Automated controls are commonly used within service environments to enhance control precision, consistency, and timeliness. When appropriately designed and governed, automated controls can reduce manual intervention, increase population coverage, and support management’s system of internal control. However, reliance on automation introduces specific risks that must be addressed through design, oversight, and monitoring activities.
This blog outlines key considerations relevant to the design and operation of automated controls in a SOC reporting context.
Governance over Automated Control Logic and Configuration
For purposes of SOC reporting, management maintains responsibility for the accuracy and completeness of the configuration and logic underlying automated controls. Risks related to accuracy and timeliness are mitigated through controls that provide direct oversight of automated control logic. As a result, management needs to establish direct controls to:
- Review and approve automated control configurations and logic
- Perform reviews when configuration changes occur
- Conduct periodic reviews at a frequency determined by system complexity, risk, and the applicable control framework
- Retain documentation evidencing such reviews
These governance controls are designed to ensure that automated controls continue to operate as intended, that changes do not introduce unintended control failures, and that service auditors can rely on the automated controls when conducting a SOC examination.
Use of Automated Controls
Automated controls in service environments typically include controls related to data processing, employee onboarding procedures, monitoring, or identifying system events. When automated controls are used, management must define an acceptable failure rate for the control.
When determining the acceptable failure rate, management needs to consider the assessed risk associated with the control objective. As the assessed risk increases, management’s acceptable failure rate is expected to decrease accordingly. Additional factors to consider include how often the control is performed and the accuracy of the automated control’s operations (i.e., its rate of false positives).
Management’s determination of the acceptable failure rate, along with all the information used in determining the rate, needs to be documented, reviewed, and approved at least annually in order for a service auditor to rely on the automated controls for a SOC examination.
Definition and Identification of Deviations
Management is responsible for defining what constitutes a control deviation for each automated control. This definition is embedded within the automated logic and used by the system to identify exceptions requiring review.
Key considerations include:
- Whether deviations are clearly and consistently defined
- Whether deviation definitions align with the stated control objective
- Whether the system accurately flags deviations based on those definitions
SOC auditors evaluate whether deviation definitions are appropriate and sufficient to support reliance on the automated control.
Calculation and Evaluation of Deviation Rates
When deviations are identified, management must also calculate the actual deviation rate and evaluate the results against the defined acceptable failure rate.
Management’s responsibilities include:
- Ensuring deviation calculations are complete and accurate
- Retaining documentation supporting the calculation methodology
- Performing timely assessments to determine whether control failures exist
- Initiating remediation when deviation rates exceed acceptable thresholds
This process helps support management’s assertion regarding the design and operating effectiveness of automated controls.
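As an added example (not code from the original post), the following Python shows how the two preceding sections fit together in practice: a deviation definition embedded in the control logic, the deviation rate calculated over the control's full population, and the result evaluated against an acceptable failure rate that tightens as assessed risk increases. The control itself (a nightly account-deprovisioning job), the threshold values, and the sample population are constructed assumptions for illustration.

```python
"""Added example: deviation definition, deviation-rate calculation, and
evaluation against a risk-scaled acceptable failure rate.
The control, thresholds, and population below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ControlRun:
    """One execution of a hypothetical automated control, e.g. a nightly
    job that disables accounts for terminated employees."""
    run_id: str
    executed: bool               # the scheduled run actually happened
    completed_within_sla: bool   # it finished inside the defined time window
    result_verified: bool        # a post-run check confirmed the expected state


def is_deviation(run: ControlRun) -> bool:
    """Deviation definition (assumed to be management-approved): a run
    deviates if it did not execute, missed its SLA, or could not be verified."""
    return not (run.executed and run.completed_within_sla and run.result_verified)


# Acceptable failure rate per assessed risk level (constructed values).
# Higher assessed risk means a lower tolerance for control failures.
ACCEPTABLE_FAILURE_RATE = {"low": 0.05, "moderate": 0.02, "high": 0.005}


def deviation_rate(
    runs: Iterable[ControlRun],
    definition: Callable[[ControlRun], bool] = is_deviation,
) -> tuple[int, int, float]:
    """Return (population size, deviation count, deviation rate)."""
    population = list(runs)
    if not population:
        # An empty population has no defined rate; refusing is safer than
        # silently reporting 0% and implying the control operated.
        raise ValueError("empty population: deviation rate is undefined")
    deviations = sum(1 for r in population if definition(r))
    return len(population), deviations, deviations / len(population)


def evaluate_control(
    runs: Iterable[ControlRun],
    assessed_risk: str,
    definition: Callable[[ControlRun], bool] = is_deviation,
) -> dict:
    """Compare the actual deviation rate with the acceptable failure rate for
    the control's assessed risk and return a record suitable for retention."""
    if assessed_risk not in ACCEPTABLE_FAILURE_RATE:
        raise ValueError(f"unknown risk level: {assessed_risk!r}")
    population = list(runs)
    size, deviations, rate = deviation_rate(population, definition)
    threshold = ACCEPTABLE_FAILURE_RATE[assessed_risk]
    exceeds = rate > threshold
    return {
        "population": size,
        "deviations": deviations,
        "deviation_rate": rate,
        "assessed_risk": assessed_risk,
        "acceptable_failure_rate": threshold,
        "exceeds_threshold": exceeds,
        "action": "initiate remediation" if exceeds else "no control failure identified",
        # Flagged run ids are what a reviewer examines to confirm true deviations
        # and identify false positives before the result is approved.
        "deviation_ids": [r.run_id for r in population if definition(r)],
    }


def sample_population() -> list[ControlRun]:
    """Constructed population: 200 nightly runs, two of which deviate."""
    runs = [ControlRun(f"run-{i:03d}", True, True, True) for i in range(200)]
    runs[17] = ControlRun("run-017", True, False, True)     # missed its SLA
    runs[143] = ControlRun("run-143", False, False, False)  # did not execute
    return runs


if __name__ == "__main__":
    # The same 1% deviation rate passes at low and moderate risk but
    # exceeds the threshold at high risk, triggering remediation.
    for risk in ("low", "moderate", "high"):
        result = evaluate_control(sample_population(), risk)
        print(f"{risk:>8}: rate={result['deviation_rate']:.3%} "
              f"threshold={result['acceptable_failure_rate']:.3%} "
              f"-> {result['action']}")
```

The returned dictionary is the kind of record management would retain as evidence of the calculation methodology and its outcome; the `deviation_ids` list gives the reviewer the specific exceptions to examine, which is where false positives are identified and the threshold determination is revisited if needed.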
Limitations on the Use of Automated Controls
Automated controls are not designed to address subjective or judgment-based activities. As such, management should not rely on automated controls for areas requiring professional judgment or qualitative assessment, including but not limited to:
- Management’s review of control design and operating effectiveness
- Management’s risk assessment process
- Evaluation of vulnerabilities and remediation plans
- Analysis of security events and incidents
Processes that are subjective or require judgment need to be addressed through manual or hybrid controls, as appropriate.
Consideration of Automation Risks in the Risk Assessment
One of the most important aspects of the control environment in a SOC report is management’s risk assessment process. In order for a service auditor to rely on automated controls, management must have completed a thorough risk assessment that considers risks specific to automation, including but not limited to:
- Breakdowns in automated control logic
- Unauthorized or inappropriate overrides
- One-off or non-standard scenarios where automation is not feasible
- Systems or processes not fully covered by automation
Where such risks are identified, management must design complementary controls or monitoring activities to mitigate potential control gaps.
Conclusion
Automated controls are evolving and continue to play an important role in system and organization control environments by improving consistency, coverage, and efficiency. However, effective reliance on automated controls requires robust governance over control logic, clearly defined acceptable failure rates, meaningful deviation definitions, and explicit consideration of automation-related risks.
Through these measures, management supports the design and operating effectiveness of automated controls and provides a sound basis for inclusion in SOC reports.
