In Part III of our series to better understand and implement the COSO framework, we covered Risk Assessment.  This article will focus on Control Activities, which is the third of five internal control components of the COSO Framework.

There are three principles related to the Control Activities component of internal control.

  • The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives.
  • The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

In previous articles, it was discussed that an Organization needs to determine the overall objectives it is hoping to accomplish, as well as what risks are involved in meeting those objectives.  The next step is determining what control activities need to be implemented to mitigate such risks and assist in the Organization achieving its overall objectives.  This can primarily be achieved in two steps:  1) a policy that establishes what should be done and 2) a procedures that implements the policy.

An Organization may elect to communicate policies orally or in writing.  The size of the Organization may play a large role in such a decision. Whether an Organization chooses written or oral, the underlying important factor is that such policies are implemented consistently.

How should control activities be selected?  Think through the processes in place at your Organization.  Would it give you a stronger internal control process if any of the following were implemented over various transactions at your Organization?

  • Authorization/approval – Is a member of management approving purchases, in order to ensure the validity of transactions?
  • Verification – Are purchase orders being compared to invoices/receiving tickets to ensure all products ordered were entered into the general ledger?
  • Physical controls – Who has access to the physical assets, such as secured facilities, cash, inventory, etc.? Are counts performed periodically to verify the assets on hand?
  • Reconciliations – Are bank reconciliations being reviewed by management or a board member?

Additionally, keep in mind that when selecting control activities, they can be either preventive or detective.  Preventive controls are designed to prevent invalid unauthorized transactions from occurring or assets from being misappropriated.  Like their name, the objective is to prevent errors or fraud that could result in a misstatement to the financial statements.  Examples of preventive controls are as follows:

  • Segregation of duties (see additional discussion below for examples)
  • Pre-approval of transactions
  • Computer passwords
  • Job rotations or forced vacations
  • Physical controls over assets

On the other hand, detective controls are designed to identify errors or fraud in transactions that have already occurred.  Their objective is to detect errors or fraud that may have already occurred and could potentially misstate the financial statements.  Examples of detective controls are as follows:

  • Surprise cash counts
  • Reconciliations
  • Internal audits
  • Monitoring

While it may be more desirable to implement preventive controls and potentially stop a problem from occurring, they can break down or be circumvented.  Thus, companies often implement a combination of both preventive and detective controls to achieve a specific control objective.

Segregation (separation) of duties within the various areas of an Organization contribute to a stronger internal control structure.  The following provides examples regarding proper segregation:

Cash Receipts

  • Is the mail opened and a list of daily receipts prepared separate from the individual entering such figures into the general ledger?
  • Is someone other than the cash register attendant maintaining custody to the cash register tape and comparing its reading with the content of cash in the register?

Cash Disbursements

  • Are check signers individuals other than those who might have access to the general ledger?
  • If signature stamps are utilized, are they kept in a restricted area, separate from people with access to purchases, receiving, shipping, check preparation, bookkeeping, etc.?

Additionally, technology is an ever-increasing component that needs to be considered when determining control activities within an Organization.  As more and more purchases are made and bills are paid electronically, it is still imperative to have approval and review processes in place for electronic transactions, no different than any other transaction within the Organization.

Once an Organization can determine the proper processes that provide a strong internal control structure for them, monitoring such processes will be the next step in developing the overall internal control framework, and will be discussed in a future newsletter.

Future KT newsletters will review the remaining two components of internal control and their corresponding COSO Framework Principles.  Please contact Traci Hanson, Shelley Goodrich, or Sandra Weaver with specific questions.  The Framework can be purchased from COSO’s website at