INGRESOS ANUALES PROCEDENTES DE LAS ADMINISTRACIONES PÚBLICAS (CON

A variety of transaction control activities can be selected and developed, in- cluding the following:

•

valid (i.e., it represents an actual economic event or is within an entity’s policy). An authorization typically takes the form of an approval by a high- er level of management or of verification and a determination if the trans- action is valid. For example, a supervisor approves an expense report after reviewing whether the expenses seem reasonable and within policy. An example of an automated approval is where an invoice unit cost is automatically compared with the related purchase order unit cost within a pre-established tolerance level. Invoices within the tolerance level are automatically approved for payment. Those invoices outside the tolerance level are flagged for additional investigation.

•

compare an item with a policy, and perform a follow-up action when the two items do not match or the item is not consistent with policy. Examples include computer matching or a reasonableness check. Verifica- tions generally address the completeness, accuracy, or validity of pro- cessing transactions.

•

sets are secured physically (e.g., in locked or guarded storage areas with physical access restricted to authorized personnel) and are periodically counted and compared with amounts shown on control records.

•

is often used to support the processing of transactions within a business process. Control activities over the processes to populate, update, and maintain the accuracy, completeness, and validity of this data are put in place by the organization.

•

differences are identified, action is taken to bring the data into agree- ment. For example, a reconciliation is performed over daily cash flows with net positions reported centrally for overnight transfer and invest- ment. Reconciliations generally address the completeness and/or accuracy of processing transactions.

•

tion control activities (i.e., particular verifications, reconciliations, author- izations and approvals, controls over standing data, and physical control activities) are being performed completely, accurately, and according to policy and procedures. Management normally uses judgment to select and develop supervisory controls over higher risk transactions. For instance, a supervisor may review18whether an accounting clerk performs a recon- ciliation according to policy. This can be a high-level review (e.g., check- ing if the reconciliation spreadsheet has been completed) or a more de- tailed review, (e.g., checking to see if any reconciling items have been fol- lowed up and corrected or an appropriate explanation is provided).

Control activities can be preventive or detective, and organizations usually select a mix. The major difference is the timing of when the control activity occurs. A preventive control is designed to avoid an unintended event or res- ult at the time of initial occurrence (e.g., upon initially recording a financial transaction or upon initiating a manufacturing process). A detective control is designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded (e.g., issuing financial reports or completing a manufacturing process). In both cases the critical part of the control activity is the action taken to correct or avoid an unintended event or result.

When selecting and developing control activities, the organization considers the precision of the control activity—that is, how exact it will be in preventing or detecting an unintended event or result. For example, suppose the pur- chasing manager of a company reviews all purchases over $1 million. This control activity may mitigate the risk of errors over $1 million, helping to cap the entity’s exposure, but it does not cover all transactions. In contrast, an automated edit check that compares prices on all purchase orders to the price master file and produces a report of variances that is reviewed by a purchasing supervisor addresses accuracy for all transactions. Control activity precision is closely linked to the organization’s risk tolerance for a particular objective (i.e., the tighter the risk tolerance, the more precise the actions to mitigate the risk and the related control activities need to be).

When selecting and developing control activities it is important to understand what a particular control is designed to accomplish (i.e., the specific risk re- sponse the control addresses) and whether it has been developed and imple- mented as designed to mitigate the risk. For example, in one entity sales or- ders undergo an automated or manual edit check that matches a customer’s billing address and zip code to information in a standing data file of valid cus- tomer relationships. If the match fails, corrective action is taken. This control activity helps achieve the accuracy information-processing objective. However, it does not help achieve the completeness information-processing objective (i.e., whether all approved sales orders are being processed). Another control activity, such as sequentially numbering approved sales

orders and then checking if all have been processed, would be needed to ad- dress completeness.