Policies reflect management’s statement of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through management’s actions and decisions. Procedures consist of actions that implement a policy.
Control activities specifically relate to those policies and procedures that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. A policy, for instance, might call for review of customer trading activities by a securities dealer retail branch manager. The procedure is the review itself, performed in a timely manner and with attention given to factors set forth in the policy, such as the nature and volume of securities traded, and their relation to customer net worth and age.
Policies and procedures are often communicated orally. Unwritten policies can be effective where the policy is a long-standing and well-understood practice, and in smaller organizations where communications channels involve limited management layers and close interaction with and supervision of personnel. Though a cost-effective alternative for some entities, unwritten policies and procedures can be easier to circumvent, be costly to the organization if there is turnover in personnel, and can reduce accountability. When subject to external party review, policies and procedures would be expected to be formally documented.24
But whether or not a policy is in writing, it must establish clear responsibility and accountability, which ultimately resides with the management of the entity and subunit where the risk resides. Procedures should be clear on the responsibilities of personnel performing the control activity. Also, policies need to be deployed thoughtfully and conscientiously, and the related procedures must be timely and be performed diligently and consistently by competent personnel.
Timeliness
The procedures should include the timing of when a control activity and any follow-up corrective actions are performed. Untimely procedures can reduce the usefulness of the control activity. For example, a regular review of user accounts for inappropriate access rights is conducted by the business process owner on a timely basis to reduce the risk of unauthorized access to an acceptable level. Longer intervals between reviews increase the potential for untimely detection of unauthorized access.
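The user access review above is a control that can be mechanized. The following is an added example, not text or code from the Framework: a review that compares each active account's rights against a role baseline, flags reviews that have slipped past the agreed interval, and reports how long each inappropriate right has been in place and whether the previous review should already have caught it. The role names, rights, users, dates and the interval are constructed assumptions for illustration.

```python
"""Added example (not part of the COSO Framework text): a periodic user access
review that compares each active account's rights against a role baseline,
flags reviews that have slipped past the agreed interval, and reports how
long an inappropriate right has been in place. Role names, rights, users
and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date

# Hypothetical role baseline: the rights each job role is expected to hold.
ROLE_BASELINE = {
    "clerk": {"ledger:read", "ledger:post"},
    "manager": {"ledger:read", "ledger:post", "ledger:approve"},
    "auditor": {"ledger:read"},
}


@dataclass
class Account:
    user: str
    role: str
    rights: dict         # right name -> date the right was granted
    last_reviewed: date  # date of the most recent completed access review
    active: bool = True


def excess_rights(account, baseline=ROLE_BASELINE):
    """Rights the account holds that its role baseline does not warrant."""
    expected = baseline.get(account.role, set())
    return {r: granted for r, granted in account.rights.items() if r not in expected}


def run_review(accounts, today, interval_days, baseline=ROLE_BASELINE):
    """Perform the review as of `today` and return a list of findings.

    A review is overdue when more than interval_days have elapsed since the
    last one. An excess right is reported with its exposure (days since the
    grant) and whether it predates the last review, i.e. whether the prior
    review should already have caught it (a review performed by rote)."""
    findings = []
    for a in accounts:
        if not a.active:
            continue  # disabled accounts are out of scope for this control
        since_review = (today - a.last_reviewed).days
        if since_review > interval_days:
            findings.append({"user": a.user, "kind": "review_overdue",
                             "days_since_review": since_review})
        for right, granted in sorted(excess_rights(a, baseline).items()):
            findings.append({"user": a.user, "kind": "excess_right", "right": right,
                             "exposure_days": (today - granted).days,
                             "missed_by_prior_review": granted < a.last_reviewed})
    return findings


# Constructed sample: four accounts as of the review date below.
TODAY = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("alice", "clerk", {"ledger:read": date(2023, 1, 10),
                              "ledger:post": date(2023, 1, 10)}, date(2024, 3, 1)),
    # approve was granted before the 1 March review and is still present
    Account("bob", "clerk", {"ledger:read": date(2023, 1, 10),
                            "ledger:post": date(2023, 1, 10),
                            "ledger:approve": date(2024, 2, 15)}, date(2024, 3, 1)),
    # auditor last reviewed in December; gained a posting right since then
    Account("carol", "auditor", {"ledger:read": date(2023, 6, 1),
                                "ledger:post": date(2024, 3, 20)}, date(2023, 12, 1)),
    Account("dave", "manager", {"ledger:read": date(2022, 1, 1),
                               "ledger:post": date(2022, 1, 1),
                               "ledger:approve": date(2022, 1, 1)}, date(2022, 1, 1),
            active=False),
]

if __name__ == "__main__":
    for finding in run_review(SAMPLE_ACCOUNTS, TODAY, interval_days=30):
        print(finding)
```

Running the sample with a 30-day interval reports carol's review as 121 days overdue and her posting right as 11 days exposed; widening the interval to 180 days makes the overdue finding disappear while the exposure stays, which is the point of the paragraph: the interval bounds how long an unauthorized right can sit undetected. Bob's approve right predates his 1 March review and is still there, which the output marks as missed by the prior review, the "performed by rote" failure discussed under Competence.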
Corrective Action
In conducting a control activity, matters identified for follow-up should be investigated and, if appropriate, corrective action taken. For example, consider a case where a reconciliation of cash accounts detects a discrepancy in one of the accounts. The accounting clerk follows up with the person in charge of recording cash and determines that a cash receipt was not posted properly. The receipt is reapplied and the correction is reflected in the reconciliation.
Competence
A well-designed control activity generally cannot be conducted without competent personnel with sufficient authority to perform the control activity. The level of competency required to perform a control activity will depend on factors such as the complexity of the control activity and the complexity and volume of the underlying transactions. Furthermore, a procedure will not be useful if performed by rote, without a sharp, continuing focus on the risks to which the policy is directed. Sufficient authority may be needed to fully perform all aspects of the control such as taking corrective action.
Periodic Reassessment
Management should periodically reassess policies and procedures and related control activities for continued relevance and effectiveness, independently of any response to significant changes in the entity’s risks or objectives.
Significant changes would be evaluated through the risk assessment process. Changes in people, process, and technology may reduce the effectiveness of control activities or make some control activities redundant. Whenever one of these changes occurs, management should reassess the relevance of the existing controls and refresh them when necessary. For example, management may upgrade the purchasing module of an ERP system and introduce automated transaction control activities that cause the old manual control activities to be redundant and, hence, no longer necessary.
Footnotes
14 The term “transactions” tends to be associated with financial processes (e.g., payables transactions), while “activities” is more generally applied to operational or compliance processes. For the purposes of the Framework, the term “transactions” applies to both.
15 The term “transaction controls” is used in the Framework to refer to both manual and automated controls.
16 While related in concept and terminology, information-processing objectives and financial statement assertions are different. Financial statement assertions are specific to the reliability of financial reporting, while information-processing objectives apply to transaction processing.
17 Information-processing objectives refers to an entity’s goals for control activities and thus are sub-objectives in the context of a system of internal control.
18 Supervisory reviews can be either control activities or monitoring activities. The difference is discussed further in Chapter 9, Monitoring Activities.
19 “Technology” is a broad term. In the Framework its use applies to technology that is computerized, including software applications running on a computer, manufacturing controls systems, etc.
20 Business performance reviews can be either control activities or monitoring activities. The difference is discussed further in Chapter 9, Monitoring Activities.
21 The Framework prefers the term “alternative controls” over “compensating controls.” The latter term has been used to describe additional control activities put in place when segregation of duties could not be achieved. However, this term has evolved to refer to control activities that mitigate the impact of an identified control deficiency when evaluating the operating effectiveness of controls and is used in this context in the Framework.
22 Terminology typically used to describe these controls includes “general computer controls,” “general controls,” or “information technology controls.” The term “technology general controls” is used here to refer to “general control activities over technology.”
23 There are many names for this process. One common name is “systems development life cycle” (SDLC).
24 See the discussion on documentation in Chapter 4, Additional Considerations.