BUSACT702 · Accounting Information Systems
Internal Controls: Activity -> Risk -> Control
This chapter is the second core skill of University of Auckland BUSACT 702: evaluating a process for control. You learn the purpose and types of controls (preventive, detective, corrective), the activity -> risk -> control technique for working through a process one step at a time, and key principles such as segregation of duties. Alongside the flowchart, 'read this narrative, identify the risks and recommend controls' is a standard assessed task, delivered as a three-column table.
What this chapter covers
- 01Purpose of internal control: safeguard assets, ensure reliable records, promote efficiency and compliance
- 02Control types: preventive (stop it happening), detective (find it after), corrective (fix it and prevent recurrence)
- 03The activity -> risk -> control technique: for each activity, name the risk/weakness, then the control that corrects it (a three-column table)
- 04Segregation of duties: separate authorisation, recording and custody so no one person controls a whole transaction
- 05Recurring controls: independent authorisation, sequential (pre-)numbering of documents, exception reporting, blind purchase orders, three-way match
- 06More controls: credit checks and limits, periodic stocktakes, independent master-data maintenance, dual signatories, regular bank reconciliations, edit/validity checks, barcodes/RFID
- 07Anti-fraud/anti-kickback controls: gift and conflict-of-interest policies, job rotation, enforced annual leave, supplier audits
- 08How controls read off a flowchart: a documented weakness (e.g. one person doing sales, billing and shipping) is a segregation-of-duties finding
Spotting a control weakness and recommending the fix
- +1Weakness 1 — segregation of duties. One person (Nancy) controls sales order, billing AND shipping — three duties that should be separated. Risk: she could create fictitious sales, ship goods to a favoured party and bill incorrectly with no independent check.
- +1Control for 1. Segregate the duties: assign order entry, billing and shipping to different people (or add independent review/authorisation of each step), so no single person both records and has custody of the transaction.
- +1Weakness 2 — order prepared regardless of remittance. Preparing a sales order without confirming the remittance/credit position risks selling to non-paying customers and overstating receivables.
- +1Control for 2. Require an independent credit check / credit-limit approval before the order is created, and match the order to the remittance or an approved credit line; use accounts-receivable ageing and exception reporting to catch overdue accounts.
Key terms
- Preventive control
- A control that stops an error or fraud before it happens — e.g. requiring authorisation before a payment, or a credit check before a sale.
- Detective control
- A control that finds an error or fraud after it has happened — e.g. a bank reconciliation, an exception report or an independent stocktake.
- Corrective control
- A control that fixes a problem once detected and prevents its recurrence — e.g. re-running a failed batch and adding an edit check.
- Segregation of duties
- Separating the authorisation, recording and custody of a transaction across different people so no one individual can commit and conceal an error or fraud.
- Three-way match
- Matching the purchase order, the goods-received (receiving) report and the supplier invoice before payment, so you only pay for goods ordered and received at the agreed price.
- Exception reporting
- A detective control that flags transactions falling outside expected parameters (e.g. an over-limit order or an unusually large payment) for review.
Internal Controls: Activity -> Risk -> Control FAQ
What is the activity -> risk -> control technique?
It is the course's method for evaluating a process: take each activity in turn, name the risk or weakness at that step, then state the internal control that corrects it. You present it as a three-column table across the whole transaction cycle.
What is the difference between preventive, detective and corrective controls?
Preventive controls stop a problem before it happens; detective controls find it afterwards; corrective controls fix it and stop it recurring. A strong system layers all three.
Why is segregation of duties so heavily emphasised?
Because concentrating authorisation, recording and custody in one person is the single most common and most dangerous weakness — it lets someone both commit and conceal a fraud. It is the finding the cases are built to expose, so flag it whenever you see it.
How do I find controls from a flowchart or narrative?
Walk it step by step. At each activity ask: what could go wrong here (the risk), and what control would prevent, detect or correct it? Common answers are segregation of duties, independent authorisation, sequential numbering, three-way match, credit checks and bank reconciliations.
Can Sia drill me on risk-and-control analysis?
Yes — paste a process narrative and Sia will build the activity -> risk -> control table with you and check your reasoning, as a study aid. It does not complete graded assessments for you; University of Auckland academic-integrity rules apply.
Exam move
Build a controls memory sheet you can apply to any narrative: the three control types (preventive/detective/corrective) and the recurring controls (segregation of duties, independent authorisation, sequential numbering, blind POs, three-way match, credit checks, stocktakes, bank reconciliations, exception reporting, edit checks). Then drill the Porcelain and Polyanna style cases: for each activity write risk then control, in a strict three-column table, always leading with any segregation-of-duties breach. Practise reading controls straight off a flowchart, because the secure test can ask you to critique as well as draw. Confirm which cases and depth your quarter emphasises on Canvas.
Working through Internal Controls: Activity -> Risk -> Control in BUSACT 702? Sia is AskSia’s AI Accounting tutor — ask any BUSACT 702 Internal Controls: Activity -> Risk -> Control question and get a clear, step-by-step explanation grounded in how BUSACT 702 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.