Summary

Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

Control activities serve as mechanisms for managing the achievement of an entity’s objectives and are very much a part of the processes by which an entity strives to achieve those objectives. They do not exist simply for their own sake or because having them is the right or proper thing to do.

Control activities can support one or more of the entity’s operations, reporting, and compliance objectives. For example, an online retailer’s controls over the security of its information technology affect the processing of accurate and valid transactions with consumers, the protection of consumers’ confidential credit card information, and the availability and security of its website. In this case, control activities are necessary to support the reporting, compliance, and operations objectives.

Principles relating to the Control Activities component

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.


11. The organization selects and develops general control activities over technology to support the achievement of objectives.


12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Selects and Develops Control Activities

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

• Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
• Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
• Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
• Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.

Selects and Develops General Controls over Technology

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

• Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Control Activities— Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.

Deploys through Policies and Procedures

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

• Establishes Policies and Procedures to Support Deployment of Management’s Directives—Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures—Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
• Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of executing control activities.
• Performs Using Competent Personnel—Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures—Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.