Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:
- Authorization.
- Performance reviews.
- Information processing.
- Physical controls.
- Segregation of duties.

An auditor would be required to conduct a walk-through test to confirm the understanding as documented. Identify the preventive controls (exercised before the occurrence of transactions and events) and the detective and corrective controls (exercised after the occurrence of transactions and events) established by management to support its assertions. Preventive, detective and corrective controls can be:
- Application controls
- IT-dependent manual controls
- Manual controls

Application controls are automated controls processed by the entity’s IT applications without manual interference. Examples of application controls are edit checks, validations, automatic calculations, authorizations etc.

IT-dependent manual controls are controls in which we consider both the manual and automated aspects of the control, e.g. a review of a computer-generated sales orders report to determine that all sales are invoiced.

Manual controls are those controls that are operated completely manually, e.g. bank reconciliations, when the entity reconciles cash to the bank statement.

Recommendation

Controls are performed to check the accuracy, completeness, and authorization of transactions. A concept called The Internal Control Stream is introduced by Thomas P. Houck in his book “Why and How Audits Must Change: Practical Guidance to Improve Your Audits”. According to Thomas P. Houck, this concept helps auditors better understand the many controls that can exist in a company. The "stream" represents the path that a transaction follows as it moves from inception to its ultimate resting place in the financial statements. Controls can be located at different spots along the stream. Upstream controls help to ensure that transactions are properly entered into the computer system. Information technology controls are automated controls that help to prevent misstatements. Downstream controls come into play after information is processed in a computer system. An auditor is required to apply appropriate tests of controls to assess the reasonableness of the design of the system of internal control by enquiring of relevant client personnel and documenting the same.