Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ Paper 5 — Auditing & Ethics/ Core Audit Concepts
Microlesson · 5-min read

Components of Internal Control — Control Activities

## Component 4: Control Activities

### Definition

Control activities are policies and procedures that help ensure that management directives are carried out.

---

### Scope of Auditor's Understanding

The auditor obtains an understanding of control activities relevant to the audit — specifically those related to:

  • Significant classes of transactions
  • Account balances
  • Disclosures in the financial statements
  • Assertions the auditor considers relevant in the risk assessment process

> The auditor does not need to understand all control activities — only those tied to significant areas and relevant assertions.

---

### Five Types of Control Activities

TypeDescriptionExample
AuthorizationTransactions require proper approvalExpense approval limits; authorization matrix
Performance ReviewsComparing actual results against expectationsBudget vs. actual variance analysis; trend comparison
Segregation of DutiesSeparating authorization, recording, and custodyDifferent people raising PO, receiving goods, approving payment
Physical ControlsRestricting physical access to assetsLocked warehouses, safes, access-controlled server rooms
Information ProcessingIT and manual controls over data accuracyEdit checks, reconciliations, batch totals

---

### Segregation of Duties — Key Principle

The three functions that should be separated to reduce fraud/error risk:

1. Authorization of transactions

2. Recording of transactions

3. Physical custody of assets

> When one person handles two or more of these functions, risk of undetected fraud or error rises significantly.

Worked example

### Example 1

Multiple control activities in one process: In a payables cycle — (a) Purchase manager raises PO [Authorization], (b) Warehouse staff record goods received [Segregation + Recording], (c) Accounts team matches PO × GRN × invoice before payment [Information processing], (d) CFO reviews monthly AP ageing report [Performance review], (e) No single person controls all steps [Segregation of duties]. This illustrates all five types of control activities operating together.

### Example 2

Segregation failure and audit response: In a small firm, Ramesh alone orders raw materials, receives deliveries, and approves supplier invoices for payment. All three functions — authorization, custody, and recording — sit with one person. Ramesh could fabricate purchases and siphon funds. The auditor has no control to rely on here and must perform extensive substantive procedures: confirm supplier balances independently, vouch purchases to underlying delivery documentation, and perform cut-off testing.

⚠️ Common exam mistakes

  • Thinking the auditor must understand all control activities — only those related to significant transaction classes and relevant assertions are required
  • Forgetting 'Performance Reviews' as a type of control activity — students often list only authorization and segregation of duties, missing three of the five types
  • Confusing control activities (one component of IC) with internal controls as a whole — control activities are the fourth of five components, not a synonym for all of IC
Reference:
← Previous
Comparative Information in Aud
Next →
Components of Internal Control
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic