
Control Activities

As a business entity grows, there is a greater need for the effective implementation and periodic upgrade of controls. The control function is indispensable to attaining sustainable development. Control activities must be performed at all levels of the entity, at various stages of business operations, and over the technological environment. These policies, procedures and techniques provide reasonable assurance that management's directives for mitigating the risks to the organization's objectives are carried out. There must be an appropriate balance between the risk brought about by a business practice and the level of control required for that activity.

In terms of taxonomy, there are three common forms of controls: administrative, physical and logical controls. These controls are essential to an effective control environment. However, they do not provide clear-cut guidance as to the degree to which a control mitigates a risk. To address this issue, an alternative classification is used: control activities are divided mainly into two types, preventive and detective.

Preventive Controls

a. Approvals, Authorizations and Verifications

- Employees are authorized to perform only certain activities, or to access areas, within limited parameters
- Management specifies the activities that are subject to supervisory approval before their execution
- A supervisor's approval implies that he has verified and validated that the transaction conforms to the established policies and procedures
- Forms are prenumbered and are not signed in blank
- Proper supporting source documents must be present to verify proper authorization

b. Segregation of Duties

- Incompatible duties such as authorization, recording and custody are not delegated to the same employee, to reduce the risk of error or inappropriate action

Detective Controls

a. Reconciliations

- Records are compared, for verification, to independently maintained documents or records that should carry the same balance
- Any difference is investigated and proper action is taken

b. Reviews of Performance

- Actual performance is compared by management to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives have been met or are being achieved, and to identify material deviations, unexpected results or unusual conditions that require further review

c. Analytical Reviews

- Analytical reviews are performed to examine whether the relationships between different sets of data are consistent and valid

d. Independent Review

- After every process, another person reviews the work of the previous one for proper authorization, complete and proper supporting source documents, and accuracy

Preventive and Detective Controls

a. Security of Assets

- Access to liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information is restricted to authorized employees
- Access controls such as locked doors, key pad systems, card key systems, badge systems, locked filing cabinets, terminal locks, computer passwords, menu protection, automatic callback for remote access, two-factor authentication, smart cards, and data encryption are implemented and installed
- Surveillance cameras, logs and intrusion alarms are used to detect unauthorized access
- Inventory tags are maintained and physical inventory counts are performed periodically
- Fidelity bonds are maintained for the cashier
- Staff wear IDs with names and pictures
- Access of dismissed staff is removed

b. Protection of Records and Documents

- Fireproof storage areas, locked filing cabinets, backup files and off-site storage are built, installed or utilized to protect records and documents
- Access to blank checks and documents is limited to authorized personnel

Information Systems

a. General Controls

a.1. Organization Controls

- Changes in the system are initiated and authorized only by the user department
- The CIS department is independent of all departments that provide input data or use the output data produced by the CIS department's processing
- Duties within the CIS department are properly segregated
- Definite lines of authority are provided by the CIS department

a.2. Systems Development and Documentation Controls

- Software development and changes are approved by the appropriate level of management
- The program is periodically tested by the user and CIS department, and modified if needed, to ensure that it is functioning as planned
- There is complete, or at least adequate, documentation of the systems

a.3. Access Controls

- Physical and logical access to computers is limited to operators and other authorized personnel
- Passwords and two-step verification are in place to restrict access
- Logical access is monitored and documented through the system's logging capabilities
- Authorized persons can perform only limited functions
- Computers are password-protected so that access to data files and programs is limited to authorized personnel
- Any process or device that could be used to copy confidential information is disabled

a.4. Data Recovery Controls

- Computer files are copied daily to tape or disk and are secured off-site
- The grandfather-father-son practice is implemented in order to keep the two most recent generations of master files and transaction files

a.5. Monitoring Controls

- Periodic evaluation of the adequacy and effectiveness of the overall operations of the CIS is conducted
- Problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner
- Log analysis is periodically conducted to review access logs

b. Application Controls

b.1. Input Controls

- Only authorized individuals are allowed to input data into the system
- Key verification: data is entered twice (if possible, by different operators) to ensure that no key-entry errors are committed
- Field check: provides assurance that the data conforms to the required field format
- Validity check: data being entered is compared with valid information in the master file to check the authenticity of the input; any invalid input is rejected by the computer
- Self-checking digit: a numeric digit added to a document number, used to detect common transposition errors in data submitted for processing
- Limit check: ensures that data to be processed does not exceed a predetermined limit or a reasonable amount
- Control totals: computed from the data submitted for processing to ensure completeness before and after processing; financial totals, hash totals and record counts are used

b.2. Processing Controls

- Input controls also extend to the processing of transactions, to provide reasonable assurance that input data are processed accurately and that data are not lost, added, excluded, duplicated or improperly altered

b.3. Output Controls

- The CIS output is periodically reviewed for reasonableness by personnel knowledgeable of the output's format
- To ensure completeness, control totals are compared with those computed prior to processing
- Outputs are restricted to the authorized personnel who will use them, in order to maintain confidentiality
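As an added example that is not part of this document, the Python below applies the input controls listed in b.1 (field check, self-checking digit, validity check, limit check) to a constructed batch of vendor invoices and then performs the b.3 comparison of control totals (record count, financial total, hash total) before and after a processing step. The vendor master file, the single-invoice limit, the document-number format (11 digits ending in a mod-10 check digit) and every record are assumptions made for the example.

```python
from collections import namedtuple

MASTER_VENDORS = {"V1001", "V1002", "V1003"}   # constructed vendor master file
MAX_AMOUNT = 50_000.00                          # constructed limit for a single invoice
ControlTotals = namedtuple("ControlTotals", "record_count financial_total hash_total")

def luhn_check_digit(payload: str) -> str:
    """Mod-10 (Luhn) self-checking digit; catches single-digit errors and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * (2 if i % 2 == 0 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def validate_record(rec: dict) -> list:
    """Field check, self-checking digit, validity check and limit check; returns the failed controls."""
    errors = []
    doc = str(rec.get("doc_no", ""))
    if not (doc.isdigit() and len(doc) == 11):              # field check: 11 numeric digits
        errors.append("field check: doc_no must be 11 digits")
    elif luhn_check_digit(doc[:-1]) != doc[-1]:             # self-checking digit is the last digit
        errors.append("check digit: doc_no fails mod-10")
    if rec.get("vendor") not in MASTER_VENDORS:              # validity check against the master file
        errors.append("validity check: vendor not in master file")
    if not 0 < rec.get("amount", 0) <= MAX_AMOUNT:           # limit check
        errors.append(f"limit check: amount outside 0..{MAX_AMOUNT}")
    return errors

def control_totals(batch: list) -> ControlTotals:
    # Hash total is the sum of document numbers: meaningless as a figure, useful only as a control
    return ControlTotals(len(batch), round(sum(r["amount"] for r in batch), 2),
                         sum(int(r["doc_no"]) for r in batch))

def process_batch(batch, post=lambda recs: [dict(r, status="posted") for r in recs]):
    """Reject records failing input controls, post the rest, and re-check control totals afterwards."""
    accepted, rejected = [], []
    for rec in batch:
        (rejected if validate_record(rec) else accepted).append(rec)
    before = control_totals(accepted)
    posted = post(accepted)                    # 'post' stands in for the processing step
    return posted, rejected, before == control_totals(posted)

SAMPLE_BATCH = [  # constructed records; "79927398713" is the classic Luhn example number
    {"doc_no": "79927398713", "vendor": "V1001", "amount": 1250.00},
    {"doc_no": "12345678903", "vendor": "V1003", "amount": 4800.00},
    {"doc_no": "79927398173", "vendor": "V1002", "amount": 300.00},    # digits "71" transposed to "17"
    {"doc_no": "12345678903", "vendor": "V9999", "amount": 75000.00},  # unknown vendor, over the limit
]
```

Passing a lossy processing step to `process_batch` (for instance one that drops a record) makes the before/after comparison return False, which is the completeness failure the output control is meant to surface.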
