
20.25
Control Activities


July 1, 2008

What are control activities?

Control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out. In other words, control activities are actions taken to minimize risk. The need for a control activity is established in the risk assessment process. When the assessment identifies a significant risk to the achievement of an agency's objective, a corresponding control activity or activities are determined and implemented.


Control activities can be preventive or detective:

Preventive activities are designed to deter the occurrence of an undesirable event. The development of these controls involves predicting potential problems before they occur and implementing procedures to avoid them.

Detective activities are designed to identify undesirable events that do occur and alert management about what has happened. This enables management to take corrective action promptly.


Internal control activities can be incorporated into the following:

  • Policies
  • Procedures
  • Sequences or combinations of procedures
  • Assignments of duties, responsibilities, and authorities
  • Physical arrangements or processes
  • Combinations of the above.           


July 1, 2008

How should control activities be incorporated into an agency's internal control plan?

Control activities occur at all levels and functions of the agency. Management should establish control activities that are effective and efficient. When designing and implementing control activities, management should aim to get the maximum benefit at the lowest possible cost. Consideration should be given to the following:

  • The cost of the control activity should not exceed the cost that would be incurred by the agency if the undesirable event occurred.
  • Management should build control activities into business processes and systems as the processes and systems are being designed. Adding control activities after the development of a process or system is generally more costly.
  • The allocation of resources among control activities should be based on the likelihood and impact of the risk. Refer to Subsection 20.15.40.b.
  • For any given risk, there may be multiple appropriate control activities that can be put into place, either individually or in combination with other control activities.
  • Excessive use of controls could impede productivity.


July 1, 2008

Commonly used control activities

The following are descriptions of some commonly used control activities. This is not an exhaustive listing of the alternatives available to management.


Authorization – Control activities in this category are designed to provide reasonable assurance that all transactions are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials.


Review and approval – Control activities in this category are designed to provide reasonable assurance that transactions have been reviewed for accuracy and completeness by appropriate personnel.


Verification – Control activities in this category include a variety of computer and manual controls designed to provide reasonable assurance that all accounting information has been correctly captured.


Reconciliation – Control activities in this category are designed to provide reasonable assurance of the accuracy of financial records through the periodic comparison of source documents to data recorded in accounting information systems.


Physical security over assets – Control activities in this category are designed to provide reasonable assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence or intentional acts of fraud, theft or abuse.


Segregation of duties – Control activities in this category reduce the risk of error and fraud by requiring that more than one person is involved in completing a particular fiscal process.


Education, training and coaching – Control activities in this category reduce the risk of error and inefficiency in operations by ensuring that personnel have the proper education and training to perform their duties effectively. Education and training programs should be periodically reviewed and updated to conform to any changes in the agency environment or fiscal processing procedures.


Performance planning and evaluation – Control activities in this category establish key performance indicators for the agency that may be used to identify unexpected results or unusual trends in data which could indicate situations that require further investigation and/or corrective actions. Evaluations may be done at multiple levels within the agency, as appropriate: the agency as a whole; major initiatives; specific functions; or specific activities.

Performance reviews may focus on compliance, financial or operational issues. For example, financial reviews should be made of actual performance versus budgets, forecasts and performance in prior periods.

20.25.30.b Although control activity procedures are not intended to increase staffing levels, acceptable procedures are to be established and followed which may require changes in existing workloads and/or additional staff position(s). However, a periodic thorough internal review of control activities may identify policies and procedures that are no longer required. It is recognized that some small to medium size operations may not be able to institute internal control procedures on the same level as larger, more complex agencies. In those cases where staffing may prohibit or restrict the appropriate segregation of duties, management must either have more active oversight of operations or utilize personnel from other units to the extent possible as compensating controls.


July 1, 2008

What are some limitations of control activities?


Control activities, no matter how well designed and executed, can provide only reasonable assurance regarding achievement of objectives. The likelihood of achievement is affected by limitations inherent in all control systems. These limitations include the following:

Judgment – The effectiveness of controls will be limited by the fact that decisions must be made with human judgment in the time available, based on information at hand and under the pressures to conduct business.

Breakdowns – Even if control activities are well designed, they can break down. Personnel may misunderstand instructions or simply make mistakes. Errors may also stem from new technology and the complexity of computerized information systems.

Management override – Even in an effectively controlled agency, high-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies or procedures for legitimate purposes.

Collusion – Collusion between two or more individuals can result in control failures. Individuals acting collectively often can alter financial data or other management information in a manner that cannot be identified by the control system.

Costs versus benefit – In determining whether a particular control activity should be established, the cost of establishing the control must be considered along with the risk of failure and the potential impact. Excessive control is costly and counterproductive. Too little control presents undue risk. Agencies should make a conscious effort to strike an appropriate balance.

Resource limitations – Every agency must prioritize control activities because resources are not available to put every control activity into practice. 


July 1, 2008

What internal control documentation is required?

Documentation involves preserving evidence that substantiates a decision, event, transaction or system. Documentation should be complete, accurate and clearly written. It should be recorded in a timely manner and in a format that can be used efficiently.

At a minimum, documentation should be retained of the following:

  • Key policies, procedures and processes.
  • The annual assurance required in Subsection 20.15.50.a.


Agencies should strive to develop documentation of their processes that includes:

  • The control objective as related to a desired goal or condition.
  • The flow of information and documents through the process or function.
  • The control activities in place over the function. 

Documentation should be considered in making decisions about the internal controls in place over a specific process. The documentation should be sufficient to allow the agency to:

  • Conclude as to the overall soundness of the internal controls.
  • Be aware of the existence of internal control weaknesses, if any.
  • Formulate the agency’s plan of action for addressing internal control weaknesses and improving the internal controls where necessary. 
