For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CPE for Government Auditors

Chapter 11: Control Activities

Time to get to the nitty-gritty!

Most accounting professionals resonate with the control activities chapter of the Green Book because it includes controls that come to mind most readily – things like segregation of duties, authorization, and review.  The control activities chapter is where the rubber hits the road, where the nitty meets the gritty, when push comes to shove… how many idioms can I spew?  Let’s keep count.  I’ve shared 3 so far!

Examples of control activities can be found all around us.  I did my best to explain internal controls to my 13-year-old daughter because she wanted to know what I was writing about.  And although I tried to make it relevant to her experience, she became bored with my explanation very quickly (internal controls have a way of doing that…).

I reminded her about the cool vending machine we used at a café the day before. Instead of giving money to the people behind the counter who were preparing the food, customers put cash or a credit card into a vending machine that described the price, content, and preparation method of the food in several languages.  The buttons had large pictures of each food item.  Once the customer made the choice, the vending machine spit out a ticket that the customer took to the counter to give to the cook, who then prepared and delivered the order.

The vending machine, I told her, is a control that helps ensure that the people behind the counter don’t pocket any cash and lets the owner of the restaurant track how many meals were sold.  The vending machine also helped speed the process of ordering for the tourists because many of them did not speak the same language as the people behind the counter…. a fabulous way to get your ducks in a row. (4!)

Note that reconciliations don’t belong in this chapter

Because of the nature of some of the items sold (like ice cream bars) the owner could also match the sales to the items consumed.  The reconciliation of sales records from the vending machine to items sold brings up an important point that defies most people’s expectations for this chapter:  Reconciliations are NOT a control activity; they are a monitoring activity.

Check out this excerpt from chapter X of the Green Book on monitoring:

16.05 Management performs ongoing monitoring of the design and operating effectiveness of the internal control system as part of the normal course of operations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. 

I really want to talk about reconciliations in this chapter, as you will see below as I brainstorm ideas around our case study, but we will talk more about reconciliations when we get to the chapters on monitoring.

The best list in the whole green book

Now back to the chapter under consideration, the control activities chapter.  One of my favorite features of the Green Book is Figure 6, a convenient list of common controls that is a piece of cake (5!) to read.  We will discuss each in turn.

Figure 6: Examples of Common Categories of Control Activities

  • Top-level reviews of actual performance
  • Reviews by management at the functional or activity level
  • Management of human capital
  • Controls over information processing
  • Physical control over vulnerable assets
  • Establishment and review of performance measures and indicators
  • Segregation of duties
  • Proper execution of transactions
  • Accurate and timely recording of transactions
  • Access restrictions to and accountability for resources and records
  • Appropriate documentation of transactions and internal controls

Let’s continue our case study about the high school coach using the purchasing card. Remember, our control objective is: Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?  In our last chapter, we talked about integrating controls.  And in order to make that seem more natural, I am going to reorder the list from Figure 6.   No worries! All the points are there  just not in the same order.

Accurate and timely recording of transactions

The Green Book Recommends: Transactions are promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from its initiation and authorization through its final classification in summary records. In addition, management designs control activities so that all transactions are completely and accurately recorded.

When the coach uses the card, the credit card company records the amount and date of the transaction, classifies the transaction, and discloses the vendor.  That is a lot of good information and a very good control if you want to ensure that what he purchased was not personal. But it is not all the information we need because we don’t know what he bought exactly.

For instance, if he buys 14 things at Walmart, all we see is the $231 total on the credit card statement, not what he actually purchased. It would be best if he would turn in his receipts to accounting so they can record what was purchased more specifically.  And it would be best if the coach was required to turn in receipts frequently, let’s say, weekly and that accounting records the transaction based on the receipt soon after.  One way to ensure the information is recorded accurately is for someone to reconcile the receipts to the credit card statement and then to the accounting records… but whoops, that is getting us into monitoring, isn’t it?

Controls over information processing

The Green Book recommends: A variety of control activities are used in information processing. Examples include edit checks of data entered; accounting for transactions in numerical sequences; comparing file totals with control accounts; and controlling access to data, files, and programs,

Ensure that the coach and his staff do not have the ability to alter credit card transaction data in the accounting system.

The accounting system should contain edit checks to ensure that obviously erroneous data cannot be entered.  Someone in accounting should double-check the entries for reasonableness. And ding it, I am back to reconciliations again!

The double entry accounting system (you know, that debit and credit stuff) helps make sure that the amounts are recorded accurately because the first transaction records the purchase and an equal accounts payable.  Then when the credit card bill is paid, the payment clears out the accounts payable and an equal amount comes out of cash.  If these transactions don’t balance, the accounting department knows that a recording error occurred.

The other data entered into the accounting system, such as the vendor and the items purchased, could be manipulated to cover up a personal transaction… that is why you need the next control…

Segregation of duties

The Green Book recommends: Management divides or segregates key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. 

The person who makes the charges (the coach) should not record the transactions (the accountant) or approve the credit card payment (the manager) or prepare the reconciliation (ding it… I’m back to reconciliations again!)

Appropriate documentation of transactions and internal control

The Green Book recommends: Management clearly documents internal control and all transactions and other significant events in a manner that allows the documentation to be readily available for examination. The documentation may appear in management directives, administrative policies, or operating manuals, in either paper or electronic form. Documentation and records are properly managed and maintained. 

The credit card company and the receipts will provide documentation of the transaction.  The statements and the receipts should be kept electronically or physically so that they can be examined later in case a question arises about the transaction later in the process.

The second part of the sentence – proper documentation of internal control – is redundant of a principle under “Control Environment” called “Documentation of the Internal Control System.” (See a discussion about overlap between the components below.) But obviously, you need to write down the internal controls so that you can repeat them and so that you can train new employees on how things work.

Access restrictions and accountability for resources and records

The Green Book recommends: Management limits access to resources and records to authorized individuals, and assigns and maintains accountability for their custody and use. Management may periodically compare resources with the recorded accountability to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. 

Each person in the process should have access to only the information they need!  For instance, the coach should not have access to the accounting records!  The accounting records should be password protected.  Also, the coach should keep the credit card to himself and not share it with others.

Reviews by management at the functional or activity level

The Green Book recommends: Management compares actual performance to planned or expected results throughout the organization and analyzes significant differences. 

Management receives a summary of spending on the purchasing card per department and discusses unusual items monthly during the budget update meetings.

Proper execution of transactions

The Green Book recommends: Transactions are authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources are initiated or entered into. Management clearly communicates authorizations to personnel. 

Only the coach can use his purchasing card.  It cannot be used by his assistant or other employees.  As the manager reviews the receipts, they should be instructed to verify that the coach made and signed the purchases – not a student or someone who is not authorized to make purchases.

Establishment and review of performance measures and indicators

The Green Book recommends: Management establishes activities to monitor performance measures and indicators. These may include comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Management designs controls aimed at validating the propriety and integrity of both entity and individual performance measures and indicators. 

If we are specifically concerned about purchasing card holders using their card for personal purchases, the person performing reconciliations could count how many transactions had to be corrected or charged back to employees for this reason.  But this seems a little silly…

Top level reviews of actual performance

The Green Book recommends: Management tracks major entity achievements and compares these to the plans, goals, and objectives set by the entity.

The executive team of the district could set clear goals for the purchasing card program and evaluate, periodically, if those goals have been achieved.

Management of human capital

The Green Book recommends: Effective management of an entity’s workforce, its human capital, is essential to achieving results and an important part of internal control. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management continually assesses the knowledge, skills, and ability needs of the entity so that the entity is able to obtain a workforce that has the required knowledge, skills, and abilities to achieve organizational goals. Training is aimed at developing and retaining employee knowledge, skills, and abilities to meet changing organizational needs. Management provides qualified and continuous supervision so that internal control objectives are achieved. Management designs a performance evaluation and feedback system, supplemented by an effective rewards system, to help employees understand the connection between their performance and the entity’s success. As part of its human capital planning, management also considers how best to retain valuable employees, plan for their eventual departure, and maintain a continuity of needed skills and abilities. 

The school district needs to make sure that the professionals using the card and controlling the use of the card are qualified to do their jobs and are upstanding citizens by screening employees before they are hired and running a scan on their criminal record every year. The district should also conduct a training session regarding allowable uses of the card for all employees before cards are issued.

Physical controls over vulnerable assets

The Green Book recommends: Management establishes physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. Management periodically counts and compares such assets to control records

I do not think this is applicable to our control objective…which is to ensure the coach does not use his purchasing card for personal purchases.  But I have had some folks argue with me about this and say that the card is a vulnerable asset.  I don’t think a credit card is an ‘asset’ but instead a tool.  But if you want to have the coach check the card out from some authoritative figure in the organization every time he wants to use it, you can do that.

That is way too many controls

Holy cow (6)!  That is a massive number of controls – so obviously, most organizations could not do everything on this list.  But remember, we are going to cull out silly, unrealistic and repetitive controls after we have covered all of the components of the COSO model.


Before moving on to the other three components (information and communication, monitoring and control environment), I need to explain that the five components and the principles blend together in spots.

The concepts aren’t always clean cut (7) and distinct from each other.  For instance, the first item on the list at figure 6 is “Top level reviews of actual performance.”  I could easily argue, and find references in the Green Book, that ‘top level reviews’ also belongs under ‘monitoring’ and ‘control environment.’  This happens again and again in the Green Book as we will see as we progress.    After we are all done covering each of the five components, I will make a list of the places where I see overlap… but that activity is premature now.

I am not sure the COSO folks or the GAO will ever be able to make the layers and principles more distinct.  But I do expect some clarity as time goes on, so we need to give them more time. The COSO model is less than 30 years old and has only been significantly revised once. The GAO’s Yellow Book has been in existence since the 70’s and is revised (in my memory) every five years or so. The more we all use the model and the more revisions the COSO model goes through, the better it will become.  Practice makes perfect! (8!)

Next time, we will dig into the third component of internal controls – information and communication.

Stay Up-To-Date

Sign up here to have the lastest from delivered right to your inbox.

Just provide your name and email information below, and as an introductory “Thank You”, you’ll be able to view and download a free copy of our Audit Objectives whitepaper.



Lost your password?