Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.

Frequency of Controls
Depending on the underlying processes or functions, associated risks, and desired control objectives, control activities may be designed to operate at varying frequencies: recurring, daily, weekly, monthly, quarterly, annually, or as-needed (ad hoc). You may need more frequent controls for higher risk processes or functions.

Primary Types of Control Activities
Depending on when they are intended to function, there are two basic types of internal control activities: preventative and detective. An optimal system of internal controls will have both.

Preventative Controls
Preventative controls protect the university by helping to identify and address problems before they happen. Examples:
Detective Controls
Detective controls are designed to find errors or fraud in transactions after they have occurred, as well as identify missing assets or invalid transactions. Properly designed and operating detective controls will also help determine if preventative controls are functioning properly. An important detective control is reconciliation, which compares two sets of data to one another, and identifies/investigates differences. Other detective control examples include:
When controls find errors or improper activities, unit management must take sufficient remedial actions, including root-cause analysis and error correction, and implement necessary corrective measures to prevent such issues from recurring.

Other Types of Controls
You should also consider including these important characteristics of internal controls when designing controls to implement in unit-level internal control plans:

Manual vs. Automated Controls
Depending on the control objective, available data and resources (e.g., software), and other factors, controls may be manual or automated.
Compared to manual controls, automated controls are generally more consistent and efficient and may be built into software used for business processes; however, automated controls are dependent upon design/programming and limited to discrete control objectives. Manual controls allow for the use of judgment in performing control activities. You can use a combination of manual and automated practices, as well. For instance, you can automate reconciliations with electronic transaction matching but require a manual investigation and resolution of unreconciled amounts and a manual review of the completed reconciliation following established protocols.

Transaction vs. Summary-Level Controls
Controls intended to function at the transaction or process level typically involve assessing discrete functions or transactions, while controls operating at a summary level evaluate an aggregation of transactions or functions. Examples include the following:
Centralized vs. Decentralized Controls
Certain control activities take place in centralized functions (e.g., Accounting, Sponsored Financial Services), while others occur in distributed (decentralized) units (e.g., department or business service center transaction reviews and approvals). To ensure that identified risks are addressed, you must understand where a given control takes place. For example, business service centers and the units they support must maintain service-level agreements that detail key responsibilities for financial controls between the unit and the service center. Internal controls should be documented sufficiently to demonstrate that controls are in place and functioning as intended (e.g., to enable auditors to test performance of the control).

Third-Party Risk Management/Controls
External vendors are a vital component of various business operations. Suppliers may have access to a wide range of information (including financial) from the supported unit. Once information is shared with a supplier using cloud-based software, data storage, or other outsourced services, direct control of this information is lost, regardless of sensitivity or value. As a result, appropriate technical and contractual considerations must be made, and mitigating control processes must be established with all external suppliers that have access to a unit’s financial information. Examples of such processes include:
Office of Audit, Risk & Compliance • Vanderbilt University • Nashville, TN 37203 • Phone 615-343-6660
The term “control activities” (CA) refers to the policies, procedures, and mechanisms put in place by the management of an organization to reduce the risks identified during the risk assessment process. In short, control activities are the actions taken by management to either mitigate or minimize risk. Typically, companies conduct risk assessments to identify risks that could hinder the achievement of their organizational goals and then devise appropriate control activities to mitigate the risks. Hence, the need for control activities is an outcome of the risk assessment process.

How Does it Work?
The CA takes place at multiple levels and across all functions of an organization. It is the responsibility of the management to establish effective and efficient control activities, which can be preventive, detective, or corrective in nature.
Types of Control Activities
Although the following is not an exhaustive list of alternatives available to management, these are some of the most commonly used CA:
Examples of Control Activities
Now, let us look at some examples to understand how the CA helps in an actual organizational set-up.

Example #1
Over the years, technology has evolved to offer a very high level of accuracy. However, the outputs are still based on the inputs made by humans. Hence, the risk of inaccurate output due to erroneous or incorrect input is always there. To prevent the risk of human error, negligence or fraud, the duties can be segregated between two persons so that no one person handles the entire process. The first person will input the transactions, while the second person will authorize the transactions. This control system can mitigate the risk to a large extent only if the two persons don’t end up colluding to deceive the system.

Example #2
A particular company designed some new policies to review and reconcile the accounts receivable to ensure timely detection of delinquent accounts and planning of appropriate actions. The new policies mandate weekly reconciliation, by the Accountant, of the accounts receivable recorded in the system to the available receipts. The Assistant Controller should then review the reconciliation. At the end of the month, the Account Receivable Supervisor should age the outstanding receivable balances, which the Assistant Controller should then review. Finally, the delinquent accounts should be taken up for further investigation, while the Controller should approve the written-off bad debt.

Conclusion