Page 108 - CITP Review

A control is a task or action intended to mitigate a risk for a specific control objective.
            Control activities should be integrated with risk assessment: each risk identified in the risk assessment
            is assigned one or more controls, and the strength of the control is matched to the level of the risk (for
            example, a strong control for a high risk). Control activities include the policies and procedures (P&P)
            designed to ensure that management's directives for internal control are carried out.

            If the process is followed properly (an effective risk assessment, followed by control activities developed
            from the identified risks, with each control linked to the assessed risk), the actions necessary to address
            the risks to the entity's business model, goals, and objectives are taken.

            Control activities should permeate the entity at all levels: business processes, information systems, and
            financial reporting processes. They include important accounting activities such as the following:

              Authorizations
              Verifications
              Reconciliations
              Reviews
              Access rights
              Protection of assets
              Segregation of duties

            Control activities are chosen and developed based on their potential to mitigate risks to achieving financial
            reporting objectives and key IT goals and strategies. Before being deployed, controls are also subject to a
            cost-benefit analysis. That is, a control that costs more than the quantifiable amount of the potential loss
            it would prevent is simply not deployed; the resulting exposure remains and will probably need to be covered
            by insurance or some other alternative means.

            Control activities are generally seen to fall into two broad categories: physical and computer.


            Physical controls are those whose objectives address independent verification, transaction authorization,
            segregation of duties, supervision, accounting records and the audit trail, and physical access controls.
            Computer controls are subdivided into general controls and application controls.

            Control activities can be either preventive or detective. Timing determines which: a preventive control
            mitigates the risk of an unintended activity before it starts (for example, an authorization check that
            blocks a transaction), whereas a detective control takes effect after a process has started and identifies
            errors or irregularities that have already occurred (for example, a reconciliation that flags a mismatch).
            Controls of either type can be manual or automated; examples include verifications, business performance
            reviews, reconciliations, and approvals.
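            The following is an added worked example, not part of the CITP Review text, that puts the preceding
            ideas side by side in code: a preventive control (transaction authorization with an approval limit and a
            segregation-of-duties check, applied before a payment is posted) and a detective control (a reconciliation
            of posted payments against a bank statement, run after the fact). The payments, approver names, approval
            limits, and bank statement are all constructed for illustration; an entity's actual authorization matrix
            and reconciliation rules will differ.

```python
"""Added example (not from the CITP Review text): preventive vs detective controls
over a toy payment process. All roles, limits, payments and bank records below
are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed authorization matrix: maximum amount each person may approve.
# A limit of 0 means the person may request payments but never approve them.
ROLE_LIMITS: Dict[str, float] = {"alice": 0.0, "bob": 10_000.00, "carol": 100_000.00}


@dataclass
class Payment:
    pid: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None


def authorize(payment: Payment, approver: str,
              role_limits: Dict[str, float] = ROLE_LIMITS) -> Payment:
    """Preventive control: runs BEFORE posting and raises on any violation.

    Enforces (1) the approver is a known role, (2) segregation of duties,
    i.e. the requester may not approve their own payment, and (3) the amount
    is within the approver's limit.
    """
    if approver not in role_limits:
        raise PermissionError(f"{payment.pid}: unknown approver {approver!r}")
    if approver == payment.requested_by:
        raise PermissionError(f"{payment.pid}: segregation of duties violated, "
                              f"{approver!r} cannot approve own request")
    if payment.amount > role_limits[approver]:
        raise PermissionError(f"{payment.pid}: {payment.amount:.2f} exceeds "
                              f"{approver!r} limit {role_limits[approver]:.2f}")
    payment.approved_by = approver
    return payment


def post_payment(ledger: Dict[str, float], payment: Payment) -> None:
    """Posting refuses anything that did not pass the preventive control."""
    if payment.approved_by is None:
        raise PermissionError(f"{payment.pid}: not approved")
    ledger[payment.pid] = payment.amount


def reconcile(ledger: Dict[str, float],
              bank_statement: Dict[str, float]) -> List[Tuple[str, str]]:
    """Detective control: runs AFTER posting and compares the ledger with the
    bank statement, returning a sorted list of (payment id, exception)."""
    exceptions: List[Tuple[str, str]] = []
    for pid, amount in ledger.items():
        cleared = bank_statement.get(pid)
        if cleared is None:
            exceptions.append((pid, "posted to ledger but not cleared at bank"))
        elif abs(cleared - amount) > 0.005:
            exceptions.append((pid, f"amount mismatch: ledger {amount:.2f}, bank {cleared:.2f}"))
    for pid in bank_statement.keys() - ledger.keys():
        exceptions.append((pid, "cleared at bank but never posted to ledger"))
    return sorted(exceptions)


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Returns (payments blocked by the preventive control,
    exceptions raised by the detective control)."""
    ledger: Dict[str, float] = {}
    blocked: List[Tuple[str, str]] = []
    # Constructed payment requests: (payment, who tries to approve it).
    requests = [
        (Payment("P-1", 2_500.00, "alice"), "bob"),     # valid: within bob's limit
        (Payment("P-2", 4_000.00, "alice"), "alice"),   # requester approving own payment
        (Payment("P-3", 25_000.00, "alice"), "bob"),    # exceeds bob's limit
        (Payment("P-4", 60_000.00, "alice"), "carol"),  # valid: within carol's limit
    ]
    for payment, approver in requests:
        try:
            post_payment(ledger, authorize(payment, approver))
        except PermissionError as exc:
            blocked.append((payment.pid, str(exc)))

    # Constructed bank statement: P-4 cleared for the wrong amount and P-9 was
    # paid without ever being posted; only the detective control can see these.
    bank_statement = {"P-1": 2_500.00, "P-4": 60_500.00, "P-9": 750.00}
    return blocked, reconcile(ledger, bank_statement)


if __name__ == "__main__":
    blocked, exceptions = run_demo()
    print("Blocked by preventive control:", blocked)
    print("Flagged by detective control:", exceptions)
```

            The two controls are deliberately independent: the preventive check stops the invalid requests (P-2 and
            P-3) before anything reaches the ledger, while the reconciliation catches what no pre-posting check can
            see, namely a cleared amount that differs from the posted one (P-4) and a disbursement that bypassed the
            ledger entirely (P-9). A control framework that relies only on the first leaves the second class of
            exposure undetected.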

            The information and communication element involves the timely identification, documentation, and
            communication of the relevant information that employees and stakeholders need to carry out their
            responsibilities. This element includes the financial reporting systems and their ability to properly
            capture data, report information, and assist management in making decisions and managing the
            business.

            Although this element obviously includes internal reporting, it also includes external reporting to the
            appropriate external parties (for example, customers, vendors, regulators, banks, and shareholders).




            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-24