Summary
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
Control activities serve as mechanisms for managing the achievement of an entity’s objectives and are very much a part of the processes by which an entity strives to achieve those objectives. They do not exist simply for their own sake or because having them is the right or proper thing to do.
Control activities can support one or more of the entity’s operations, reporting, and compliance objectives. For example, an online retailer’s controls over the security of its information technology affect the processing of accurate and valid transactions with consumers, the protection of consumers’ confidential credit card information, and the availability and security of its website. In this case, control activities are necessary to support the reporting, compliance, and operations objectives.
Principles relating to the Control Activities component
Selects and Develops Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Selects and Develops General Controls over Technology
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Deploys through Policies and Procedures
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Overview
Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
Principles
10.1 Management should design control activities to achieve objectives and respond to risks.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Response to Objectives and Risks
10.2 Management designs control activities in response to the entity’s objectives and risks to achieve an effective internal control system. Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives and address related risks. As part of the control environment component, management defines responsibilities, assigns them to key roles, and delegates authority to achieve the entity’s objectives. As part of the risk assessment component, management identifies the risks related to the entity and its objectives, including its service organizations; the entity’s risk tolerance; and risk responses. Management designs control activities to fulfill defined responsibilities and address identified risk responses.
Design of Appropriate Types of Control Activities
10.3 Management designs appropriate types of control activities for the entity’s internal control system. Control activities help management fulfill responsibilities and address identified risk responses in the internal control system. The common control activity categories listed in figure 6 are meant only to illustrate the range and variety of control activities that may be useful to management. The list is not all inclusive and may not include particular control activities that an entity may need.
Figure 6: Examples of Common Categories of Control Activities
Top-level reviews of actual performance
Management tracks major entity achievements and compares these to the plans, goals, and objectives set by the entity.
Reviews by management at the functional or activity level
Management compares actual performance to planned or expected results throughout the organization and analyzes significant differences.
Management of human capital
Effective management of an entity’s workforce, its human capital, is essential to achieving results and an important part of internal control. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management continually assesses the knowledge, skills, and ability needs of the entity so that the entity is able to obtain a workforce that has the required knowledge, skills, and abilities to achieve organizational goals. Training is aimed at developing and retaining employee knowledge, skills, and abilities to meet changing organizational needs. Management provides qualified and continuous supervision so that internal control objectives are achieved. Management designs a performance evaluation and feedback system, supplemented by an effective rewards system, to help employees understand the connection between their performance and the entity’s success. As part of its human capital planning, management also considers how best to retain valuable employees, plan for their eventual departure, and maintain a continuity of needed skills and abilities.
Controls over information processing
A variety of control activities are used in information processing. Examples include edit checks of data entered; accounting for transactions in numerical sequences; comparing file totals with control accounts; and controlling access to data, files, and programs.
Physical control over vulnerable assets
Management establishes physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. Management periodically counts and compares such assets to control records.
Establishment and review of performance measures and indicators
Management establishes activities to monitor performance measures and indicators. These may include comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Management designs controls aimed at validating the propriety and integrity of both entity and individual performance measures and indicators.
Segregation of duties
Management divides or segregates key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event.
Proper execution of transactions
Transactions are authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources are initiated or entered into. Management clearly communicates authorizations to personnel.
Accurate and timely recording of transactions
Transactions are promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from its initiation and authorization through its final classification in summary records. In addition, management designs control activities so that all transactions are completely and accurately recorded.Access restrictions to and accountability for resources and records
Management limits access to resources and records to authorized individuals, and assigns and maintains accountability for their custody and use. Management may periodically compare resources with the recorded accountability to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.Appropriate documentation of transactions and internal control
Management clearly documents internal control and all transactions and other significant events in a manner that allows the documentation to be readily available for examination. The documentation may appear in management directives, administrative policies, or operating manuals, in either paper or electronic form. Documentation and records are properly managed and maintained.
An entity’s internal control is flexible to allow management to tailor control activities to meet the entity’s special needs. The specific control activities used by a given entity may be different from those used by others based on a number of factors. These factors could include specific threats the entity faces and risks it incurs; differences in objectives; managerial judgment; size and complexity of the entity; operational environment; sensitivity and value of data; and requirements for system reliability, availability, and performance.
10.4 Control activities can be either preventive or detective. The main difference between preventive and detective control activities is the timing of a control activity within an entity’s operations. A preventive control activity prevents an entity from failing to achieve an objective or address a risk. A detective control activity discovers when an entity is not achieving an objective or addressing a risk before the entity’s operation has concluded and corrects the actions so that the entity achieves the objective or addresses the risk.
10.5 Management evaluates the purpose of the control activity as well as the effect a deficiency would have on the entity in achieving its objectives. If the control activity is for a significant purpose or the impact of a deficiency would be significant to achieving the entity’s objectives, management may design both preventive and detective control activities.
10.6 Control activities can be implemented in either an automated or a manual manner. Automated control activities are either wholly or partially automated through the entity’s information technology. Manual control activities are performed by individuals with minor use of the entity’s information technology. Automated control activities tend to be more reliable because they are less susceptible to human error and are typically more efficient. If the entity relies on information technology in its operations, management designs control activities so that the information technology continues to operate properly.
Design of Control Activities at Various Levels
10.7 Management designs control activities at the appropriate levels in the organizational structure.
10.8 Management designs control activities for appropriate coverage of objectives and risks in the operations. Operational processes transform inputs into outputs to achieve the organization’s objectives. Management designs entity-level control activities, transaction control activities, or both depending on the level of precision needed so that the entity meets its objectives and addresses related risks.
10.9 Entity-level controls are controls that have a pervasive effect on an entity’s internal control system and may pertain to multiple components. Entity-level controls may include controls related to the entity’s risk assessment process, control environment, service organizations, management override, and monitoring.
10.10 Transaction control activities are actions built directly into operational processes to support the entity in achieving its objectives and addressing related risks. “Transactions” tends to be associated with financial processes (e.g., payables transactions), while “activities” is more generally applied to operational or compliance processes. For the purposes of this standard, “transactions” covers both definitions. Management may design a variety of transaction control activities for operational processes, which may include verifications, reconciliations, authorizations and approvals, physical control activities, and supervisory control activities.
10.11 When choosing between entity-level and transaction control activities, management evaluates the level of precision needed for the operational processes to meet the entity’s objectives and address related risks. In determining the necessary level of precision for a control activity, management evaluates the following:
Segregation of Duties
10.12 Management considers segregation of duties in designing control activity responsibilities so that incompatible duties are segregated and, where such segregation is not practical, designs alternative control activities to address the risk.
10.13 Segregation of duties helps prevent fraud, waste, and abuse in the internal control system. Management considers the need to separate control activities related to authority, custody, and accounting of operations to achieve adequate segregation of duties. In particular, segregation of duties can address the risk of management override. Management override circumvents existing control activities and increases fraud risk. Management addresses this risk through segregation of duties, but cannot absolutely prevent it because of the risk of collusion, where two or more employees act together to commit fraud.
10.14 If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.
11.1 Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Design of the Entity’s Information System
11.2 Management designs the entity’s information system to respond to the entity’s objectives and risks.
11.3 Management designs the entity’s information system to obtain and process information to meet each operational process’s information requirements and to respond to the entity’s objectives and risks. An information system is the people, processes, data, and technology that management organizes to obtain, communicate, or dispose of information. An information system represents the life cycle of information used for the entity’s operational processes that enables the entity to obtain, store, and process quality information. An information system includes both manual and technology-enabled information processes. Technology-enabled information processes are commonly referred to as information technology. As part of the control environment component, management defines responsibilities, assigns them to key roles, and delegates authority to achieve the entity’s objectives. As part of the risk assessment component, management identifies the risks related to the entity and its objectives, including its service organizations; the entity’s risk tolerance; and risk responses. Management designs control activities to fulfill defined responsibilities and address the identified risk responses for the entity’s information system.
11.4 Management designs the entity’s information system and the use of information technology by considering the defined information requirements for each of the entity’s operational processes.35 Information technology enables information related to operational processes to become available to the entity on a timelier basis. Additionally, information technology may enhance internal control over security and confidentiality of information by appropriately restricting access. Although information technology implies specific types of control activities, information technology is not a “stand-alone” control consideration. It is an integral part of most control activities.
11.5 Management also evaluates information processing objectives to meet the defined information requirements. Information processing objectives may include the following:
Design of Appropriate Types of Control Activities
11.6 Management designs appropriate types of control activities in the entity’s information system for coverage of information processing objectives for operational processes. For information systems, there are two main types of control activities: general and application control activities.
11.7 Information system general controls (at the entity-wide, system, and application levels) are the policies and procedures that apply to all or a large segment of an entity’s information systems. General controls facilitate the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning.
