system may perform the first comparison to the active employee listing and then flag users with potential issues for review. In automated controls testing, the system would validate the users in real-time against the active employee listing, access can validate against the individual’s job code and provisioning profile, and any discrepancies would be adjusted automatically.
How Do You Automate Controls?
Control automation starts with strong documentation. Start with process and control flowcharts or narratives to define the process. Next, choose a less complex process to automate. In the control testing example for earlier, it could be the comparison of system users to the active directory. After you have proven the concept, look for control candidates that meet the criteria for automation, namely those with high volume transactions and uniformity. Finally build the automation and test the output to ensure the data coming out is what you expected.
The types of automated controls (semi-automated controls and fully automated controls) will ultimately dictate your testing strategy. There is a rhythm on how to test automated controls. You start with validating the data in the system is accurate and complete, then perform a test of one automated control. With semi-automated controls, the testing will depend on the level of automation. For the portion of the process that is automated, the test of one automated control idea still holds, but it will be supplemented with manual testing for the portion that requires human intervention.
What Are the Benefits of Automated Controls?
SOX compliance efforts benefit immensely from the existence of automated controls in a company’s internal control environment. Both from a time and cost perspective, automated controls dramatically improve the efficiency of SOX compliance and testing, especially in companies that have deployed powerful ERPs, such as SAP and Oracle. However, many companies have not optimized their internal control environment to take advantage of the configurations available within their ERP platforms. A company’s internal auditors do not have the technical expertise to advise process owners on the best ways to utilize the ERP’s automation features.
Companies that have successfully optimized their control environment through automated controls have realized tangible benefits in their SOX compliance process. Some of these benefits include:
Increased External Auditor Reliance
An increase in automated controls has a direct impact on the degree of external auditor reliance. The PCAOB, through AS5, clearly points to the advantage of having automated controls in an audit of internal controls by saying “an automated control would generally be expected to be a lower risk if relevant information technology general controls are effective.” In order to rely on automated controls, it is essential that there is a host of underlying IT general controls that are working effectively.
Increased Operational Efficiency
The existence of automated controls in an internal control environment ensures employees are spending more time on strategic initiatives rather than working long hours on manual, repetitive tasks. Automated controls also drastically reduce the odds of human error and fraudulent manipulation. Additionally, they greatly simplify the knowledge transfer process required during a transition of roles among employees. Once an internal control process is automated, there is also a significant difference when testing manual or automated controls. For example, automated controls testing only needs a test of one transaction. The idea is that the system always works the same, so if it works one it’s safe to assume it always works.
Reduced SOX Compliance costs
Studies have shown that reducing manual controls and increasing automated controls testing has a significant impact on the SOX Compliance spend of a company. Manual processes that constantly require the involvement of employees, consultants, or auditors are not sustainable. In the long run, having automated controls testing is more stable, largely because this enables a repeatable, reliable, and predictable framework while significantly lowering the cost of compliance.
Choosing Automated Controls vs Manual Controls
In the end, most companies have a mix of automated controls vs manual controls. Some control processes work better with automated controls, and some require personal discretion. Typically, the focus for the control environment should lean toward automation and prevention over manual and detection. As you evaluate your internal controls, keep in mind the benefits you hope to achieve.
John Kim, CPA was a SOX Subject Matter Expert and Technical Sales Director at AuditBoard. He has over 10 years of experience in Internal Audit, first as a Risk Assurance Manager at PricewaterhouseCoopers and then as the Senior Manager of Internal Audit for Zynga.