COMPLIANCE
What is the GLBA Safeguards Rule?
Does the GLBA Safeguards Rule Apply to Harvard?
What does the GLBA Safeguards Rule Require?
What are the elements of a good compliance program?
RISK MANAGEMENT
What is risk management ?
What types of risk is the University concerned about?
Who manages risk at the University?
What is my role in managing risk?
What is the Risk Management Committee?
What is the role of the Joint Committee on Inspection?
AUDIT
How are audits selected?
What should I expect during an audit?
Why aren't good practices cited in an audit report?
Who gets copies of audit reports?
How confidential is my report?
REGULATIONS
If I have a grant or contract with the federal government, are there any laws I should be concerned with?
If I have international business travel, are there any laws I should be concerned with?
What is the HIPAA Privacy Rule?
Will the HIPAA Privacy Rule affect my research?
How could the HIPAA Privacy Rule affect my research?
If the HIPAA Privacy Rule does not take effect until April 2003, why should I worry about it now?
Are there any exceptions to the HIPAA Privacy Rule?
My research involves only de-identified data, so why should I be concerned about the HIPAA Privacy Rule?
What is FERPA?
What are students' education records under FERPA?
Can information be released for a student directory?
What rights do students have under FERPA?
What is the USA Patriot Act?
How does the USA Patriot Act impact higher education?
What if I have additional questions?
INSURANCE
How do the University's self-insurance programs work?
What if a loss or damage occurs to a Harvard building?
Will insurance pay all of a department's repair/replacement costs after a loss?
Are building contents automatically insured on the University's Property Policy?
What if someone is injured on our premises?
What if a tenant, student or employee wants to be reimbursed for damage to personal property?
What if a department wants to buy, sell or lease a vehicle?
What should a driver do if an accident occurs while driving a University vehicle?
INFORMATION SYSTEMS
What are internal controls?
Can I request an Information Systems Audit, and how much do they cost?
Are there system security standards?
Who should I call if I experience a hacker?
What does a systems audit entail?
How do I protect my PC system from a virus?
What are the controls that should be considered when developing a new application?
What controls should applications have?
COMPLIANCE
What is the GLBA Safeguards Rule?
The Gramm-Leach-Bliley Act ("GLBA") Safeguards Rule is a federal law that requires businesses that provide financial products or services to ensure the security and confidentiality of their customers' personally identifiable, non-public financial information. This includes electronic and paper records.
Does the GLBA Safeguards Rule Apply to Harvard?
Yes. Earlier this year, the Federal Trade Commission ruled that the Safeguards Rule applies to colleges and universities that engage in financial activities, such as servicing loans and providing financial advice. The GLBA Safeguards Rule will affect the University's Student Financial Services' Offices, Deans' Offices, and the Faculty Loan Office.
What does the GLBA Safeguards Rule Require?
The Safeguards Rule requires businesses engaged in financial activities to develop, implement and maintain an information security program, including administrative, technical and physical safeguards.
For more information, contact Tina Sheldon, RMAS, at 617-496-7175 or Mary Feeney, OGC, at 617-495-9687.
What are the elements of a good compliance program?
For an organization to have an effective compliance program, the following seven elements are required:
Existence of Written Standards
Effective Oversight
Due Care in Delegation of Authority
Training
Monitoring
Discipline
Corrective Action
These seven elements of a compliance program may be found in the November 11, 1991 United States Sentencing Commission Guidelines, Sentencing for Organizations. The full description from the guidelines follows:
- The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.
- Specific individuals within high-level personnel of the organization must have been assigned the overall responsibility to oversee compliance with such standards and procedures.
- The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.
- The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, e.g. by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.
- The organization must have taken reasonable steps to achieve compliance with its standards, e.g. by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.
- The standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.
- After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modifications to its program to prevent and detect violations.
Source: Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability; Jeffrey M. Kaplan, Joseph E. Murphy, Winthrop M. Swenson; West Group, 10/2000.
RISK MANAGEMENT
Who manages risk at the University?
Some departments are responsible for managing specific risk areas. For
example, the Office of Human Resources manages employment risks. Similarly,
Environmental, Health & Safety consults on environmental risks.
However, as employees or agents of the University, we are all risk managers.
What does that mean? Whether "risk manager" is in our job title
or job description is irrelevant. We all are presented with risk in the
workplace. For example, we all have resources at our discretion, such
as staff, finances, property and information. What we do or do not do
with those resources can either create or mitigate risk.
What is my role in managing risk?
You have two roles in managing risk. The first role is to be aware of
and understand what areas of risk are present in your current position.
For example, if you manage people you need to consider employment laws,
discrimination laws and union contracts. You also need to consider the
University's policies and practices around hiring, firing and creating
a safe work environment.
Once you know your risk areas, you need to consider the implications
of these risks on yourself, your department and the University. This second
role in managing risk requires that you assess each situation and that
you anticipate the consequences of your actions. How do you make such
an assessment? Ask yourself the following questions:
a) Is this action legal? If it is not legal, stop here.
b) Does this action meet the University's standards?
c) Does this action meet my professional standards?
d) Does the "golden rule" apply? How would I feel if I were
treated this way?
e) How would this look on the front page of the newspaper?
These questions provide a framework to assess risk. If you still do not
know what to do, you should seek guidance. The University has many resources
to assist you with your decision-making processes. Such resources include
your Human Resources representative, the Office of General Counsel, the
Office of Risk Management & Audit Services, Environmental, Health
& Safety or the University 'Helpline'.
What is the Risk Management Committee?
The Harvard Risk Management Committee (RMC) provides a forum for identification,
discussion and resolution of major risks facing the University. The RMC
is charged by the President and Provost to provide advice on:
- How the University may assure that faculty and staff are aware of their legal and ethical responsibilities as members of the Harvard community
- What steps should be taken to establish and codify University-wide standards of conduct
- Coordinating and disseminating information regarding training, oversight functions, and internal controls, especially in areas subject to regulations
- Facilitating inter-faculty collaboration and support of risk identification and mitigation strategies
The RMC is endorsed by the President, Provost and Joint Committee on
Inspection and represents an integral part of the University's compliance
initiative. This committee generally meets three to four times a year
and is chaired by the University's General Counsel. Membership is comprised
of senior administrators and faculty from across Harvard University. The
RMC is staffed by RMAS' CRM Group.
What is the role of the Joint Committee on Inspection?
The Joint Committee on Inspection (JCOI) is Harvard's audit committee.
The JCOI has oversight responsibilities for all financial, operational,
and compliance matters and any issues and risks as a result of control
weaknesses in these areas. The JCOI reports to the President and Fellows
of Harvard College (the "Corporation") and fulfills its oversight
responsibilities by reviewing compliance, financial and operational information
to be reported and the systems of internal controls established within
the University and the audit process.
In the conduct of its business, the committee generally meets four times
a year. In fiscal year 2001, the committee adopted a charter which outlines
the committee's general responsibilities.
The JCOI consists of two representatives of the Corporation and three
representatives of the Board of Overseers of Harvard College ("Overseers").
For fiscal year 2003, members of the committee are:
- James Houghton, Chair JCOI (Corporation Member); Chairman of the Board, Emeritus, Corning Incorporated
- Robert D. Reischauer (Corporation Member); President, The Urban Institute
- Karen Gordon Mills (Overseer); Managing Director & Founder, Solera Capital
- Joseph O'Donnell (Overseer); Owner, Chairman, Boston Concession Group, Inc.
- William Lee (Overseer); Managing Partner, Hale and Dorr, LLP
Other regular participants on the Committee include: Ronald Daniel, Treasurer; Ann Berman, Vice President for Finance; Robert Iuliano, Acting Vice President and General Counsel; Deloris Pettis-Donaldson, Director, Risk Management & Audit Services.
AUDIT
How are audits selected?
University audits are selected through a risk assessment process. RMAS communicates with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. The specific audit projects for the year are chosen based on these assessed risk factors. The final plan is also evaluated to ensure adequate representation of schools, departments and affiliates.
What should I expect during an audit?
There are four distinct phases to an audit at the University, and an understanding of these phases will help you to understand the process. First is the Planning Phase, during which the objectives and scope of the audit are determined. Second is the Fieldwork Phase, when interviews are conducted and internal controls, systems, policies and procedures are tested for efficiency and adequacy. Third is the Communication of Results Phase, when the results of the audit are presented in draft form for comment and discussion on findings and recommendations and then as a final published report to management. Fourth is the Follow Up Phase or Post Audit Review (PAR). This is conducted within 18 months of the full audit and is a means to ensure that significant issues in the original audit have been addressed.
Why aren't good practices cited in an audit report?
An audit report has the following objectives: tell what was found, convince management of the work and validity of the findings, and move management toward change and improvement. To accomplish these objectives, audit findings that strengthen the control environment and require management action are given the most attention. However, the report must also be objective and offer an unbiased view of the control environment. This is accomplished in the summary section of the report where an overall assessment of the internal controls is provided e.g. good, adequate, adequate but needs improvement or inadequate. Additionally, a short paragraph will offer the reader an overall assessment and could mention some of the stronger controls in the organization.
Who gets copies of audit reports?
In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know. Generally, this includes the department/function management team, Finance Dean, RMAS Director, Vice President of Finance and the PricewaterhouseCoopers Partner on the Harvard account. The report may also be distributed to those individuals who have significant responsibility for the audit area e.g. Office of Sponsored Research for award management audits.
How confidential is my report?
Your report is issued to those on the distribution list and its content is held in confidence within RMAS. The distribution of reports to others that may request a copy must be approved by the RMAS Director. This restriction prevents an indiscriminate broadcasting of reported information to people without a need to know.
REGULATIONS
If I have a grant or contract with the federal government, are there any laws I should be concerned with?
Yes, the Federal Civil False Claims Act applies to individuals and corporations that do business with the federal government. The Federal Civil False Claims Act is an anti-fraud law. Under the Act, an individual or corporation is liable if they knew or should have known that they submitted a false claim to the federal government. If you would like more information, please contact Risk Management & Audit Services.
If I have international business travel, are there any laws I should be concerned with?
Yes, the Foreign Corrupt Practices Act applies to individuals or corporations who conduct business in a foreign country. The Foreign Corrupt Practices Act is often referred to as the anti-bribery law. Under the Act, an individual or corporation is prohibited from either directly or indirectly bribing a foreign official or foreign political office. If you would like more information, please contact Risk Management & Audit Services.
What is the HIPAA Privacy Rule?
This is a federal law that protects the privacy of individually identifiable
health information, such as medical history, diagnosis, treatment, or
payment information. Protected information also includes demographic information,
such as date of birth and social security number, that is maintained with
health information. The protection applies to all forms of information,
including electronic and paper.
This law was created in response to the growing anxiety among Americans
about the use and dissemination of health information in an age when computers
allow easy sharing of data. Although HIPAA will present challenges to
researchers who study health issues, Harvard’s compliance efforts
should be viewed as an opportunity to demonstrate to the public that scientists
treat confidential health information responsibly.
Will the HIPAA Privacy Rule affect my research?
Yes, if you collect health information, whether about individuals or in aggregate form, from any of the following: health care providers, including hospitals; health plans, including insurance companies; or health care clearinghouses, including third party administrators of health plans. Under HIPAA these groups are considered “covered entities” and are limited in their ability to share individually identifiable health information with researchers.
How could the HIPAA Privacy Rule affect my research?
After April 2003, covered entities will not be able to share health information with you unless: (1) the covered entity first obtains from each patient whose information is to be disclosed a written authorization to share that information with you; (2) your school’s IRB or the covered entity’s IRB approves a waiver of patient authorization; (3) the covered entity “de-identifies” the health information before disclosing it to you; or (4) the covered entity shares only a “limited data set” under the terms of a Data Use Agreement that meets HIPAA requirements.
Under the HIPAA Privacy Rule, covered entities will be required to keep a record of certain releases of health information for research purposes. Covered entities will also be required to give patients, upon their request, an accounting of all such disclosures. These new requirements could make obtaining data from covered entities more challenging after April 2003.
If the HIPAA Privacy Rule does not take effect until April 2003, why should I worry about it now?
If you are conducting longitudinal studies involving patient health information, you may want to begin obtaining patient authorizations sooner rather than later to assure the use of data collected after April 2003 in the event subjects later become unreachable.
If you intend to obtain patient information that will be created by a particular covered entity before and after April 2003, you should consider contacting the covered entity at the earliest opportunity about obtaining patient authorizations.
Are there any exceptions to the HIPAA Privacy Rule?
Yes, there are several exceptions. For example, a covered entity may share information with you concerning deceased patients if you meet certain criteria. In addition, a covered entity may permit you access to health information to assist you in designing a research protocol provided certain conditions are satisfied.
My research involves only de-identified data, so why should I be concerned about the HIPAA Privacy Rule?
Data that is considered de-identified today may not be considered de-identified when HIPAA takes effect. The privacy rule names 18 separate identifiers that must be removed from patient records before that information can be considered de-identified. You will need to consider whether the resulting data will be of use once this information is removed.
Covered entities have the option of stripping fewer identifiers from patient records but only if an expert with knowledge of statistical and scientific principles and methods assures that patients will not be identifiable from the disclosed data or by comparison of the data with other sources of information.
Another option is to obtain a limited data set. This data set can contain more information about subjects, such as dates of birth and 5-digit zip codes, than de-identified data. This disclosure requires a Data Use Agreement between you and the covered entity that establishes the permitted uses and disclosures of the data set.
Alternatively, you can apply for a waiver from your school’s IRB, as discussed in a previous question.
For more information contact Risk Management & Audit Services, the Office of the General Counsel, or your school’s IRB Administrator.
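The three data-release options described above (full Safe Harbor de-identification, a limited data set under a Data Use Agreement, or a record that is still identifiable) differ only in which fields survive. The following Python is an added illustration and is not part of the RMAS FAQ: it applies the Safe Harbor treatment to a constructed patient record (strip the direct identifiers, keep only the year of dates, report ages over 89 as "90+", truncate ZIP codes to three digits), builds the limited data set for comparison (dates, city and 5-digit ZIP stay, direct identifiers go), and offers a check a data custodian can run on a record before release. The field names, the sample record and the `SMALL_ZIP3_AREAS` set are assumptions made for the example; the real list of low-population ZIP prefixes comes from census data.

```python
"""Safe Harbor de-identification versus a HIPAA limited data set.

Added example; the record layout and sample values are constructed for
illustration and are not taken from the RMAS FAQ.
"""
from datetime import date
from typing import Any, Dict, List

# Direct identifiers that are removed from BOTH a de-identified data set and a
# limited data set: names, contact details, record/account/device numbers, etc.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000"
# under Safe Harbor. Placeholder set for this example; use census figures in practice.
SMALL_ZIP3_AREAS = {"036", "059"}

# Date fields: Safe Harbor keeps only the year; a limited data set may keep them whole.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# April 2003, the Privacy Rule compliance date referred to in the FAQ.
AS_OF = date(2003, 4, 14)


def age_on(as_of: date, dob: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of record."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue  # names, contacts and sub-state geography are dropped
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3_AREAS else zip3
        elif key == "date_of_birth":
            age = age_on(as_of, value)
            out["age"] = "90+" if age > 89 else age  # ages over 89 are aggregated
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year  # only the year survives
        else:
            out[key] = value  # e.g. state, diagnosis code
    return out


def limited_data_set(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the limited data set: dates, city, state and 5-digit ZIP stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor_violations(record: Dict[str, Any]) -> List[str]:
    """Fields that stop a record from qualifying as de-identified.

    A custodian can run this over a data set before it leaves the covered entity.
    """
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            problems.append(key)
        elif isinstance(value, date):
            problems.append(key)  # a full date is itself an identifier
        elif key == "zip" and len(str(value)) > 3:
            problems.append(key)
    return problems


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-000123",
    "street_address": "1 Example Way",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02138",
    "date_of_birth": date(1910, 3, 4),
    "admission_date": date(2002, 11, 20),
    "diagnosis_code": "I10",
}

if __name__ == "__main__":
    print("violations before:", safe_harbor_violations(SAMPLE_RECORD))
    print("safe harbor:      ", safe_harbor(SAMPLE_RECORD, AS_OF))
    print("limited data set: ", limited_data_set(SAMPLE_RECORD))
```

Running it shows the trade-off the FAQ describes: the Safe Harbor output keeps only state, a three-digit ZIP, an age bucket, the admission year and the diagnosis code, while the limited data set retains the full dates and 5-digit ZIP that a longitudinal study may need, which is why that release requires a Data Use Agreement.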
What is FERPA?
FERPA stands for the Family Educational Rights and Privacy Act. This is a federal law passed in 1974 to protect the privacy of student records. FERPA protects students who are currently enrolled or formerly enrolled in higher education institutions that receive federal funding.
What are students’ education records under FERPA?
Student education records are records, files or documents that contain information directly related to a student and are maintained by the university. Examples include the university telephone directory, student registration forms, graded papers, and advising packets. It is important to note that FERPA applies to both paper and electronic records.
There are several exceptions to FERPA, for example campus security records and student employment records.
Can information be released for a student directory?
Directory information, which generally includes information such as a student’s name, address, telephone number, and major field of study, can be released without written consent of the student.
However, universities are required to annually notify students in attendance of what constitutes directory information. This notice must also provide procedures for students to restrict the institution from releasing their directory information.
What rights do students have under FERPA?
Under FERPA, students have several rights, including the right to inspect and review their education records, the right to seek the amendment of education records, and the right to consent to and limit disclosure of information from education records.
What is the USA Patriot Act?
The USA Patriot Act is the acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. Congress enacted the USA Patriot Act in response to the terrorist acts of September 11, 2001.
The Act immediately took effect when signed by President Bush in October 2001. The Act gives law enforcement agencies new powers to investigate terrorist crimes and track suspects.
How does the USA Patriot Act impact higher education?
There are several provisions of the Act that impact colleges and universities.
One, the Act impacts information technology offices. The Act expands the government's ability to obtain technology-related information through warrants, subpoenas and court orders. Technology-related information includes telephones, computers and Internet access.
Two, the Act impacts registrar's offices. The law grants certain federal officials the power to view some private student records when investigating terrorism. The Act amends the Family Educational Rights and Privacy Act, which protected student educational records, in some circumstances. The USA Patriot Act permits law enforcement officials to monitor foreign students and to collect student information from the National Center for Educational Statistics. Registrar's offices are required to report information regarding foreign nationals.
Three, the Act impacts environmental, health and safety offices as well as research administrators. The law expands the coverage of existing restrictions on the possession and use of select biological agents and toxins. The law also makes it a crime for certain restricted persons to possess a select biological agent or toxin. In addition, the law requires that security and access controls be in place.
What if I have additional questions?
Contact the Office of the General Counsel, Provost's Office, or Environmental Health and Safety Office.
INSURANCE
How do the University's self-insurance programs work?
The University has a self-insured program for property, liability and automobiles. In the Self-Insured Property Program, a reserve is set up to fund for University losses, third party claim payments and to pay the premiums for excess insurance. Each fiscal year departments are charged a property and liability premium, allocated per building, to maintain the property and liability reserve. Departments with University vehicles are charged an annual premium per vehicle to maintain the auto reserve.
The Self-Insured Property Program is based as closely as possible on commercial insurance guidelines as regards coverages and exclusions.
What if a loss or damage occurs to a Harvard building?
Emergency repairs and other reasonable steps should be taken to protect the property from further damage. As soon as possible notify the Insurance Department of the details of the loss, by telephone (617-495-8668) and also submit a Property Loss Report Form. Further repairs should not be started until the scope of work and estimated costs for repairs have been agreed upon between the department and the Insurance Department.
Will insurance pay all of a department's repair/replacement costs after a loss?
Insurance reimburses the cost to repair or replace with like-kind or quality. Every attempt is made to reimburse the department the costs to put the building back to the condition it was in prior to the loss. A department may incur some costs not covered by insurance since there are normal limitations and exclusions to the policy. The Insurance Department will explain the coverage in more detail when determining the scope.
Are building contents automatically insured on the University's Property Policy?
Yes, there is limited coverage for contents on this policy, $250,000 per building. These contents must be University owned and the policy excludes losses due to theft. Departments can insure equipment and contents for a higher limit and include losses due to theft by purchasing additional contents insurance (Open Marine Policy). This insurance can be obtained by contacting the Insurance Department.
What if someone is injured on our premises?
Harvard employees are instructed to ask the injured person if he/she needs assistance. If possible let the injured person tell you what he/she wants to do. If medical attention is required call 9-911. Offer to call a family member or a friend and contact H.U.P.D. for assistance. Employees should never make a statement regarding liability or payment of bills. The Insurance Department should be notified of all incidents involving bodily injury to a third party (student, visitor or guest) as soon as possible by telephone (617-495-8668) and an Employee Incident Report Form should also be submitted.
What if a tenant, student or employee wants to be reimbursed for damage to personal property?
You can instruct person(s) wishing to file a claim to contact the Insurance Department directly by telephone or by submitting a Claimant Incident Report Form. Claims for damage to personal property are sent to our liability carrier to determine whether there is negligence on the part of the University. Our insurance company will investigate the incident and arrange the settlement or denial of any claims. Refer to the section on Comprehensive General Liability for further information.
What if a department wants to buy, sell or lease a vehicle?
Contact the Insurance Department for instructions prior to buying, selling or leasing a vehicle. The Insurance Department will process the registration, insure the vehicle on the University's Automobile Insurance Policy and provide guidelines on the use of vehicles, driver training and authorizing drivers.
What should a driver do if an accident occurs while driving a University vehicle?
In the event an accident occurs, the driver should do the following:
DO NOT ADMIT LIABILITY TO ANYONE.
Exchange vehicle information with the other driver - name, address, license number, plate number, year, make, model of car, name of Insurance Company.
If necessary, contact HUPD or the local police.
Report all accidents immediately to Insurance Department, 617-495-8668, FAX 617-496-0505.
Submit Auto Accident Report Form to Insurance Department, Holyoke 460.
If a Harvard employee is injured, he/she should file a report with the Department of Human Resources - Worker's Compensation, Holyoke 6th Floor, tel. 617-495-2786, FAX 617-496-3998.
INFORMATION SYSTEMS
What are internal controls?
Internal control refers to the means by which an organization manages risks that could impact the achievement of goals and objectives. The primary objectives of internal control are to ensure:
The reliability and integrity of information (e.g. operational and financial)
Compliance with policies, plans, procedures, laws and regulations
The safeguarding of assets
The economical and efficient use of resources
The accomplishment of established objectives and goals for operations or programs.
Can I request an Information Systems Audit, and how much do they cost?
If you have concerns about a particular process, system or application you can ask us to review it. We'd be happy to discuss it with you, decide what type and scope of review makes sense and schedule it when resources are available. You will not be charged for any work that we do with our in-house staff. If we need to obtain expertise from outside the University, you may be required to pay for that expense.
Are there systems security standards?
While there aren't any hard and fast standards, there are best practices that systems should conform to in order to maintain reasonable security. University Information Systems (UIS) maintains links to security guides by vendor and service here.
Who should I call if my system is attacked by a hacker?
Call or email the Network Security Incident Response Team (NSIRT) of University Information Systems (UIS). Call 496-4736 at any time. During business hours (Monday to Friday 8 a.m. to 6 p.m.), a staff member will take your call. After hours you can leave a voice mail to page the on-call engineer. You can email them at nsirt@harvard.edu. A team member can assist you in further evaluating the situation and determining what follow-up actions to take.
What does a systems audit entail?
There are different types of systems audits. The purpose of an audit is to evaluate the system controls that deal with security, access, user management, and data integrity. Click here to see an outline of the different types of systems audits and what they include.
How do I protect my PC system from a virus?
You should have virus protection software installed on your PC. Both McAfee and Norton AntiVirus work well. You should be sure that the software is configured to automatically scan files on floppies and files you download from the Internet. The software must have its virus definitions updated every month in order to stay current and provide the best protection. These definition files can be downloaded for free from the software vendor's site. Check with your local IT support organization for which software your department or school uses and the procedures for updating the virus definitions.
In addition, you should NEVER open an email attachment unless you're sure that it is free of viruses. In particular, don't open any attachments that have an extension of "vbs" or "exe"; these are programs, and unless you expect to receive a program from the sender, they are likely to be malicious.
What are the controls that should be considered when developing a new application?
The development process should be well managed to ensure that the desired functionality of a system is delivered.
Specifications should be written and approved prior to development.
Changes to the specifications should be documented and approved.
Testing should take place in a test environment before going live.
If the system receives data from or sends data to other systems, these interfaces should be tested with the other system.
The expected results of the test should be known before beginning the test.
Test results should be reviewed and approved by the business owner of the application.
If the data used by the application is confidential, either non-confidential test data should be used or care should be taken that unauthorized individuals do not see the confidential data during testing.
A project plan should be developed that includes milestones, expected completion dates and responsible individual(s).
If data is being converted from an older system, the conversion effort needs to be built into the project plan and tested prior to implementation.
Training required to use the system should be designed and ready to be given just prior to implementation.
Training should include changes in business processes as well as system use.
What controls should applications have?
The levels of controls that should be in place for a system should be directly proportional to the risk associated with the system. Higher risks require a higher level of controls in place over the system.
The following is a list of some basic control areas to be considered for an automated system:
Access to the system should be restricted to users based on their roles and responsibilities.
User accounts should be kept current and disabled when employees leave.
Monitoring should be performed to detect intruders on the system.
Changes made to the system should be authorized, tested and documented.
A daily backup of the system should be performed and backup tapes should be stored off-site.
A disaster recovery plan should be developed, documented and tested.
Physical access to the computer that the application runs on should be considered.
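As an added illustration (not part of this FAQ or of any University tool), the following script shows how an auditor might test three of the control areas listed above against constructed sample data: role-based access, disabling accounts when employees leave, and daily backups with an off-site copy. The HR roster, account export, role matrix and backup log are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed HR roster: employee id -> (job function, still employed?)
HR_ROSTER = {
    "e100": ("clerk", True),
    "e101": ("manager", True),
    "e102": ("clerk", False),  # left the University; account should be disabled
}

# Constructed account export from the application being audited
ACCOUNTS = [
    {"user": "e100", "roles": {"clerk"}, "enabled": True},
    {"user": "e101", "roles": {"manager", "admin"}, "enabled": True},
    {"user": "e102", "roles": {"clerk"}, "enabled": True},
    {"user": "svc_batch", "roles": {"admin"}, "enabled": True},
]

# Assumed role matrix: roles each job function is permitted to hold
ALLOWED_ROLES = {"clerk": {"clerk"}, "manager": {"manager", "clerk"}}

# Constructed backup log: (date completed, copy stored off-site?)
BACKUPS = [(date(2003, 3, 1), True), (date(2003, 3, 2), False)]

def access_findings(accounts, roster, allowed):
    """Test the role-based access and leaver-disablement controls."""
    findings = []
    for acct in accounts:
        emp = roster.get(acct["user"])
        if emp is None:
            findings.append(f"{acct['user']}: no matching employee record")
            continue
        job, employed = emp
        if not employed and acct["enabled"]:
            findings.append(f"{acct['user']}: employee has left but account is still enabled")
        extra = acct["roles"] - allowed.get(job, set())
        if extra:
            findings.append(f"{acct['user']}: roles {sorted(extra)} exceed job function '{job}'")
    return findings

def backup_findings(backups, today):
    """Test the daily backup and off-site storage controls."""
    findings = []
    latest = max((d for d, _ in backups), default=None)
    if latest is None or today - latest > timedelta(days=1):
        findings.append("no backup completed within the last day")
    elif not any(offsite for d, offsite in backups if d == latest):
        findings.append("most recent backup has no off-site copy")
    return findings
```

Run against the constructed data, the access test reports the departed employee's live account, the manager's extra admin role and the service account with no owner; the backup test reports that the latest backup has no off-site copy.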