What are the two types of control activities?

Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.

Frequency of Controls

Depending on the underlying processes or functions, associated risks, and desired control objectives, control activities may be designed to operate at varying frequencies: recurring, daily, weekly, monthly, quarterly, annually, or as-needed (ad hoc). You may need more frequent controls for higher risk processes or functions.

Primary Types of Control Activities

Depending on when they are intended to function, there are two basic types of internal control activities: preventative and detective. An optimal system of internal controls will have both.

Preventative Controls

Preventative controls protect the university by helping to identify and address problems before they happen. 

Examples:

  • Segregation of duties
  • Authorization requirements to prevent improper use of university resources
  • Enforcement of clear recordkeeping and documentation procedures
  • Protections for passwords and other information
  • Physical control over assets

Detective Controls

Detective controls are designed to find errors or fraud in transactions after they have occurred, as well as identify missing assets or invalid transactions. Properly designed and operating detective controls will also help determine if preventative controls are functioning properly.

An important detective control is reconciliation, which compares two sets of data to one another, and identifies/investigates differences.

Other detective control examples include:  

  • Reviewing procurement card statements for appropriateness, allowability, and proper allocation.
  • Conducting post-transaction reviews on such things as exception reports as well as conducting analytical reviews, routine budget-to-actual reviews, and key metrics monitoring.
  • Reviewing transactions after the fact for reasonableness and proper approvals.
  • Conducting physical asset counts.

When controls find errors or improper activities, unit management must take sufficient remedial actions, including root-cause analysis and error correction, and implement necessary corrective measures to prevent such issues from recurring.

Other Types of Controls

You should also consider including these important characteristics of internal controls when designing controls to implement in unit-level internal control plans:

Manual vs. Automated Controls

Depending on the control objective, available data and resources (e.g., software), and other factors, controls may be manual or automated.    

  • Manual controls rely on human actions. For instance, a human must review and give approval for certain proposed transactions.
  • Automated controls rely on computerized (electronic) actions. For instance:
    • Authentication measures are put in place to authorize access to a system or process a transaction.
    • Edit functions can ensure data accuracy and completeness.
    • Transaction matching can be automated to facilitate reconciliations between two sources or systems.
    • Automated alerts can notify a user of activity based on pre-established parameters.
    • Analytical routines can identify transactions that are outside of policy compliance. 

Compared to manual controls, automated controls are generally more consistent and efficient and may be built into software used for business processes; however, automated controls are dependent upon design/programming and limited to discrete control objectives. Manual controls allow for the use of judgment in performing control activities.

You can use a combination of manual and automated practices, as well. For instance, you can automate reconciliations with electronic transaction matching but require a manual investigation and resolution of unreconciled amounts and a manual review of the completed reconciliation following established protocols.

Transaction vs. Summary-Level Controls

Controls intended to function at the transaction or process level typically involve assessing discrete functions or transactions, while controls operating at a summary level evaluate an aggregation of transactions or functions.  Examples include the following:

  • Transaction/process level: Reviewing travel expense reimbursements, reviewing procurement card transactions and accompanying receipts, or approving an individual’s access to an IT system.
  • Summary level: Comparing budget to actual spending at the account or object code levels or reviewing financial statements or reports for unusual or unexpected activity or fluctuations.

Centralized vs. Decentralized Controls

Certain control activities take place in centralized functions (e.g., Accounting, Sponsored Financial Services), while others occur in distributed (decentralized) units (e.g., department or business service center transaction reviews and approvals). To ensure that identified risks are addressed, you must understand where a given control takes place. For example, business service centers and the units they support must maintain service-level agreements that detail key responsibilities for financial controls between the unit and the service center.

Internal controls should be documented sufficiently to demonstrate that controls are in place and functioning as intended (e.g. enable auditors to test performance of the control).

Third-Party Risk Management/Controls

External vendors are a vital component of various business operations. Suppliers may have access to a wide range of information (including financial) from the supported unit. Once information is shared with a supplier using cloud-based software, data storage, or other outsourced services, direct control of it is lost, regardless of its sensitivity or value. As a result, appropriate technical and contractual considerations must be made, and mitigating control processes must be established with all external suppliers that have access to a unit’s financial information. Examples of such processes include:

  • Ensure the existence of a data sharing agreement that clearly defines roles and responsibilities, particularly with respect to data security, data backup and disaster recovery, and the return of data in the event of contract termination.
  • Monitor and continually assess provider performance and compliance. Where available, request from the supplier and evaluate a copy of the annual Service and Organization Controls (SOC) Report. This is an independent report on the design and effectiveness of the controls the supplier has in place that are relevant to the unit’s internal control over financial reporting and data security.
  • When reviewing the SOC Report, it is important to note any control deficiencies identified and determine how the unit’s internal control environment is impacted. In addition, it is important to review the “User Control Considerations” section, which details the internal control processes that are expected to be in place at the unit level to allow for the supplier’s control environment to function appropriately.

