Components of internal control - Control activities and segr...

Learning Outcomes

By studying this article, you will be able to explain the role of control activities and segregation of duties within internal control systems. You will identify common types of control activities, understand the principle of effective division of responsibilities, and recognise how auditors evaluate, test, and report on the effectiveness of these controls. You will also be prepared to identify deficiencies and recommend improvements in scenarios.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand how control activities and segregation of duties contribute to a reliable internal control system. In particular, this article addresses:

• The five components of internal control, emphasising control activities.
• Types and purposes of specific control activities, including authorisation, reconciliation, verifications, and physical controls.
• The principle and benefits of segregation of duties.
• Examples of direct and indirect controls and their relevance in audit procedures.
• How auditors assess, test, and report on control activities and segregation of duties.
• Identifying and recommending improvements to deficiencies in control systems.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

1. Which of the following is an example of a direct control activity?
   1. Annual general meeting
   2. Monthly bank reconciliation
   3. Company vision statement
   4. Corporate social responsibility strategy

2. Why is segregation of duties important in internal control systems?

3. Match each type of control activity with an example:

   • Authorisation ⟶ **____**
   • Physical control ⟶ **____**
   • Reconciliation ⟶ **____**

4. In an entity where one employee both prepares and approves bank payments, what control deficiency exists, and what recommendation would you provide?

Introduction

Internal control is a structured process that helps an entity achieve reliable financial reporting, operational efficiency, and compliance with laws. Within this framework, control activities are the procedures established to prevent, detect, and correct errors or fraud. A critical feature of many control activities is segregation of duties, which divides key responsibilities among different people to reduce the risk of intentional wrongdoing or error.

Key Term: control activities
Specific policies and procedures designed to ensure that management directives are carried out and that risks to achieving objectives are mitigated.

Understanding Control Activities

Control activities are the backbone of the internal control system. They are implemented at all levels of an organisation—over processes, transactions, and at the overall entity level. These activities are critical in preventing and detecting material misstatement, whether due to error or fraud.

Types of Control Activities

Typical control activities include:

• Authorisation: Ensuring that only properly approved transactions take place.
• Reconciliation: Regular comparison of independent records to identify differences.
• Verification: Checking accuracy, completeness, or quality of transactions or balances.
• Physical controls: Securing assets and records (e.g., locked storerooms, passwords).
• Segregation of duties: Assigning different steps in key processes to different individuals.
• Supervisory controls: Ongoing review of work by senior personnel.

Each type of activity plays a distinct role in managing risks. For example, authorisation limits access to assets, while verification checks that transactions are valid and recorded accurately.

Key Term: authorisation
The granting of approval by a responsible person before a transaction is processed.

Key Term: reconciliation
The process of comparing two independent sets of data to ensure their consistency and accuracy.

Key Term: physical control
Measures taken to safeguard assets or documents from theft, loss, or unauthorised use.

Worked Example 1.1

A clerk prepares monthly bank reconciliations, which are then reviewed and signed off by the finance manager. What control activities are present, and how do they reduce risk?

Answer:
Bank reconciliation is a control activity that helps detect errors or fraud in cash records. The review by the manager adds a layer of supervisory control, increasing oversight and ensuring the clerk’s work is independently checked.

Segregation of Duties

Segregation of duties (SOD) is the division of transactions or decision-making steps among different people. The aim is to ensure that no single person has responsibility for all parts of a transaction, reducing the risk of both unintentional errors and deliberate fraud.

Proper SOD means that duties such as authorising transactions, recording them, and maintaining custody of assets are performed by separate individuals.

Key Term: segregation of duties
The allocation of related responsibilities to different people, so that no single person controls all aspects of a key process. Main duties to segregate:

• Initiating or authorising transactions (e.g., approving purchases)
• Recording or processing (e.g., bookkeeping entries)
• Custody or stewardship of assets (e.g., holding inventory or cash)
• Reviewing and reconciling records

Failure to segregate duties increases the risk of both errors (going undetected) and fraud (being perpetrated and concealed by the same person).

Worked Example 1.2

A company’s cashier is responsible for both collecting cash from customers and updating the sales ledger. Identify the risk and recommend a control improvement.

Answer:
The risk is that the cashier could misappropriate cash without detection, as they both handle the cash and record receipts. A recommended control is to have one person collect cash and another record it, followed by regular reconciliation with deposits.

Direct vs Indirect Controls

Direct controls focus specifically on the accuracy or completeness of specific transactions or balances (e.g., reviewing and signing payroll reports for accuracy). Indirect controls support the overall control environment—such as management’s attitude or company policies—but do not directly act on transactions.

Evaluating and Testing Controls

Auditors assess whether control activities—and segregation of duties in particular—are appropriately designed and operating effectively. This involves:

• System walkthroughs: Tracing transactions through the process to observe controls.
• Inquiry and observation: Asking staff to demonstrate controls and observing them being performed.
• Inspection: Reviewing documentation for evidence of controls (signatures, segregation, reconciliations).

If controls are designed and implemented correctly, the auditor may place more reliance on them and reduce substantive testing.

Key Term: test of control
An audit procedure performed to evaluate the operating effectiveness of a control in preventing, or detecting and correcting, material misstatements.

Common Deficiencies and Auditor Recommendations

When reviewing systems, the auditor seeks to identify where control activities or segregation of duties are weak or absent. Regular problems include:

• One individual performing incompatible duties (e.g., initiating and approving payments).
• Absence of independent review over critical reconciliations.
• Poor documentation of authorisation or supervisory controls.

Recommendations may include introducing dual signatories, rotating duties, implementing independent reconciliations, or strengthening physical controls.

Worked Example 1.3

A purchase ledger clerk can both add new suppliers and authorise payments. What is the deficiency and solution?

Answer:
The clerk can create false suppliers and approve fake payments, leading to fraud. Recommended solution: Only allow senior staff to authorise payments, and segregate supplier creation from payment approval.

Exam Warning

In the exam, you must not simply list types of controls—always explain how each control (e.g., segregation of duties) addresses a specific risk. Marks are lost for generic answers.

Revision Tip

When you identify a deficiency, always state the risk it creates (e.g., fraud, overpayment) and recommend a practical control addressing both the specific weakness and its cause.

Summary

Control activities are the practical procedures that bring internal control to life. Segregation of duties is a core principle ensuring that no single person can cause and conceal errors or fraud. Auditors must understand, test, and evaluate these controls, identify any deficiencies, and provide actionable recommendations to management.

Key Point Checklist

This article has covered the following key knowledge points:

• Explain the purpose and types of control activities within internal control systems.
• Define segregation of duties and its importance in preventing and detecting fraud and errors.
• Distinguish direct from indirect controls, and identify which is tested by auditors.
• Describe how auditors evaluate, test, and document control activities and segregation of duties.
• Identify practical control deficiencies, explain the risks, and recommend improvements.

Key Terms and Concepts

• control activities
• authorisation
• reconciliation
• physical control
• segregation of duties
• test of control