Page 240 - COSO Guidance Book

–  Validity — Recorded transactions represent economic events that actually occurred and were
                   executed according to prescribed procedures. Validity is generally achieved through control
                   activities that include the authorization of transactions as specified by an organization’s
                   established policies and procedures (such as approval by one having the authority to do so).

                   For example, the board of directors (those charged with governance) might require its approval
                   before management can purchase assets that cost more than $10,000.


                   Untimely transaction processing and restricted access

                   The framework notes that the risk of untimely transaction processing may be considered a
                   separate risk or included as part of the completeness or accuracy information-processing
                   objective. For example, an entity that is a textile manufacturer might, due to the bookkeeper’s
                   illness, not pay vendors within a stated time period; the entity might incur unexpected costs, such
                   as loss of a purchase discount.

                   The framework also notes that restricted access is a significant consideration for most business
                   processes and is often included as an information-processing objective. Without suitably limiting
                   access over transactions in a business process, the control activities in that business process
                   can be overridden and segregation of duties may not be achieved.

                   Restricted access is particularly important where technology is essential to an entity’s processes.
                   Many accounting software packages used by entities are delivered with default access rights.
                   Appropriate management personnel should establish access rights for application and operating-
                   system software, data items, and so forth for employees in accordance with the employees’
                   areas of authority and responsibility.

              Point of focus — Evaluates a mix of control activity types

               Control activities include a range and variety of controls and may include a balance of approaches to
               mitigate risks, considering both manual and automated controls and preventive and detective
               controls.

               Examples of these approaches and types of controls are provided in the following information.

               The mix of transaction control activities that can be chosen and developed includes the following
               types from the framework:
               –  Authorizations and approvals — An authorization provides assurance that a transaction is valid (it
                   represents an actual economic event or is executed within an entity’s policy). An authorization
                   usually takes the form of an approval by a higher level of management or of verification and a
                   determination that the transaction is valid.

                   Authorization has classically been divided into two categories: general and specific. For
                   instance, an entity’s retail clerk typically has general authorization to process sales and related
                   transactions and does not need to seek approval to execute these routine transactions. Specific
                   authorization for certain types of transactions (unusual or material) is often noted in the entity’s
                   policies. For example, one entity’s policy states that two officers must approve any wire transfer
                   in excess of $10,000.


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    5-6