Quick reference guide
Audit and Risk
Control activities
Controls can be categorised in many ways, for example by their objective, degree of dependence on IT and the nature of the control activity
Control objective
Prevent – to prevent errors or fraud
that could result in a misstatement in
the financial statements
Detect and correct – to detect errors
or fraud that have occurred and to
correct the potential misstatement
Dependence on IT
Manual – no automation is required to
perform the control activity
IT dependent manual control – some
element of automation is required to
perform the control activity, usually in
the form of a report from an IT system
IT application control – fully automated
control activity (are either embedded
i.e specifically programmed and cannot
be changed by users or configurable
i.e control’s operation can be modified)
© 2023 Chartered Accountants Australia and New Zealand ABN 50 084 642 571. All rights reserved.
Page 1 of 1
AR-1-5-4-1_QRG_Controls_03
Example
All employees must submit a timesheet that
is approved by their immediate supervisor
before they will be paid each week
The credit controller reviews the aged debtors
report each month for customers with
outstanding accounts aged over 30 days, and
contacts each of these customers to follow up
on their payment
Example
A key is required to open the locked storage
area of the warehouse containing high-value
inventory items
The accountant reconciles the bank balance
each month by using an electronic copy
of the bank statement and comparing the
information against the balance recorded in
the accounting system
The sales system configured so that it will
not allow a user to process a customer order
if accepting the customer order would cause
the customer to exceed their credit limit
Nature of
Example
control activity*
Authorisation Authority to hire new employees is assigned to the HR manager
Performance Sales manager reviews actual sales against those forecast on a monthly basis to
review detect any unusual trends or deviations from expectations
Segregation Different people are responsible for maintaining the list of suppliers and
of duties processing payments to suppliers
Reconciliation Monthly bank reconciliation prepared and discrepancies investigated
Physical control All employees must use their ID swipe cards to gain access to the entity’s premises
IT application controls (ITACs)
ITACs operate within individual applications or programs at the transaction level over the input,
processing or output of data.
Type of ITAC Example
Edit check – automated check on whether Required fields in forms, or forms requiring a date to
data is in the correct format or incomplete be input in a certain way (e.g. ‘dd/mm/yyyy’)
Validation – automated check on whether Only valid customer reference numbers can be
the data meets specific criteria entered when creating sales invoices
Calculation – automatic calculation based The aging of invoices in an aged debtors report
on a formula
Interface – ensures data is accurately and A report generated when the sales system has
completely transferred from one system uploaded the end-of-day file to the server, which
to another contains the number of data records successfully
uploaded and the number of data records which
were rejected
* This list is not exhaustive