Difference between Automated and System based control



  • I am confused about the difference between Automated and system based control. If someone can explain using an example (preferably from the IT side of Audit) that would be great.
    Also if someone can provide a link to some online dictionary for audit terms that would be helpful too.
    Thanks in advance.
    Calvin



  • Hi Calvin - These may be more synonymous terms than different for meeting SOX compliancy requirements? Maybe some of the links from some quick research this morning might help define these terms from a SOX perspective?
    To me, Automated Controls seem broader in scope, as some of the research included network, security, along with IT system controls. System controls would most likely include balancing, preservation of information, sampling/testing, etc.
    Please copy to browser and add www to all links below
    General Searches
    google.com/search?hl=en-and-q=sox automated versus system controls
    google.com/search?hl=en-and-q=sox automated controls
    google.com/search?hl=en-and-q=sox system controls
    One of the better articles found
    ebcvg.com/articles.php?id=767
    Two types of automated controls, identity auditing and identity control, dramatically drive down manual IT audit activity while reducing critical areas that can be compromised. In such an environment identity extends beyond users to include assets, applications, transactions and data. Injecting identity at the network layer provides IT organizations with the knowledge of who is accessing what assets from where, both within and across enterprise boundaries. It uses this visibility to protect critical assets and ensure compliance, as well as the reporting to prove it, resulting in the simultaneous reduction of cost and risk.
    Another possible resource
    deloitte.com/dtt/article/0,1002,cid%3D96127,00.html



  • An automated control is one that is programmed to occur. Data postings are automated controls. The data is posted when scheduled and is posted to the correct file. Another example of an automated control would be sign-on access to a system or application. The correct combination of user ID and password gets you in. An incorrect combination will not let you in.
    An example of a system-based control would be an exception report. When data being posted or transferred from one dataset to another do not match up as expected, the unmatched data is identified and either held in suspense, posted to a suspense account, not posted at all or keeps the entire dataset from posting. The exception report shows which data did not match up. Someone needs to make a decision as to how to handle the exceptions (recode them, delete them, etc.) in order for the posting process to properly complete. Since this control requires both system and manual efforts to be effective, it is generally referred to as a system-based control.
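
The exception-report control described in the post above, as an added example that is not part of the original thread. It models only the "held in suspense" variant; the class, account codes and sample batch are constructed for illustration.

```python
from dataclasses import dataclass, field

VALID_ACCOUNTS = {"1000", "2000", "4000"}  # constructed chart of accounts

def matches(txn):
    """Automated matching rule: known account and a positive amount."""
    return txn["account"] in VALID_ACCOUNTS and txn["amount"] > 0

@dataclass
class PostingRun:
    posted: list = field(default_factory=list)
    suspense: list = field(default_factory=list)   # items held out of the posting
    decisions: dict = field(default_factory=dict)  # txn id -> (reviewer, action)

    def post(self, batch):
        """Automated part: post matching records, hold the rest in suspense."""
        for txn in batch:
            (self.posted if matches(txn) else self.suspense).append(txn)
        return self.exception_report()

    def exception_report(self):
        """Held items that still have no recorded human decision."""
        return [t for t in self.suspense if t["id"] not in self.decisions]

    def resolve(self, txn_id, reviewer, action, new_account=None):
        """Manual part: a reviewer recodes or deletes one held item."""
        if txn_id in self.decisions:
            raise ValueError(f"{txn_id} already resolved")
        txn = next(t for t in self.suspense if t["id"] == txn_id)
        if action == "recode":
            fixed = {**txn, "account": new_account}
            if not matches(fixed):
                raise ValueError("recoded item still fails the matching rule")
            self.posted.append(fixed)
        elif action != "delete":
            raise ValueError(f"unknown action {action!r}")
        self.decisions[txn_id] = (reviewer, action)  # evidence for the tester

    def is_complete(self):
        """The posting completes only when every exception has a decision."""
        return not self.exception_report()

BATCH = [  # constructed sample records
    {"id": "T1", "account": "1000", "amount": 250},
    {"id": "T2", "account": "9999", "amount": 80},   # unknown account
    {"id": "T3", "account": "4000", "amount": 40},
    {"id": "T4", "account": "2000", "amount": -5},   # invalid amount
]
```

Here `post` and `exception_report` are the automated half of the control, while `resolve` records the manual decision, and the `decisions` log is what a tester would sample for the manual half.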



  • More or less agree with Mike.
    We would refer to the second type of control as an IT Dependent Manual control i.e. you have an automated part being the creation of an exception report and the manual element being the review and action thereon.
    An automated control could easily be referred to as a system-based control in some organisations so the original question is not an easy one to answer. SOX does not set the vocabulary at this level.



  • Thanks Harry for the links. I found the Deloitte link helpful.
    Kymike and Dennis, thanks for the replies. They were informative as usual.
    I noted that automated controls can be benchmarked, and if you have good control around change management you may reduce your testing effort in year 2 for them.
    Also, automated controls require only one sample size, whereas system-based controls, since they are a combination of automated and manual processes, need the full sample size (specified as per the frequency). The other problem that I am facing for a couple of system-based controls on the business side is that IT owns the automated part whereas business owns the manual part. Since we have separate testing resources for IT and business, who owns the testing sometimes becomes an issue.



  • Also, automated controls require only one sample size, whereas system-based controls, since they are a combination of automated and manual processes, need the full sample size (specified as per the frequency). The other problem that I am facing for a couple of system-based controls on the business side is that IT owns the automated part whereas business owns the manual part. Since we have separate testing resources for IT and business, who owns the testing sometimes becomes an issue.
    I feel your pain buddy, we have some of the same issues ourselves.
    Remember though that the automated part of the control will be able to be benchmarked/test of one in the same way as straight automated controls. Only the manual part, i.e. the review of the exception report, need be applied a greater frequency.



  • Also, automated controls require only one sample size, whereas system-based controls, since they are a combination of automated and manual processes, need the full sample size (specified as per the frequency). The other problem that I am facing for a couple of system-based controls on the business side is that IT owns the automated part whereas business owns the manual part. Since we have separate testing resources for IT and business, who owns the testing sometimes becomes an issue.
    I sincerely feel that business owns the application and IT merely maintains it. Even if IT is going to maintain the application and is responsible for the automated controls, the business owner is ultimately responsible for the process of which IT controls are merely a part.
    W.r.t. the sample size, the automated part of the control can be tested maybe twice a year, to get comfort on the effectiveness of automation and, like Denis suggested, the manual part needs to be tested at a fairly regular frequency.
    cheers



  • I sincerely feel that business owns the application and IT merely maintains it. Even if IT is going to maintain the application and is responsible for the automated controls, the business owner is ultimately responsible for the process of which IT controls are merely a part.

    Agree with this wholeheartedly. However, the work required to demonstrate that the IT system operates effectively could rest with IT.

