Principle 10 - Design Control Activities
10.01 Management should design control activities to achieve objectives and respond to risks.
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
- Response to Objectives and Risks
- Design of Appropriate Types of Control Activities
- Design of Control Activities at Various Levels
- Segregation of Duties
Response to Objectives and Risks
10.02 Management designs control activities in response to the entity’s objectives and risks to achieve an effective internal control system. Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives and address related risks. As part of the control environment component, management defines responsibilities, assigns them to key roles, and delegates authority to achieve the entity’s objectives. As part of the risk assessment component, management identifies the risks related to the entity and its objectives, including its service organizations; the entity’s risk tolerance; and risk responses. Management designs control activities to fulfill defined responsibilities and address identified risk responses.
Design of Appropriate Types of Control Activities
10.03 Management designs appropriate types of control activities for the entity’s internal control system. Control activities help management fulfill responsibilities and address identified risk responses in the internal control system. The common control activity categories listed in figure 6 are meant only to illustrate the range and variety of control activities that may be useful to management. The list is not all inclusive and may not include particular control activities that an entity may need.
Figure 6: Examples of Common Categories of Control Activities
- Top-level reviews of actual performance
- Reviews by management at the functional or activity level
- Management of human capital
- Controls over information processing
- Physical control over vulnerable assets
- Establishment and review of performance measures and indicators
- Segregation of duties
- Proper execution of transactions
- Accurate and timely recording of transactions
- Access restrictions to and accountability for resources and records
- Appropriate documentation of transactions and internal control
Top-level reviews of actual performance
Management tracks major entity achievements and compares these to the plans, goals, and objectives set by the entity.
Reviews by management at the functional or activity level
Management compares actual performance to planned or expected results throughout the organization and analyzes significant differences.
Management of human capital
Effective management of an entity’s workforce, its human capital, is essential to achieving results and an important part of internal control. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management continually assesses the knowledge, skills, and ability needs of the entity so that the entity is able to obtain a workforce that has the required knowledge, skills, and abilities to achieve organizational goals. Training is aimed at developing and retaining employee knowledge, skills, and abilities to meet changing organizational needs. Management provides qualified and continuous supervision so that internal control objectives are achieved. Management designs a performance evaluation and feedback system, supplemented by an effective rewards system, to help employees understand the connection between their performance and the entity’s success. As part of its human capital planning, management also considers how best to retain valuable employees, plan for their eventual departure, and maintain a continuity of needed skills and abilities.
Controls over information processing
A variety of control activities are used in information processing. Examples include edit checks of data entered; accounting for transactions in numerical sequences; comparing file totals with control accounts; and controlling access to data, files, and programs.
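The controls named above can be shown in code. The following is an added example, not text or code from the standard: it runs three of the listed controls over a constructed batch of payable transactions, namely edit checks on entered data (a preventive control that rejects a record before it is posted), accounting for transactions in numerical sequence (a detective control that reports gaps and duplicates in the document numbers), and comparison of the posted file total with the control total the submitting unit reported. The field names, rejection rules, sample records and control total are all assumptions made for illustration.

```python
"""Added example (not from the standard): processing controls over a
constructed batch of payable transactions. Field names, rules and the
sample data are assumptions for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Iterable, List, Optional, Tuple

# Constructed batch. The submitting unit reports its own count and total
# separately (CONTROL_TOTAL below) so the file can be reconciled to it.
SAMPLE_BATCH = [
    {"doc_no": "1001", "vendor": "V-12", "amount": "250.00", "approved_by": "ops.lead"},
    {"doc_no": "1002", "vendor": "V-12", "amount": "-40.00", "approved_by": "ops.lead"},  # fails edit check
    {"doc_no": "1004", "vendor": "V-07", "amount": "900.00", "approved_by": ""},          # no approver; 1003 never arrived
    {"doc_no": "1004", "vendor": "V-07", "amount": "900.00", "approved_by": "fin.lead"},  # duplicate document number
    {"doc_no": "1005", "vendor": "V-03", "amount": "125.50", "approved_by": "fin.lead"},
]
# Assumed figures reported by the submitting unit for the records it expects to post.
CONTROL_TOTAL = {"count": 3, "amount": Decimal("1275.50")}


@dataclass
class Result:
    posted: List[dict]
    rejected: List[Tuple[dict, str]]
    sequence_gaps: List[int]
    duplicates: List[int]
    reconciles: bool
    file_total: Decimal


def edit_check(rec: dict) -> Optional[str]:
    """Preventive control: return a rejection reason, or None if the record passes."""
    if not rec["doc_no"].isdigit():
        return "document number not numeric"
    try:
        amt = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount not a number"
    if amt <= 0:
        return "amount must be positive"
    if not rec["approved_by"]:
        return "no recorded approver"
    return None


def sequence_check(doc_nos: Iterable[str]) -> Tuple[List[int], List[int]]:
    """Detective control: report missing and repeated numbers in the sequence."""
    seen, dups = set(), set()
    for n in (int(d) for d in doc_nos):
        if n in seen:
            dups.add(n)
        seen.add(n)
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return gaps, sorted(dups)


def process_batch(batch: List[dict], control_total: dict) -> Result:
    """Apply the edit check to each record, then the sequence and control-total checks."""
    posted, rejected = [], []
    for rec in batch:
        reason = edit_check(rec)
        if reason:
            rejected.append((rec, reason))
        else:
            posted.append(rec)
    # The sequence check runs over everything submitted, rejected records included,
    # because a rejected record still accounts for its document number.
    gaps, dups = sequence_check(r["doc_no"] for r in batch)
    file_total = sum((Decimal(r["amount"]) for r in posted), Decimal("0"))
    reconciles = (len(posted) == control_total["count"]
                  and file_total == control_total["amount"])
    return Result(posted, rejected, gaps, dups, reconciles, file_total)


if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH, CONTROL_TOTAL)
    print("posted:", [x["doc_no"] for x in r.posted])
    print("rejected:", [(x["doc_no"], why) for x, why in r.rejected])
    print("gaps:", r.sequence_gaps, "duplicates:", r.duplicates)
    print("file total", r.file_total, "reconciles:", r.reconciles)
```

On this constructed batch the posted file reconciles to the control total, yet the sequence check still reports that document 1003 never arrived and that 1004 was submitted twice. That is the reason the controls are listed side by side: a control total confirms that what was posted matches what was reported, while sequence accounting confirms that everything issued was accounted for, and neither check substitutes for the other.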
Physical control over vulnerable assets
Management establishes physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. Management periodically counts and compares such assets to control records.
Establishment and review of performance measures and indicators
Management establishes activities to monitor performance measures and indicators. These may include comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Management designs controls aimed at validating the propriety and integrity of both entity and individual performance measures and indicators.
Segregation of duties
Management divides or segregates key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event.
Proper execution of transactions
Transactions are authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources are initiated or entered into. Management clearly communicates authorizations to personnel.
Accurate and timely recording of transactions
Transactions are promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from its initiation and authorization through its final classification in summary records. In addition, management designs control activities so that all transactions are completely and accurately recorded.
Access restrictions to and accountability for resources and records
Management limits access to resources and records to authorized individuals, and assigns and maintains accountability for their custody and use. Management may periodically compare resources with the recorded accountability to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Appropriate documentation of transactions and internal control
Management clearly documents internal control and all transactions and other significant events in a manner that allows the documentation to be readily available for examination. The documentation may appear in management directives, administrative policies, or operating manuals, in either paper or electronic form. Documentation and records are properly managed and maintained.
An entity’s internal control is flexible to allow management to tailor control activities to meet the entity’s special needs. The specific control activities used by a given entity may be different from those used by others based on a number of factors. These factors could include specific threats the entity faces and risks it incurs; differences in objectives; managerial judgment; size and complexity of the entity; operational environment; sensitivity and value of data; and requirements for system reliability, availability, and performance.
10.04 Control activities can be either preventive or detective. The main difference between preventive and detective control activities is the timing of a control activity within an entity’s operations. A preventive control activity stops the entity from failing to achieve an objective or address a risk before the failure occurs. A detective control activity discovers, before the entity’s operation has concluded, that the entity is not achieving an objective or addressing a risk, so that the actions can be corrected and the entity still achieves the objective or addresses the risk.
10.05 Management evaluates the purpose of the control activity as well as the effect a deficiency would have on the entity in achieving its objectives. If the control activity is for a significant purpose or the impact of a deficiency would be significant to achieving the entity’s objectives, management may design both preventive and detective control activities.
10.06 Control activities can be implemented in either an automated or a manual manner. Automated control activities are either wholly or partially automated through the entity’s information technology. Manual control activities are performed by individuals with minor use of the entity’s information technology. Automated control activities tend to be more reliable because they are less susceptible to human error and are typically more efficient, but they are only as reliable as the information technology that implements them: an unauthorized program change, a misconfiguration, or unauthorized access to the system can disable or bypass an automated control for every transaction it handles. If the entity relies on information technology in its operations, management therefore designs control activities so that the information technology continues to operate properly.
Design of Control Activities at Various Levels
10.07 Management designs control activities at the appropriate levels in the organizational structure.
10.08 Management designs control activities for appropriate coverage of objectives and risks in the operations. Operational processes transform inputs into outputs to achieve the organization’s objectives. Management designs entity-level control activities, transaction control activities, or both depending on the level of precision needed so that the entity meets its objectives and addresses related risks.
10.09 Entity-level controls are controls that have a pervasive effect on an entity’s internal control system and may pertain to multiple components. Entity-level controls may include controls related to the entity’s risk assessment process, control environment, service organizations, management override, and monitoring.
10.10 Transaction control activities are actions built directly into operational processes to support the entity in achieving its objectives and addressing related risks. “Transactions” tends to be associated with financial processes (e.g., payables transactions), while “activities” is more generally applied to operational or compliance processes. For the purposes of this standard, “transactions” covers both definitions. Management may design a variety of transaction control activities for operational processes, which may include verifications, reconciliations, authorizations and approvals, physical control activities, and supervisory control activities.
10.11 When choosing between entity-level and transaction control activities, management evaluates the level of precision needed for the operational processes to meet the entity’s objectives and address related risks. In determining the necessary level of precision for a control activity, management evaluates the following:
- Purpose of the control activity - A control activity that functions to prevent or detect generally is more precise than a control activity that merely identifies and explains differences.
- Level of aggregation - A control activity that is performed at a more granular level generally is more precise than one performed at a higher level. For example, an analysis of obligations by budget object class normally is more precise than an analysis of total obligations for the entity.
- Consistency of performance - A control activity that is performed routinely and consistently generally is more precise than one performed sporadically.
- Correlation to relevant operational processes - A control activity that is directly related to an operational process generally is more likely to prevent or detect than a control activity that is only indirectly related.
Segregation of Duties
10.12 Management considers segregation of duties in designing control activity responsibilities so that incompatible duties are segregated and, where such segregation is not practical, designs alternative control activities to address the risk.
10.13 Segregation of duties helps prevent fraud, waste, and abuse in the internal control system. Management considers the need to separate control activities related to authority, custody, and accounting of operations to achieve adequate segregation of duties. In particular, segregation of duties can address the risk of management override. Management override circumvents existing control activities and increases fraud risk. Management addresses this risk through segregation of duties, but cannot absolutely prevent it because of the risk of collusion, where two or more employees act together to commit fraud.
10.14 If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.
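Paragraphs 10.12 through 10.14 can be expressed as a check that an entity could run over its role assignments. The following is an added example, not code from the standard: it groups duties into the three classes named in 10.13 (authority, custody, accounting), flags any person who holds duties from two classes for the same process, and, for the case in 10.14 where segregation is not practical, lets management register an alternative control against a specific conflict so that the finding is reported as mitigated rather than open. The duty names, class mapping, sample assignments and the format of the alternative-control register are all assumptions for illustration.

```python
"""Added example (not from the standard): segregation-of-duties check over
role assignments, with an alternative-control register for conflicts that
cannot be separated. Duty and role names are assumptions."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed mapping of each duty to its class; duties in different classes are
# incompatible when held by the same person.
DUTY_CLASS = {
    "approve_invoice": "authority",
    "release_payment": "custody",
    "record_payment": "accounting",
    "reconcile_bank": "accounting",
}

# Constructed assignments as (person, duty) pairs.
ASSIGNMENTS = [
    ("alice", "approve_invoice"),
    ("bob", "release_payment"),
    ("carol", "record_payment"),
    ("carol", "reconcile_bank"),   # two duties in the same class: not a conflict
    ("dave", "approve_invoice"),
    ("dave", "release_payment"),   # authority plus custody: conflict
]

# Assumed register format: (person, pair of conflicting classes) -> description
# of the alternative control management designed under 10.14.
AlternativeControls = Dict[Tuple[str, FrozenSet[str]], str]
Finding = Tuple[str, str, str, Optional[str]]  # person, class a, class b, alternative control


def classes_held(assignments: List[Tuple[str, str]]) -> Dict[str, Dict[str, set]]:
    """Group each person's duties by duty class."""
    held: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for person, duty in assignments:
        held[person][DUTY_CLASS[duty]].add(duty)
    return held


def sod_conflicts(assignments: List[Tuple[str, str]],
                  alternative_controls: Optional[AlternativeControls] = None) -> List[Finding]:
    """Return one finding per person and pair of incompatible classes they hold."""
    alternative_controls = alternative_controls or {}
    findings: List[Finding] = []
    for person, by_class in classes_held(assignments).items():
        classes = sorted(by_class)
        for i, a in enumerate(classes):
            for b in classes[i + 1:]:
                compensating = alternative_controls.get((person, frozenset({a, b})))
                findings.append((person, a, b, compensating))
    return findings


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Conflicts with no alternative control registered against them."""
    return [f for f in findings if f[3] is None]


if __name__ == "__main__":
    open_findings = sod_conflicts(ASSIGNMENTS)
    print("conflicts:", open_findings)
    register = {("dave", frozenset({"authority", "custody"})):
                "monthly independent review of dave's releases by erin"}
    print("still unmitigated:", unmitigated(sod_conflicts(ASSIGNMENTS, register)))
```

The check examines each person's own assignments, which is what segregation of duties addresses. It cannot see two people who hold complementary duties acting together, which is the collusion limit 10.13 describes, and a registered alternative control only changes how a finding is reported; whether that control actually operates is a matter for the monitoring component.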