Office of Audit, Risk & Compliance • Vanderbilt University • Nashville, TN 37203 • Phone 615-343-6660


The term “control activities” (CA) refers to the policies, procedures, and mechanisms put in place by the management of an organization to reduce the risks identified during the risk assessment process. In short, Control Activities refer to the actions taken by the management to either mitigate or minimize risk. Typically, companies conduct risk assessments to identify risks that could hinder the achievement of their organizational goals and then devise appropriate Control Activities to mitigate the risks. Hence, the need for control activities is an outcome of the risk assessment process.

How Does it Work?

The CA takes place at multiple levels and across all functions of an organization. It is the responsibility of the management to establish effective and efficient control activities, which can be preventive, detective, or corrective in nature.

  • Preventive: These types of CA are relatively cost-effective in nature as these are implemented upfront with the intention to prevent the loss of assets in the first place.
  • Detective: If the preventive CA prove ineffective, these types of control activities kick in to identify the errors or irregularities that can adversely affect the assets.
  • Corrective: Once the detective CA identifies the errors or irregularities, then these types of CA are implemented with the sole intention of fixing the issues at hand. In some cases, overhauling of the existing system is required to put in place a new system to prevent the issues.

Types of Control Activities

Although the following is not an exhaustive list of alternatives available to management, these are some of the most commonly used CA:

  • Authorization: These types of CA are put in place to ensure that all transactions within the organization are carried out according to the limits and exceptions that have been stated in the policy framework or granted by the appropriate officials.
  • Review & approval: These types of CA are put in place to ensure that the appropriate personnel reviews all transactions for accuracy and completeness.
  • Verification: These control activities include various computer and manual controls that are put in place to ensure that all accounting information is captured correctly.
  • Reconciliation: These control activities include validation of accounting information recorded in systems by comparing them with the source data. It helps in ensuring that the financial records are absolutely correct.
  • Physical security over assets: These types of CA are put in place to ensure that the assets are protected from losses or damages due to negligence, fraud, theft, natural disaster, accident, etc.
  • Segregation of duties: These types of control activities help in reducing the risk of human error, negligence or fraud by involving more than one person in a particular process.
  • Education, training & coaching: These types of control activities help in reducing the risk of error due to inefficiency in operations by providing proper education and training to the personnel so that they perform their duties commendably. However, it is important to review the education and training programs periodically to ensure that they remain updated as per the current industrial and organizational practices.
  • Performance planning & evaluation: These types of control activities establish the key performance indicators that the organization can use to identify the unexpected and unusual changes in trends. These changes can be the precursor of something much worse and hence require deeper investigation. The evaluations are usually carried out at multiple levels within the organization or as found appropriate by the management.

Examples of Control Activities

Now, let us look at some of the examples to understand how the CA help in an actual organizational set-up.

Example #1

Over the years, technology has evolved to offer a very high level of accuracy. However, the outputs are still based on the inputs made by humans. Hence, the risk of inaccurate output due to erroneous and incorrect input is always there. To prevent the risk of human error, negligence or fraud, the duties can be segregated among two persons so that no one person handles the entire process. The first person will input the transactions, while the second person will authorize the transactions. This control system can mitigate the risk to a large extent only if the two persons don’t end up colluding to deceive the system.

Example #2

A particular company designed some new policies to review and reconcile the accounts receivable to ensure timely detection of the delinquent accounts and planning of appropriate actions. The new policies mandate weekly reconciliation of the accounts receivable recorded in the system to the available receipts by the Accountant. The Assistant Controller should then review the reconciliation. At the end of the month, the Account Receivable Supervisor should age the outstanding receivable balances, which the Assistant Controller should then review. Finally, the delinquent accounts should be taken up for further investigation, while the Controller should approve the written-off bad debt.

Conclusion

  • Control activities are the actions taken by the management at multiple levels and across all functions of an organization to either mitigate or minimize risk.
  • There are three major types of CA – Preventive control activities, Detective control activities, and Corrective control activities.
  • Authorization, review & approval, verification, reconciliation, physical security over assets, segregation of duties, education, training & coaching, and performance planning & evaluation are some of the most commonly used CA.
