What Are Control Activities in Accounting?

Learn how internal controls are designed to mitigate financial risks, creating a framework for reliable reporting and operational integrity.

Control activities are the policies and procedures that help ensure management’s directives are carried out. These actions are designed to mitigate risks, promote operational efficiency, and ensure the reliability of financial reporting and compliance with applicable laws. They are performed at all levels of an organization and across various business processes and technology environments.

The Role of Control Activities in Risk Management

Control activities are a direct response to risks identified through a formal risk assessment process. They are specifically designed to address and mitigate potential events that could prevent an organization from achieving its goals. The purpose of these activities is to reduce identified risks to an acceptable level, ensuring the company can operate with confidence in its financial and operational outcomes.

These activities are a component of a broader internal control framework. The most widely recognized model is the Internal Control – Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework, often used by public companies to comply with regulations like the Sarbanes-Oxley Act (SOX), situates control activities as one of its five components. Within this structure, they are the specific actions taken to put risk management policies into practice.

The relationship between risk and control is continuous. As business environments change, new risks emerge, and existing ones evolve. Consequently, an organization must continuously assess its risks to ensure that its control activities remain relevant and effective. This process helps maintain the integrity of financial reporting and safeguard company assets.

Common Categories of Control Activities

Control activities can be categorized to address various risks within an organization. These categories include a mix of preventive controls, which are designed to stop errors or irregularities from happening, and detective controls, which are intended to find issues after they have occurred.

Segregation of Duties

A principle of internal control is the segregation of duties, which involves dividing responsibilities for authorizing transactions, recording them, and maintaining custody of the related assets. The goal is to ensure that no single individual has control over all aspects of a transaction, thereby reducing the risk of errors and fraudulent activity. For example, the employee who approves a purchase order should not be the same person who receives the purchased goods or processes the payment to the vendor.

Authorizations and Approvals

Formal authorizations and approvals ensure that transactions are valid and align with management’s intentions. These controls take the form of approvals from individuals with the appropriate level of authority. A common example is requiring a manager’s signature on employee expense reports that exceed a specific dollar amount, such as $500. Another instance is requiring senior management approval for capital expenditures or the hiring of new personnel.

Verifications and Reconciliations

Verifications and reconciliations are detective controls used to compare different sets of data to ensure they are accurate and in agreement. The most common example is a bank reconciliation, where a company’s cash records are compared to its bank statement. This process helps to identify discrepancies, such as unrecorded bank fees or outstanding checks, and allows for timely correction. Verifying the mathematical accuracy of a vendor’s invoice before payment is another control that prevents overpayment.

Physical Controls

Physical controls pertain to the safeguarding of assets. These measures are designed to limit access to valuable resources and protect them from theft or damage. Examples include keeping cash in a locked safe, storing inventory in a secure warehouse with restricted access, and using password protection to secure computer systems. Periodic physical counts of inventory or cash can also be compared to accounting records to detect any discrepancies.

Designing and Implementing Control Activities

The process of designing and implementing control activities is systematic and tied directly to an organization’s objectives and risks. It begins with a clear identification of a specific business objective, such as ensuring all sales transactions are accurately recorded in the general ledger.

Once the objective is defined, the next step is to identify the risks that could prevent its achievement. For the objective of accurate sales recording, a potential risk is that a salesperson makes a sale, but the transaction is never entered into the accounting system. Another risk could be a data entry error where the wrong amount is recorded.

With risks identified, the organization can design specific control activities. To address the risk of unrecorded sales, a company might implement a control requiring the use of pre-numbered sales invoices and a daily reconciliation of the sequence of invoices issued against the entries in the sales journal. For the risk of data entry errors, a control could involve having a second employee review and verify the accuracy of sales data entered into the system.

Documentation is an important part of implementation. The organization must document the control, detailing who is responsible for performing it, the frequency of its performance, and the evidence that should be retained to prove it was completed. This documentation also outlines the procedures for investigating and correcting any errors discovered.

Monitoring and Testing Control Effectiveness

After control activities are implemented, their effectiveness must be monitored over time to ensure they are operating as intended. This is a continuous cycle of evaluation and improvement. Monitoring can be broken down into two main types of activities: ongoing monitoring and separate evaluations.

Ongoing monitoring is integrated into the regular activities of an organization and is a responsibility of management. It includes routine operational tasks that also serve to confirm that controls are functioning. For instance, a manager’s regular review of departmental budget-to-actual spending reports can serve as a monitoring control, as it may highlight unusual variances that could indicate a control failure.

Separate evaluations, often referred to as testing, are periodic assessments of control effectiveness. This testing is frequently performed by internal or external auditors to provide an independent perspective. Auditors use several methods to test a control’s effectiveness:

  • Inquiry, which involves asking the employee responsible for the control how they perform it.
  • Observation, where they watch the employee perform the control activity.
  • Inspection of documentation, which involves examining the evidence that a control was performed, such as reviewing a signed and dated bank reconciliation.
  • Re-performance, where they independently execute the control procedure themselves to verify that it achieves the desired outcome.

The results of these tests help determine if controls are reliable or if deficiencies need to be addressed.
