Page 254 - COSO Guidance Book
Management establishes control activities that are built into business processes and employees’ day-
to-day activities through policies establishing what is expected and relevant procedures specifying
actions.
Policies are management’s statements of what should be done to effect control. A government
agency might establish a conflict-of-interest policy that prohibits agency
employees from accepting a gift of any amount from a vendor. Procedures that could be
implemented to provide assurance that this portion of the policy is adhered to would include activities
such as requiring new-employee training concerning the policy and having all employees sign
annually a document stating that they understand and have complied with this portion of the policy.
The framework notes that unwritten policies can be effective where the policy has existed for a long
time and is a well-understood practice. This can be particularly applicable in smaller entities where
communication channels involve few levels of management and where there is close interaction with
and supervision of personnel.
However, the framework notes further that unwritten policies and procedures can be easier to thwart,
can be expensive to the entity if there is employee turnover, and can decrease accountability. If the
policies and procedures are subject to external-party review, such as a community bank that is visited
annually by regulators, then the policies and procedures would be expected to be formally
documented.
Point of focus — Establishes responsibility and accountability for executing policies and procedures
Management establishes responsibility and accountability for control activities with management (or
other designated personnel) of the business unit or function in which the relevant risks reside.
In the example of the jewelry store discussed previously, the owner-manager would assign the daily
count of inventory to certain experienced supervisors. Another employee might be assigned
responsibility for activating burglar alarms.
Point of focus — Performs in a timely manner
Responsible personnel perform control activities in a timely manner as prescribed by the policies and
procedures.
The procedures should include when a control activity and any follow-up corrective actions are
performed. Untimely procedures can reduce the value of the control activity.
In the jewelry store example, the owner-manager should compare daily the physical inventory count
reports with the inventory per the books. A delay in the review might increase the likelihood of not
detecting cumulatively material inventory shortages resulting from employee or customer theft or
error.
Point of focus — Takes corrective action
Responsible personnel investigate and act on matters identified as a result of executing control
activities. If necessary, corrective action should be taken.
In the jewelry store example, the owner-manager investigated a shortage in the physical inventory
kept in the glass display cabinets. The amount of inventory on the daily count sheet was lower than
the amount on the books. Another count was made by the owner-manager (follow-up action). It was
discovered that the actual inventory kept in the glass display cabinets did indeed agree with the
© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-20