
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        Control activities are the policies and procedures that help ensure that management’s directives are
        carried out. Examples include controls to ensure that goods are not shipped to a bad credit risk, or that
        only authorized purchases are made. These controls address risks that, if not mitigated, would threaten the
        achievement of the entity’s objectives.
        Control activities (whether within information or manual systems) are designed to mitigate the risks involved
        in everyday activities such as transaction processing (business processes such as sales, purchases, and payroll)
        and safeguarding of assets.


        Business processes are structured sets of activities designed to produce a specified output. Business process
        controls can generally be classified as preventive, detective and corrective, or compensating or steering, as
        outlined in the exhibit below.

        Exhibit 5.6-1


          Controls Classification   Description

          Preventive Controls       Avoid errors or irregularities.
          Detective Controls        Identify errors or irregularities after they have occurred so corrective action
                                    can be taken.
          Compensating Controls     Provide some assurance where resource limitations may preclude other more direct
                                    controls.
          Steering Controls         Guide actions towards the desired objectives.
          (e.g., Policies)


        The nature of business process controls will vary based on the risks involved and the specific application.

        Typical controls at the business process level would include the matters set out below.

        Exhibit 5.6-2

          Controls          Description                                  Examples

          Segregation       These controls can reduce the                The employee responsible for the accounts
          of Duties         opportunities for a person to be in a        receivable processing has no access to cash
                            position to both perpetrate and conceal      receipts.
                            errors or fraud.

          Authorization     These controls define who has the            Assigning responsibility to authorize:
          Controls          authority to approve various routine and     • Hiring of new employees;
                            non-routine transactions and events.         • Making investments;
                                                                         • Ordering goods and services; and
                                                                         • Extending credit to a customer.

          Account           This includes preparing and reviewing        Reconciliations of bank accounts, sales
          Reconciliations   account reconciliations on a timely basis    transactions, intercompany balances,
                            and taking any necessary corrective          suspense accounts, etc.
                            actions.


