When the Romans perfected aqueducts, those channels that transported fresh water from the source to established cities and towns became the backbone of those areas. Though the Romans were excellent civil engineers, the creation and implementation of aqueducts still required a lot of planning—projects could consist of different elements like pipes, tunnels, canals, and bridges, as well as combinations of these.
Your internal controls are similar—they are the pillars of facilitating your compliance, and like Roman aqueducts, they can be designed and constructed in different ways depending on your organization. Oftentimes, as cybersecurity assessors, we’re asked whether manual or automated controls are “better.”
The truth is, each has its uses, and in this article we’re going to explain further. First, we’ll rewind to briefly define what internal controls are and what they should do—regardless of whether they’re manual or automated—before getting into the comparison between their human vs. computer characteristics.
That way, you’ll come away understanding the typical functions and benefits of each for when you move forward in installing your own controls.
What are Internal Controls?
An internal control is commonly defined as a process designed to provide reasonable assurance regarding the achievement of your organizational objectives.
At a high level, think of it as a progression like this:
Delving a little deeper into how this works: to implement an effective system of internal control, you must:
- Clearly specify objectives allowing for the identification of risks.
- Pinpoint risks that may derail the achievement of your specified objectives—i.e., where and what are the possibilities that an event will occur and have an adverse effect?
- Implement internal controls, or the actions that will help to ensure your directives to mitigate identified risks are carried out.
As all organizations evolve and changes are introduced, this process must also remain dynamic—if your organizational objectives shift, so do the related risks, and ultimately, so should the controls. Skip this process altogether, or let it stagnate despite surrounding updates, and you’ll likely find your system of internal control contains ineffective, redundant, or inefficient controls.
Components of Internal Controls
When structuring your internal controls, the COSO model of internal control identifies 5 distinct elements to the process. At a minimum, you should have all of these in place for each control, as these components are both necessary for effectiveness and form the basis against which that internal control will be evaluated:
1. Control Environment
This is the foundation for the rest of your internal control structure—the tone setter of your organization that influences everything else. Your control environment should align your business processes with any applicable laws and compliance requirements, as well as industry best practices.
An intangible factor, control environment considerations include:
2. Risk Assessment
Given the ever-evolving security threat landscape, it makes sense that part of your internal control structure should be a process to identify and analyze relevant risks that may affect your achievement of your objectives—that includes potential impact and likelihood.
This also includes determining how you should manage those assessed risks.
3. Control Activities
Your control activities are the policies and procedures that, at all levels, help you achieve your business objectives while keeping risks low. These could include, among others:
4. Information and Communication
Information systems are what make it possible for you to run and control things, and effective communication across your entire organization helps ensure everything is working as it should and that your people understand how to take action should they need to.
5. Monitoring Activities
Similarly, you need to monitor internal control systems for performance and effectiveness. Continuous monitoring, through things like quarterly reviews or internal audits, helps you identify issues before they can cause a problem for you or your compliance project.
Manual vs. Automated Controls
This difference is likely self-explanatory, but here it is anyway, with an example of each to boot:
Manual controls rely on human actions.
For example, validating a data center visitor’s credentials prior to permitting physical access.
Automated controls rely on electronic actions.
For example, securing data center access through a biometric scan that is limited to authorized personnel.
So then, which is better to implement?
In truth, systems of internal control will comprise a combination of both manual and automated controls—what you use will depend on your control objective, cost, available data and internal resources—but here are some benefits and drawbacks for both.
Pros and Cons of Automated Controls
Pros:
- Generally more consistent and efficient
- May be built into software used for business processes
- Reduced risk that controls will be circumvented
- Enhanced segregation of duties, and timeliness and availability of information
Cons:
- Dependent upon design/programming
- Limited to discrete control objectives
- Reliance on potentially inaccurate systems
- Possible unauthorized access, changes to, or loss of data
- May require investment in new technologies
Automated controls are more suitable for environments with high volumes of similar transactions.
Pros and Cons of Manual Controls
Pros:
- Can be used to monitor automated controls
- Allows for wider judgement and more nuance
- Allows for professional skepticism and experience in evaluation
Cons:
- Susceptible to human error
- More easily overridden
- Inherently less consistent than automated controls
- More susceptible to collusion and fraud
Manual controls are applicable in areas where you require more judgment and discretion.
Next Steps for Your Internal Controls
As we previously mentioned, systems of internal control will contain both manual and automated practices. For instance, you can automate the process to alert security personnel when certain security events are detected but also require a manual investigation and creation of a ticket to track remediation efforts.
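The alert-then-ticket pattern in the paragraph above, as an added Python example that is not part of the original article: the automated half counts failed logins per source address in constructed sample log lines and raises an alert once a threshold is reached, with no human judgement involved; the manual half requires a named analyst to record a tracking ticket before the alert can be worked, and refuses to close an alert that has no ticket or no documented disposition, so the remediation trail the article mentions is always complete. The log format, the threshold of three failures, the ticket-id pattern SEC-<digits> and the status names are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample auth log lines (syslog-like); not taken from any real system.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z host1 sshd[411]: Failed password for admin from 203.0.113.7 port 5101",
    "2024-03-01T08:00:03Z host1 sshd[411]: Failed password for admin from 203.0.113.7 port 5102",
    "2024-03-01T08:00:05Z host1 sshd[411]: Failed password for root from 203.0.113.7 port 5103",
    "2024-03-01T08:01:10Z host1 sshd[412]: Failed password for alice from 198.51.100.9 port 6001",
    "2024-03-01T08:01:15Z host1 sshd[412]: Accepted password for alice from 198.51.100.9 port 6001",
]

FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
FAILURE_THRESHOLD = 3  # assumed tuning value for this illustration
TICKET_ID = re.compile(r"SEC-\d+")  # assumed ticket-id format


class ControlViolation(Exception):
    """Raised when a step of the manual control is attempted out of order."""


@dataclass
class Alert:
    source_ip: str
    failures: int
    status: str = "open"            # open -> investigating -> closed
    analyst: Optional[str] = None
    ticket_id: Optional[str] = None
    disposition: Optional[str] = None


def detect_failed_logins(log_lines, threshold=FAILURE_THRESHOLD):
    """Automated control: count failed logins per source IP and raise one Alert
    for every source that reaches the threshold. Sources below it are ignored."""
    counts = {}
    for line in log_lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match["ip"]] = counts.get(match["ip"], 0) + 1
    return [Alert(ip, n) for ip, n in sorted(counts.items()) if n >= threshold]


def assign_ticket(alert, analyst, ticket_id):
    """Manual control, step 1: a named analyst takes ownership and records the
    tracking ticket. Only an open alert can be taken, and the id must be well formed."""
    if alert.status != "open":
        raise ControlViolation(f"alert for {alert.source_ip} is {alert.status}, not open")
    if not TICKET_ID.fullmatch(ticket_id):
        raise ControlViolation(f"ticket id {ticket_id!r} does not match SEC-<digits>")
    alert.analyst, alert.ticket_id, alert.status = analyst, ticket_id, "investigating"
    return alert


def close_alert(alert, disposition):
    """Manual control, step 2: closure requires an existing ticket and a written
    disposition, so nothing can be silently dismissed without a remediation record."""
    if alert.status != "investigating" or alert.ticket_id is None:
        raise ControlViolation(f"alert for {alert.source_ip} has no ticket; cannot close")
    if not disposition.strip():
        raise ControlViolation("a closing disposition is required")
    alert.disposition, alert.status = disposition.strip(), "closed"
    return alert


if __name__ == "__main__":
    # Walk one alert through both halves of the hybrid control.
    for alert in detect_failed_logins(SAMPLE_LOGS):
        print(f"automated: {alert.failures} failures from {alert.source_ip} -> alert opened")
        assign_ticket(alert, "analyst1", "SEC-1042")
        close_alert(alert, "Confirmed credential guessing; source blocked at the firewall")
        print(f"manual: {alert.ticket_id} closed by {alert.analyst}: {alert.disposition}")
```

The split between the two halves is deliberate: the detector never changes an alert's status, and the two manual functions are the only way to move it forward, which is what lets an assessor test the automated piece for consistency and the manual piece for the judgement and documentation the article attributes to human controls.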
But there’s no universal answer as to which type of control is considered better. The best advice we can give is to consider both automated and manual controls and perform a cost-benefit analysis to determine which type is right for the risk being mitigated.
Now you at least understand the benefits and drawbacks of both manual and automated controls for when it’s time for your structuring and implementation process. To help you learn even more about shaping and maintaining your controls, check out our other content on different related subjects:
- Are Information Technology General Controls (ITGCs) Important?
- Understanding and Defining Your SOC 1 Control Objectives
About the Author: Terry O'Brien