9 The COSO framework: control activities
The third internal control component, control activities, refers to the procedures and policies that help ensure that management instructions are carried out, and that necessary actions are taken to address risks and to ensure that the organisation’s objectives are achieved. Control activities include adequate separation of duties, proper authorisation of transactions and activities, adequate documentation and records, physical control over assets and records, and independent checks on performance (COSO, 2017).
Adequate segregation of duties
The concentration of power in the hands of one or a few individuals can result in a high risk of fraud and abuse. For this reason, COSO (2017) recommends that organisations segregate certain jobs by:
- separating the custody of assets from accounting (e.g. custody of cash and data entry for cash receipts)
- separating the authorisation of transactions from the custody of related assets
- separating IT duties from user departments (e.g. designing and updating information systems).
Proper authorisation
COSO (2017) suggests that any transaction or activity should only be authorised by those with the requisite authority to give such permission. Proper authorisation is needed in order to hold people accountable for their responsibilities.
Adequate documentation and records
Having proper documentation is another vital internal control. Documents should be pre-numbered consecutively to facilitate control over missing documents; prepared at the time a transaction takes place to minimise errors; designed for multiple uses to minimise the number of different forms; and constructed in a manner that encourages correct preparation (e.g. they should contain instructions, spaces for authorisation and columns for numerical data) (Arens, Elder and Beasley, 2014; COSO, 2017).
Physical control over assets and records
This can be defined as using physical precautions to protect assets and an organisation’s resources (Arens, Elder and Beasley, 2014). Examples of physical safeguards include securely locking stockroom doors, appointing security guards, using strong passwords and backups to secure computer files and avoid data loss, installing CCTV cameras and investing in cybersecurity.
