1. Authorization and approval procedures
Authorizing and executing transactions and events are only done by persons acting within the scope of their authority. Authorization is the principal means of ensuring that only valid transactions and events are initiated as intended by management. Authorization procedures, which should be documented and clearly communicated to managers and employees, should include the specific conditions and terms under which authorizations are to be made. Conforming to the terms of an authorization means that employees act in accordance with directives and within the limitations established by management or legislation.
2. Segregation of duties (authorizing, processing, recording, reviewing)
To reduce the risk of error, waste, or wrongful acts and the risk of not detecting such problems, no single individual or team should control all key stages of a transaction or event. Rather, duties and responsibilities should be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Key duties include authorizing and recording transactions, processing, and reviewing or auditing transactions. Collusion, however, can reduce or destroy the effectiveness of this internal control activity. A small organisation may have too few employees to fully implement this control. In such cases, management must be aware of the risks and compensate with other controls. Rotation of employees may help ensure that one person does not deal with all the key aspects of transactions or events for an undue length of time. Also,Control activities include a range of policies and procedures as diverse as..
1. Authorization and approval procedures
Authorizing and executing transactions and events are only done by persons acting within the scope of their authority. Authorization is the principal means of ensuring that only valid transactions and events are initiated as intended by management. Authorization procedures, which should be documented and clearly communicated to managers and employees, should include the specific conditions and terms under which authorizations are to be made. Conforming to the terms of an authorization means that employees act in accordance with directives and within the limitations established by management or legislation.
2. Segregation of duties (authorizing, processing, recording, reviewing)
To reduce the risk of error, waste, or wrongful acts and the risk of not detecting such problems, no single individual or team should control all key stages of a transaction or event. Rather, duties and responsibilities should be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Key duties include authorizing and recording transactions, processing, and reviewing or auditing transactions. Collusion, however, can reduce or destroy the effectiveness
of this internal control activity. A small organisation may have too few employees to fully implement this control. In such cases, management must be aware of the risks and compensate with other controls. Rotation of employees may help ensure that one person does not deal with all the key aspects of transactions or events for an undue length of time. Also,monitoring of internal control which is discussed separately in section 2.5.8. supervision (assigning, reviewing and approving, guidance and training)
Competent supervision helps to ensure that internal control objectives are achieved. Assigning, reviewing, and approving an employee’s work encompasses:
• clearly communicating the duties, responsibilities, and accountabilities assigned each staff member;
• systematically reviewing each member’s work to the extent necessary;
• approving work at critical points to ensure that it flows as intended.
A supervisor’s delegation of work should not diminish the supervisor’s accountability for these responsibilities and duties. Supervisors also provide their employees with the necessary guidance and training to help ensure that errors, waste, and wrongful acts are minimized and that management directives are understood and achieved.
The abovementioned list is not exhaustive but enumerates the most common preventive and detective control activities. Control activities 1
– 3 are preventive, 4 – 6 are more detective while 7 – 8 are both preventive and detective. Entities should reach an adequate balance between detective and preventive control activities, whereby often a mix of controls is used to compensate for the particular disadvantages of individual controls.
Once a control activity is implemented, it is essential that assurance about its effectiveness is obtained. Consequently corrective actions are a necessary complement to control activities. Moreover, it must be clear that control activities form only a component of internal control. They should be integrated with the other four components of internal control.
Examples
We refer the reader to the annexes for integrated examples on each of the objectives and the components of internal control.