Summary
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
Control activities serve as mechanisms for managing the achievement of an entity’s objectives and are very much a part of the processes by which an entity strives to achieve those objectives. They do not exist simply for their own sake or because having them is the right or proper thing to do.
Control activities can support one or more of the entity’s operations, reporting, and compliance objectives. For example, an online retailer’s controls over the security of its information technology affect the processing of accurate and valid transactions with consumers, the protection of consumers’ confidential credit card information, and the availability and security of its website. In this case, control activities are necessary to support the reporting, compliance, and operations objectives.
Principles relating to the Control Activities component
Selects and Develops Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Selects and Develops General Controls over Technology
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Deploys through Policies and Procedures
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning: