Control activities are the third aspect of COSO standards of internal control examined in a series of articles being published in Inside UNC Charlotte.
University management establishes policies and procedures to mitigate risks to achieving objectives. These are known as control activities and are the core of the internal control framework. They are performed at all levels of the University, at various stages within all business processes and throughout the technology environment. They may be preventive (user ID and password) or detective (Travel Office review of reimbursement requests) in nature and may encompass a range of manual and automated activities. Typical control activities include:
- Authorizations
- Approvals
- Verifications
- Reconciliations
- Business performance reviews
- Segregation of duties
Segregation of duties (SOD) is typically built into the selection and development of control activities. The principle of SOD is based on sharing responsibilities within a key process and dispersing the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are less manageable, less detectable and more likely. Installing effective and efficient segregation practices at the department level can be challenging in small offices. Where segregation of duties is not practical, management selects and develops alternative control activities. Compensating controls, such as more frequent reporting and reconciling of activities, may be required to offset operational constraints.
Future Inside UNC Charlotte articles will expand on the remaining layers of the internal controls framework. Employees who have questions about the article or who want to talk about how the framework applies to their department should call the Internal Audit Department at 704-687-5693 or email Internal_Audit@uncc.edu.
Risk assessment was the second COSO standard of control featured.