Your Role in Internal Control - Episode 6, Control Activities

"Auditor" comes from the Latin audire, "to hear," "a listener." Does your work include audit-like responsibilities? If you review, verify, evaluate, grade, consult, or troubleshoot, the answer is "yes!" Control activities help you carry out your responsibilities so WSU, your college, and your department can realize its goals or objectives.

Control Activites

In episode five, we discussed risk assessment, a core component of our internal control pyramid. Another core component is control activities, the actions taken in response to your risk assessment.

Internal Control Pyramid

Control activities are the policies and procedures that help ensure that directives are carried out.

They ensure necessary actions are taken to address anticipated risks to the achievement of the organization's objectives. 

Control Activities in Everyday Life

Control activities are not unique to higher education, business, or other organizations. Everyday life examples of internal control and risk management you likely engage in include:

  • Making a grocery list
  • Saving for retirement
  • Purchasing insurance
  • Setting your alarm clock
  • Locking your home or car
  • Approving children's activities
  • Visiting your doctor and dentist annually
  • Servicing your vehicle at regular intervals
  • Being alert to online scams and phishing attempts
  • Reviewing your checking account and credit card statements

That's ten ranging from activities as simple as waking up on time or not forgetting to pick up something at the store to taking steps to avoid financial catastrophe. What others come to mind?

Control Activity Categories

Control activities provide direction and prevent, find, and fix problems!

Control Categories

Directive Controls

Directive controls are part of the information and communication system. They provide guidance and direction for moving forward and encourage the right things to happen.

The WSU Policies and Procedures Manual is the prime example of directive control, as are processes developed by Financial Operations, Human Resources, and your college or department. Policies and procedures simplify our decision-making by providing sanctioned guidance. 

Another example is training programs that the university requires, including FERPA, IT security awareness, and preventing harassment and discrimination. You could also make a case for categorizing these as preventive controls.

Of course, simply providing guidance isn't enough on its own. We need to build controls into our processes and make them routine. Let's look at preventive controls.

Preventive Controls

Preventive controls proactively counter errors, fraud, or other unintended consequences before they happen. Four essential preventive controls include:

  1. Security - Safeguarding assets, data, or other vital items. 
  2. Approval - Consenting to or sanctioning officially.
  3. Authorization - Granting approval authority or power to act downward. 
  4. Segregation of duties - Separating some aspects of a transaction so one person does not have complete control from beginning to end.

Fraud can occur when a trusted employee receives little or no oversight, opening a window of opportunity. Most employees won't act on this opportunity, but some will.

For most people, embezzlement is not a career choice but a crime of opportunity. It may even start as an innocent error that goes unnoticed. We previously discussed opportunities arising from poor oversight in Corrupt Couple Cause Chaos, The Art of Noticing - Part 1, and St. Louis Shenanigans.

Segregation of duties does not require a large staff or complicated procedures. Supervisors in small departments can compensate by boosting the detective controls at their disposal, essentially conducting regular mini-audits to ensure critical activities are on track.

Be transparent, and don't do this work in secret. You want your team to know you're paying attention! The simple knowledge that you're watching may be your best preventive control. But that does not suggest you must be a micromanager or constantly looking over your team's shoulders.

Regular use of control activities lets your team know you are engaged and interested, not that you don't trust them. Your team should understand that you ask questions and expect answers.

Of course, there will occasionally be mistakes. You find those with detective controls.

Detective Controls

Detective controls alert you to errors, fraud, or other unintended consequences so you can act to correct the problem. Four essential detective controls include:

  1. Review - Examining something to monitor activities or aid evaluation. 
  2. Verification - Determining or testing accuracy by comparison or investigation.
  3. Reconciliation - Analyzing to resolve differences or establish a close relationship. 
  4. Variance analysis - Comparing actual to expected results and investigating significant differences.

Detective working.


The many financial and statistical reports the university makes available allow you to use any of the four detective controls depending on your role and responsibilities. Reports comparing actual revenue and expenses to budgeted amounts facilitate variance analysis.

Our last step is to take corrective action when a detective control alerts us to a problem.

Corrective Controls

Corrective controls are planned steps for reacting to an oversight, error, or more significant problem or event.

A corrective control can be routine, such as when Financial Operations follows up because you didn't upload original receipts with the required details for your pcard purchases.

WSU's Crisis Management Plan is a far more complex example. Because of its complexity, the university periodically practices business continuity planning by conducting a tabletop exercise.

What controls do you most rely on in your area of influence?