Updated: Dec 31, 2022
Control activities are the policies and procedures that help ensure management’s directives are carried out.
Examples include controls to ensure that goods are not shipped to bad credit risk or that only authorised purchases are made.
These controls address risks that, if not mitigated, would threaten the achievement of the entity’s objectives.
Control activities (whether within or outside the general and subsidiary ledgers) are designed to mitigate the risks involved in everyday activities such as transaction processing (business processes such as sales, purchases, and payroll) and safeguarding assets.
Control activities relevant to the audit may also include controls established by management that address disclosures being prepared in accordance with the applicable financial reporting framework — this would be in addition to controls that address risks related to account balances and transactions.
Business processes are structured sets of activities designed to produce a specified output. Business process controls can generally be classified as preventive, detective and corrective, or compensating or steering, as outlined below.
The nature of business process controls will vary based on the risks involved and the specific application.
Typical controls at the business process level would include the matters set out below:-
Controls: Segregation of Duties
Description: These controls can reduce the opportunities for a person to be in a position to both perpetrate and conceal errors or fraud.
Examples: The employee responsible for the accounts receivable processing cannot access cash receipts.
Controls: Authorisation Controls
Description: These controls define who has the authority to approve various routine and non-routine transactions and events.
Examples: Assigning responsibility to authorise:
Hiring of new employees;
Ordering goods and services; and
Extending credit to a customer.
Controls: Account Reconciliations
Description: This includes preparing and reviewing account reconciliations on a timely basis and taking any necessary corrective actions.
Examples: Reconciliations of bank accounts, sales transactions, intercompany balances, suspense accounts, etc.
Controls: IT Application Controls
Description: These controls are programmed into IT applications such as sales or purchases. They include fully automated and partially automated controls.
Examples: Checking the arithmetical accuracy of records, pricing of invoices, editing checks of input data, numerical sequence checks, and production of exception reports for manager review.
Controls: Actual Results Reviews
Description: These controls involve the regular review and analyses of actual results versus budgets, forecasts, and prior-period performance.
It also involves relating different sets of data (operating or financial) to one another and comparing internal data with external sources of information. Unexpected variations would be investigated, and corrective actions would be taken.
Examples: Analysis of operating results, comparing actual results to budget, and investigating variances.
Controls: Physical Controls
Description: These controls relate to the physical security of assets and permitted access to entity premises, accounting records, computer programs, and data files.
Examples: Such controls consist of asset security (door locks and restricted access to inventory/records) and comparing the results of periodic cash, security, and inventory counts with accounting records.
Smaller Entities | 较小的实体
Control activities are designed to prevent a material misstatement or detect and correct a misstatement after it has occurred. In smaller entities, the concepts underlying control activities are likely similar to larger entities, but their relevance to the auditor may vary considerably.
Consider the following:-