As a business entity grows, there is a greater need for the effective implementation and periodic
upgrade of controls. The controlling function is indispensable to attaining sustainable
development. Control activities must be performed at all levels of the entity, at various stages of the
business operations, and over the technological environment. These policies, procedures and
techniques provide reasonable assurance that management's directives for mitigating risks to meet the
organization's objectives are carried out. There must be an appropriate balance between the risk brought
about by a business practice and the level of control required for that activity.
In terms of taxonomy, there are three common forms of controls: administrative,
physical and logical. These controls are essential to an effective control environment.
However, they do not provide clear-cut guidance as to the degree to which the controls mitigate the
risk. To address this issue, an alternative classification has been used. Control activities are divided
mainly into two: preventive and detective.
Preventive Controls
b. Segregation of Duties
- Incompatible duties such as authorization, recording and custody are not delegated to the same employee to reduce risks of error or inappropriate action.
Detective Controls
a. Reconciliations
- Records are compared to documents or records independently maintained with the same balance for verification.
- Any difference is investigated and proper action is taken.
b. Reviews of Performance
- Actual performance is compared to budgets, forecasts, prior period or other benchmarks by management to measure the extent to which goals and objectives have been met or are being achieved and to identify material deviations, unexpected results or unusual conditions that would require further review.
c. Analytical Reviews
- Analytical reviews are done to examine whether the relationships between different sets of data are consistent and valid.
d. Independent Review
- After every process, another person reviews the prior person's work for proper authorization, complete and proper supporting source documents, and accuracy.
a. Security of Assets
- Access to liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information is restricted only to authorized employees.
- Access controls such as locked doors, key pad systems, card key systems, badge systems, locked filing cabinets, terminal locks, computer passwords, menu protection, automatic callback for remote access, two-factor authentication, smart cards, and data encryption are implemented and installed.
- Surveillance cameras, logs and intrusion alarms are used to detect unauthorized access.
- Inventory tags are maintained and physical inventory counts are performed periodically.
- Fidelity bonds are maintained with Cashier.
- Staff wear IDs with names and pictures.
- Access of dismissed staff is removed.
Information Systems
a. General Controls
- Changes in the system are initiated and authorized only by the user department.
- The CIS department is independent of all departments that provide input data or use output data which is the result of the processing done by the CIS department.
- Duties within the CIS department are properly segregated.
- Definite lines of authority are provided by the CIS department.
- Physical and logical access to computers is limited only to operators and other authorized personnel.
- Passwords and two-step verification are installed to restrict access.
- Logical access is monitored and documented through the system's extensive capabilities for logging.
- Authorized persons can only perform limited functions.
- Computers are encrypted with passwords to limit access to data files and programs only to authorized personnel.
- Any process or device which may be used to copy confidential information is disabled.
- Computer files are copied daily to tape or disks and are secured off-site.
- The grandfather, father and son practice is implemented in order to keep the two most recent generations of master files and transaction files.
b. Application Controls