No. Procedural controls will always be required. For
example, the procedures for granting users access to a data
system or the procedures for changing, modifying, or removing
a person’s access to a data system would be examples of
procedures that are required by the regulation that the data
system is not necessarily going to be able to address. Currently,
the data system can create those accounts and change user
privileges. But the procedure for how that is done is normally
going to require some type of record keeping that includes
management reviews and approvals of system access or
changes to system access. So, procedural controls are not
going to go away completely.