Evaluating Control Activities During Performance Audits

After exploring the control environment and risk assessment in previous posts, we now focus on another crucial component of internal control—control activities. This post is the third in our series of five, providing a comprehensive overview of the five components of internal control as specified in the Green Book.

Understanding Control Activities

Control activities are the actions taken to address risks and execute the organization’s objectives, forming the backbone of effective internal control. These activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. Each control activity is designed to prevent, detect, and correct errors or irregularities that can impede the organization’s ability to achieve its objectives.

The Three Principles of Control Activities

Principle #10: Management should design control activities to achieve objectives and respond to risks.

  • Management designs control activities in response to the entity’s objectives and risks to achieve an effective internal control system. Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives and address related risks. As part of the control environment component, management defines responsibilities, assigns them to key roles, and delegates authority to achieve the entity’s objectives. As part of the risk assessment component, management identifies the risks related to the entity and its objectives, including its service organizations; the entity’s risk tolerance; and risk responses. Management designs control activities to fulfill defined responsibilities and address identified risk responses.

  • Management designs appropriate types of control activities for the entity’s internal control system.

  • Management designs control activities at the appropriate levels in the organizational structure. Management designs entity-level control activities, transaction control activities, or both depending on the level of precision needed so that the entity meets its objectives and addresses related risks.

  • Management considers segregation of duties in designing control activity responsibilities so that incompatible duties are segregated and, where such segregation is not practical, designs alternative control activities to address the risk.

Principle #11: Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.

  • Management designs the entity’s information system to respond to the entity’s objectives and risks. Management designs the entity’s information system to obtain and process information to meet each operational process’s information requirements and to respond to the entity’s objectives and risks.

  • Management designs appropriate types of control activities in the entity’s information system for coverage of information processing objectives for operational processes. For information systems, there are two main types of control activities: general and application control activities. Information system general controls (at the entity-wide, system, and application levels) are the policies and procedures that apply to all or a large segment of an entity’s information systems. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

Principle #12: Management should implement control activities through policies.

  • Management documents in policies the internal control responsibilities of the organization. Management documents in policies for each unit its responsibility for an operational process’s objectives and related risks, and control activity design, implementation, and operating effectiveness.

  • Management periodically reviews policies, procedures, and related control activities for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks. If there is a significant change in an entity’s process, management reviews this process in a timely manner after the change to determine that the control activities are designed and implemented appropriately.

Evaluating Control Activities during Performance Audits

Evaluating control activities during a performance audit is an essential process that involves a meticulous examination of the mechanisms put in place to manage and mitigate risks and to ensure the achievement of organizational objectives. Auditors assess the design and implementation of these control activities to determine whether they are appropriate for the risks faced and are integrated effectively across the organizational structure. This involves analyzing whether control activities are suitably designed at the entity and transaction levels.

Additionally, the assessment includes a review of the entity’s information systems to ensure that both general and application controls are robust enough to support valid, complete, accurate, and confidential transaction processing. Auditors also scrutinize management’s policies that dictate the responsibilities related to control activities to confirm they are up-to-date, effectively implemented, and continuously reviewed for relevance and effectiveness, particularly after significant operational changes. This comprehensive evaluation helps ensure that control activities are not only aligned with the entity's objectives and risk responses but are also capable of adapting to changes within the operational environment.

Conclusion

Thorough evaluation of control activities within performance audits is crucial for ensuring that an organization's internal controls are both effective and adaptive to changes. By systematically assessing the design, implementation, and operation of these activities, auditors can provide valuable insights into how well an organization manages its risks and achieves its objectives. This process not only reinforces the integrity and efficiency of the entity’s operations but also strengthens its overall governance structure. As we continue our series on the components of internal control, we remain committed to deepening the understanding of these elements, ensuring that auditors are well-equipped to enhance the accountability and effectiveness of government operations.