11.8 Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master file, interface, and data management system controls.
Design of Information Technology Infrastructure
11.9 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. Information technology requires an infrastructure in which to operate, including communication networks for linking information technologies, computing resources for applications to operate, and electricity to power the information technology. An entity’s information technology infrastructure can be complex. It may be shared by different units within the entity or outsourced either to service organizations or to location-independent technology services. Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure.
11.10 Management continues to evaluate changes in the use of information technology and designs new control activities when these changes are incorporated into the entity’s information technology infrastructure. Management also designs control activities needed to maintain the information technology infrastructure. Maintaining technology often includes backup and recovery procedures, as well as continuity of operations plans, depending on the risks and consequences of a full or partial power systems outage.
Design of Security Management
11.11 Management designs control activities for security management of the entity’s information system for appropriate access by internal and external sources to protect the entity’s information system. Objectives for security management include confidentiality, integrity, and availability. Confidentiality means that data, reports, and other outputs are safeguarded against unauthorized access. Integrity means that information is safeguarded against improper modification or destruction, which includes ensuring information’s nonrepudiation and authenticity. Availability means that data, reports, and other relevant information are readily available to users when needed.
11.12 Security management includes the information processes and control activities related to access rights in an entity’s information technology, including who has the ability to execute transactions. Security management includes access rights across various levels of data, operating system (system software), network, application, and physical layers. Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
11.13 Management evaluates security threats to information technology, which can be from both internal and external sources. External threats are particularly important for entities that depend on telecommunications networks and the Internet. External threats have become prevalent in today’s highly interconnected business environments, and continual effort is required to address these risks. Internal threats may come from former or disgruntled employees. They pose unique risks because they may be both motivated to work against the entity and better equipped to succeed in carrying out a malicious act as they have greater access to and knowledge of the entity’s security management systems and processes.
11.14 Management designs control activities to limit user access to information technology through authorization control activities such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity. Management also designs control activities for access rights when different information technology elements are connected to each other.
Design of Information Technology Acquisition, Development, and Maintenance
11.15 Management designs control activities over the acquisition, development, and maintenance of information technology. Management may use a systems development life cycle (SDLC) framework in designing control activities. An SDLC provides a structure for a new information technology design by outlining specific phases and documenting requirements, approvals, and checkpoints within control activities over the acquisition, development, and maintenance of technology. Through an SDLC, management designs control activities over changes to technology. This may involve requiring authorization of change requests; reviewing the changes, approvals, and testing results; and designing protocols to determine whether changes are made properly. Depending on the size and complexity of the entity, development of information technology and changes to the information technology may be included in one SDLC or two separate methodologies. Management evaluates the objectives and risks of the new technology in designing control activities over its SDLC.
11.16 Management may acquire information technology through packaged software from vendors. Management incorporates methodologies for the acquisition of vendor packages into its information technology development and designs control activities over their selection, ongoing development, and maintenance. Control activities for the development, maintenance, and change of application software prevent unauthorized programs or modifications to existing programs.
11.17 Another alternative is outsourcing the development of information technology to service organizations. As for an SDLC developed internally, management designs control activities to meet objectives and address related risks. Management also evaluates the unique risks that using a service organization presents for the completeness, accuracy, and validity of information submitted to and received from the service organization.
12.1 Management should implement control activities through policies.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Documentation of Responsibilities through Policies
12.2 Management documents in policies the internal control responsibilities of the organization.
12.3 Management documents in policies for each unit its responsibility for an operational process’s objectives and related risks, and control activity design, implementation, and operating effectiveness. Each unit, with guidance from management, determines the policies necessary to operate the process based on the objectives and related risks for the operational process. Each unit also documents policies in the appropriate level of detail to allow management to effectively monitor the control activity.
12.4 Those in key roles for the unit may further define policies through day-to-day procedures, depending on the rate of change in the operating environment and complexity of the operational process. Procedures may include the timing of when a control activity occurs and any follow-up corrective actions to be performed by competent personnel if deficiencies are identified. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.
Periodic Review of Control Activities
12.5 Management periodically reviews policies, procedures, and related control activities for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks. If there is a significant change in an entity’s process, management reviews this process in a timely manner after the change to determine that the control activities are designed and implemented appropriately. Changes may occur in personnel, operational processes, or information technology. Regulators; legislators; and in the federal environment, the Office of Management and Budget and the Department of the Treasury may also change either an entity’s objectives or how an entity is to achieve an objective. Management considers these changes in its periodic review.