Page 243 - COSO Guidance Book
– Reconciliations — Reconciliations compare two or more data elements and, if differences are
identified, action is taken to bring the data into agreement. Reconciliations generally address the
completeness or accuracy of processing transactions.
One example of a reconciliation is appropriate personnel comparing the balance of cash per the
books with the balance of cash per the bank. Another example would be comparing a
physical count of inventory with the amounts contained in the books. Often, these controls are
categorized as manual and detective because they frequently require an appropriate employee to take
corrective action if the amounts do not reconcile.
– Supervisory controls — Supervisory controls assess whether other transaction control activities
(for example, verifications, reconciliations, authorizations and approvals, controls over standing
data, and physical control activities) are being performed completely, accurately, and according to
policy and procedures. Management normally uses judgment to select and develop supervisory
controls over higher-risk transactions.
In one of the previous examples, the IT accounts-payable system required the owner-manager’s
approval for any disbursement greater than $5,000. Management considered this to be a
high-risk transaction and, as previously noted, it is an example of an automated, preventive,
detective, and manual control.
It is important to note that higher risk is not necessarily associated only with transactions or items
of significant monetary value. For example, one retail store placed low-priced
costume jewelry near the sales registers. The store had experienced a volume of
theft of these items and believed that placing this inventory near the sales registers
would decrease the extent of shoplifting, as the inventory was under relatively constant
observation by the check-out clerk.
Point of focus — Considers at what level activities are applied
Management considers control activities at different levels in the entity.
The framework states that, in addition to controls that operate at the transaction-processing level, the
organization selects and develops a mix of control activities that operate more broadly and that
usually occur at higher levels in the entity.
Furthermore, the framework notes that these broader control activities usually are business
performance or analytical reviews involving comparisons of operating or financial data with some
criteria (for example, budget or industry statistics). The comparisons are made and corrective actions
are taken when the relationships do not accord with policy or expectations. Also, transaction controls
and business performance reviews at different levels operate in conjunction to provide a layered
approach to addressing the organization’s risks and are integral to the mix of controls within the
organization.
For example, an entity that is a not-for-profit might adopt a budget based on an expectation that the
amount of cash donations obtained by volunteers who collect the donations outside major retail
stores during certain holidays would be similar to previous years. The donor would place cash in a
locked bucket that would be collected by the not-for-profit’s staff. The locked buckets would be
opened and the cash counted in the presence of several staff members.
© 2020 Association of International Certified Professional Accountants. All rights reserved.