
Control Activities

## Component 4: Control Activities

### Definition

Control activities are the policies and procedures that help ensure that management directives are carried out.

They are applied at various organisational and functional levels and exist within both IT and manual systems.

### Audit Scope for Control Activities

The auditor needs to understand only those control activities that relate to:

  • Significant classes of transactions
  • Significant account balances
  • Disclosures in the financial statements
  • Assertions that the auditor finds relevant in their risk assessment

> The auditor is not required to understand all control activities — only those relevant to audit risk.

### Types of Control Activities Relevant to Audit

| Type | Examples |
| --- | --- |
| Performance reviews | Comparing actual results with budgets, forecasts, prior periods; variance analysis |
| Information processing controls | Checking arithmetical accuracy, program change controls, batch totals, sequence checks |
| Physical controls | Physical security over assets, authorisation requirements |
| Segregation of duties | Separating authorisation, recording, and custody functions |

Worked example

### Example 1

Performance review control: A retail chain compares monthly store-level gross margin to budget. A store showing a 15% favourable variance prompts investigation — which reveals the store manager is under-recording cost of goods sold. The performance review control detects a potential misstatement.

### Example 2

Information processing control: A payroll system automatically checks that the total of all individual payslips equals the payroll register total (batch total control). This arithmetic check prevents keying errors from reaching the general ledger undetected.

### Example 3

Segregation of duties: In an accounts payable process, one employee creates vendors in the master file, a second approves invoices, and a third releases payments. No single employee can both create a vendor and approve payment to that vendor — this segregation prevents fictitious vendor fraud.

⚠️ Common exam mistakes

  • Thinking the auditor must understand ALL control activities of the entity — in fact, only those relevant to significant classes of transactions and risk-relevant assertions.
  • Confusing control activities (specific policies and procedures) with the control environment (the overall culture and tone) — they are separate components.
  • Treating performance reviews as only financial — non-financial KPIs (e.g., units produced, customer returns) are also performance review control activities.
  • Forgetting that control activities exist in BOTH IT and manual systems — a control activity is not inherently computerised.