COSO Committee of Sponsoring Organizations of the Treadway Commission
Chapter Summary
Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
Principles relating to the Control Activities component
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The following points of focus highlight important characteristics relating to this principle.
- Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
- Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
- Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
- Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
- Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity.
- Addresses Segregation of Duties—Management segregates incompatible duties, and where such segregation is not practical, selects and develops alternative control activities.
Points of focus addressed: Integrates with Risk Assessment; Considers Entity-Specific Factors; Determines Relevant Business Processes
Once risks have been identified and mapped to relevant financial statements assertions, management determines relevant business processes and selects and develops control activities to address each risk. Management involves relevant stakeholders to identify the appropriate control activities. This includes those individuals responsible for the risks in their areas, finance personnel responsible for financial reporting, and other control experts, such as internal auditors or others who have relevant specialized knowledge. A centralized group responsible for financial reporting or control activities periodically reviews the risk control matrices to help ensure that the entity's financial reporting risks are being addressed.
The selection and development of control activities is achieved through various methods, which may include the following:
- Using matrices to map identified risks to control activities
- Holding workshops to identify appropriate control activities for each identified risk
- Using an inventory of control activities, tailoring them as appropriate
Management considers the segregation of duties and a mix of transaction control activities and business process reviews. Management considers using automated controls whenever the systems in place make it possible. These are supplemented by manual control activities where automated controls are not available.
A multi-million-dollar consumer products company, Prescott International, holds a number of workshops to select and develop appropriate control activities for each identified risk relating to financial statement assertions for revenue recognition. The meetings are attended by employees from various departments—credit, shipping, billing, and customer service—who review the list of activities and link them to risks identified in the company's risk assessment.
After these workshops, Prescott International is able to select and develop policies and procedures appropriate to its business. The controller reviews the matrix of control activities and risks in order to identify any potential risks not previously noted, recommend additional control activities if necessary, and remove unnecessary control activities.
A multi-million-dollar manufacturer of sporting goods equipment, Go Rite Sports, develops a matrix in conjunction with its risk assessment process. The matrix sets out:
- Financial reporting objectives and relevant assertions
- Identified risks
- Control activities
Matters such as general ledger maintenance, accruals, management estimates and reserves, period-end close and consolidation procedures, financial statement preparation, and regulatory filings and disclosures are all considered when building the matrix. The risks and controls are described in sufficient detail in the matrix to allow Go Rite's management and others to evaluate whether, if implemented and operating as intended, these actions can sufficiently mitigate the financial reporting risks. As part of this evaluation, management reviews the type of control activity (e.g., preventive versus detective, manual versus automated) to determine if the mix is appropriate. The following illustration is an excerpt of one of Go Rite's risk and control matrices with accompanying flowchart. fn 16
Extract of Procure to Pay Business Process Flowchart
Extract of Procure to Pay Risk and Controls Matrix
Control | Financial Risk(s) | F/S Assertions (note 1) | Control Level | Frequency of Control | Control Description | Manual/Automated/ IT Dependent Manual | Preventive/ Detective | Information Processing Objective (note 2) |
---|---|---|---|---|---|---|---|---|
A | Orders are not accurate | V | Transaction Level | Multiple times per day | During the purchase order (PO) creation the system performs edit checks (autopopulated fields, format checks and use of drop-down lists) of the relevant data fields and auto-populates vendor and item details using the vendor and item master file respectively. The system populates price in the purchase order from the approved master file based on the product entered. | Automated | Preventive | A,V |
B | Orders are from an unapproved vendor | E/O | Transaction Level | Multiple times per day | The system blocks POs not using an approved vendor and items from the related master file. Blocked POs are included in the PO exception report that is reviewed daily by the purchasing manager who works with the purchasing agent to either correct or cancel the PO. | Automated | Preventive | A,V |
C | Order prices are inaccurate | V | Transaction Level | Multiple times per day | Manually entered PO prices outside those specified in the approved master file must be reviewed and approved in the system by the purchasing manager for processing to continue. Rejected POs are canceled in the system. | Manual | Preventive | A,V |
D | Orders are inaccurate or not valid | V, E/O | Transaction Level | Multiple times per day | Purchase orders (POs) must be approved by the appropriate buyer who is in charge of signing the PO. The buyer reviews the PO for various items, including any items out of policy, such as excessive price discounts, inaccurate calculations, and amounts over the purchasing agent's authorization limits, etc. | Manual | Preventive | A,V |
E | Invoice processing is inaccurate or not valid | V, E/O, R&O | Transaction Level | Multiple times per day | The system performs a three-way match by comparing pertinent data (e.g., price, quantity) between the purchase order, invoice, and receiving document. As part of the three-way match the mathematical accuracy of the incoming invoice is checked. Invoice processing is blocked when differences exceed a predetermined threshold. Blocked invoices are included in the matching exception report that is reviewed daily by the payables manager who investigates and resolves the issue. | Automated | Preventive | A,V |
Note 1: E/O = Existence/Occurrence; C = Completeness; V = Valuation/Allocation; R&O = Rights and Obligations
Note 2: C = Completeness; A = Accuracy; V = Validity
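Control E in the matrix above is an automated preventive control: the system compares purchase order, receiving document and invoice, checks the invoice's own arithmetic, blocks invoices whose differences exceed a predetermined threshold, and lists them on a daily exception report for the payables manager. The following is an added example written for this page to show how such a match and exception report behave on realistic documents; it is not Go Rite's or COSO's code. The 2% price tolerance, the rounding tolerance, the record layouts and the sample documents are all constructed assumptions.

```python
"""Three-way match (PO, receiving document, invoice) with an exception report.
Added illustration for this page; thresholds and record layouts are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    unit_price: float
    quantity: int


@dataclass
class ReceivingDocument:
    po_number: str
    quantity_received: int


@dataclass
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    unit_price: float
    quantity: int
    total: float  # amount printed on the invoice; checked arithmetically below


@dataclass
class MatchResult:
    invoice_number: str
    blocked: bool
    reasons: list[str] = field(default_factory=list)


# Assumed thresholds (the page only says "a predetermined threshold"):
# a unit-price variance of up to 2% of the PO price is tolerated, quantity
# differences are not, and the invoice total may be off only by rounding.
PRICE_TOLERANCE = 0.02
ARITHMETIC_TOLERANCE = 0.01


def three_way_match(invoice, purchase_orders, receipts):
    """Compare one invoice with its PO and receiving document.

    purchase_orders and receipts are dicts keyed by PO number. Any difference
    beyond the tolerances blocks the invoice; the reasons list is what the
    payables manager sees on the exception report.
    """
    reasons = []
    po = purchase_orders.get(invoice.po_number)
    rcv = receipts.get(invoice.po_number)
    if po is None:
        reasons.append(f"no purchase order {invoice.po_number} on file")
    else:
        if invoice.vendor != po.vendor:
            reasons.append(f"vendor {invoice.vendor!r} differs from PO vendor {po.vendor!r}")
        if abs(invoice.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
            reasons.append(f"unit price {invoice.unit_price} outside tolerance of PO price {po.unit_price}")
    if rcv is None:
        reasons.append(f"no receiving document for {invoice.po_number} on file")
    elif invoice.quantity != rcv.quantity_received:
        reasons.append(f"invoiced quantity {invoice.quantity} != received quantity {rcv.quantity_received}")
    # Mathematical accuracy of the invoice itself, also part of control E.
    expected_total = round(invoice.unit_price * invoice.quantity, 2)
    if abs(expected_total - invoice.total) > ARITHMETIC_TOLERANCE:
        reasons.append(f"invoice total {invoice.total} does not equal {expected_total}")
    return MatchResult(invoice.invoice_number, blocked=bool(reasons), reasons=reasons)


def exception_report(invoices, purchase_orders, receipts):
    """Daily matching exception report: blocked invoices only, with reasons."""
    results = (three_way_match(inv, purchase_orders, receipts) for inv in invoices)
    return [r for r in results if r.blocked]


# Constructed sample documents (not real data).
SAMPLE_POS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Hops", 12.50, 100),
    "PO-1002": PurchaseOrder("PO-1002", "Valley Grain", 8.00, 50),
}
SAMPLE_RECEIPTS = {
    "PO-1001": ReceivingDocument("PO-1001", 100),
    "PO-1002": ReceivingDocument("PO-1002", 45),  # short shipment
}
SAMPLE_INVOICES = [
    Invoice("INV-A", "PO-1001", "Acme Hops", 12.50, 100, 1250.00),  # clean
    Invoice("INV-B", "PO-1002", "Valley Grain", 8.00, 50, 400.00),  # billed 50, received 45
    Invoice("INV-C", "PO-1001", "Acme Hops", 14.00, 100, 1400.00),  # price above tolerance
    Invoice("INV-D", "PO-1001", "Acme Hops", 12.50, 100, 1350.00),  # arithmetic error
    Invoice("INV-E", "PO-9999", "Acme Hops", 12.50, 10, 125.00),    # no PO or receipt
]

if __name__ == "__main__":
    for r in exception_report(SAMPLE_INVOICES, SAMPLE_POS, SAMPLE_RECEIPTS):
        print(r.invoice_number, "BLOCKED:", "; ".join(r.reasons))
```

Only the clean invoice passes; the other four land on the report with the specific difference that blocked them, which is the detail the daily review needs to correct or cancel each item.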
Indigo Brewing is a large global beer brewing company. It has created a standard inventory of risk and control activities that it uses as a basis for all its brewing subsidiaries. It created the inventory by customizing a generic inventory of brewing industry risks and control activities that it obtained from Risk Reverse Inc. with Indigo entity-specific considerations. Some of the entity-specific considerations include:
- Standard company-wide configurations for its enterprise resource planning (ERP) system
- Business performance reviews required of every business unit by corporate finance
- A baseline set of control activities to comply with Sarbanes-Oxley requirements
Following Indigo's recent acquisition of another brewery in China, management used the standard risk and control inventory to develop and select the necessary control activities. It customized this list based on the unique circumstances in the region and to suit the newly merged company, giving the functional leaders responsibility for addressing these risks by implementing control activities in their specific areas.
Points of focus addressed: Integrates with Risk Assessment; Considers Entity-Specific Factors; Determines Relevant Business Processes
The organization outsources some of its operations to a third party, which may or may not issue a "report on controls at a service organization" following an appropriate local or international standard. Although the organization may rely on an outsourced service provider to conduct processes, policies, and procedures on behalf of the entity, management retains ultimate responsibility for designing, implementing, and conducting an effective and efficient system of internal control.
Management obtains an understanding of the service organization's activities and whether those activities impact significant classes of transactions, accounts, or disclosures in the company's reporting process. In determining the significance of the service organization's processes to the financial statements, the entity considers the following factors:
- The significance of the transactions or information processed by the service organization to the entity's financial statements
- The risk of material omission and misstatement associated with the assertions affected by the processes of the service organization, including whether the activities involve assets that are susceptible to loss or misappropriation
- The nature and complexity of the services provided by the service organization and whether they are highly standardized and used extensively by many organizations or unique and used only by a few
- The extent to which the entity's processes and control activities interact with those of the service organization
- The entity's control activities that are applied to the transactions affected by the service organization's activities
- The terms of the contract between the entity and the service organization, and the degree to which authority is delegated to the service organization
If management determines that the service organization's processes are significant to internal control over external financial reporting, then it:
- Identifies the specific control activities performed by the service organization that are relevant to financial statement assertions, and/or
- Selects and develops control activities internally over the activities performed by the service organization.
If a report on controls at a service organization is available, management can use it to determine what financially significant processes are covered, whether appropriate control activities are in place, and what control activities are required in its own organization to address external financial reporting risks.
If an appropriate report does not exist, management can use the entity's own resources, such as internal audit, to review the control activities and ensure that any external financial reporting risks are mitigated by the combination of its own control activities and those of the service organization.
Green Grow Now is a 250-person company that packages and distributes organic produce. It uses a third-party service, Jennssen Inc., to process payroll, which is considered significant to the company's financial reporting because employee costs are a large part of Green Grow Now's expenses.
Jennssen Inc. engages a service auditor to audit its control activities over transaction initiation, processing, and recording, and to issue an SSAE 16 (SOC1) fn 17 report on controls. When Green Grow Now obtains the report, it assesses whether the described control objectives and control activities performed by Jennssen impact internal control over external financial reporting related to the existence, completeness, and valuation of payroll expense.
Green Grow Now considers the test results in the report and whether any exceptions have been identified. It also considers the period covered by the report and concludes that it needs additional evidence of the operation of control activities for the period not covered. The management communicates directly with Jennssen to inquire about any changes to its processes; Jennssen confirms in writing that no changes have been made.
Based on this information, Green Grow Now concludes that no further action is needed. It also reviews the control activities that it is expected to have in place in its own organization (as specified by the user control activities in the SSAE 16 report) to verify they are implemented and operating as intended.
Funnell Medi-Quip is a 500-person medical equipment manufacturer that decides to outsource its treasury function to a service organization, Oxford Financial Experts. A report on control activities is not available.
The management of Funnell Medi-Quip evaluates the nature of the control activities of Oxford Financial Experts and its own control activities over Oxford. The management team determines that the risk of material omission and misstatement associated with the financial statement assertions affected by the processes of Oxford is high. Funnell Medi-Quip concludes that additional information is needed to evaluate the design and operating effectiveness of Oxford's control activities. The management team performs tests at Oxford, using the internal audit group to verify that the control activities are implemented and operating as intended. Funnell also tests its own user control activities.
Points of focus addressed: Evaluates a Mix of Control Activity Types; Considers at What Level Activities Are Applied
Once risks have been identified and mapped to relevant financial statement assertions, management determines relevant business processes and selects and develops control activities to address each risk. Management considers using automated controls whenever the systems in place make it possible. These are supplemented by manual control activities when automated controls are not available. Management also considers a mix of transaction control activities and business performance reviews. In its selection and development of control activities, management considers the likelihood that a control might fail to operate effectively. In assessing the risk of failure, management assesses various factors, which may include:
- The type of control (i.e., manual or automated) and the frequency with which it operates
- The complexity of the control
- The risk of management override
- The degree of judgment required to operate the control
- The competence of the personnel who perform the control
- Any changes in key personnel who perform the control
- The nature and materiality of misstatements that the control is intended to prevent or detect
- The degree to which the control relies on the effectiveness of other controls (e.g., general technology controls)
- The evidence of the operation of the control from prior years
Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions, or critical accounting policies, will generally have higher risk for both material omission and misstatement to the financial reporting element and control failure. In these situations a combination of control activities is usually selected and developed by management to adequately address the risks of a financial reporting element.
During initial compliance efforts, EJ's Corporation faced uncertainty in determining how many controls were needed to achieve management's objectives. Amid such uncertainty, duplicate control activities were deployed. EJ's management is re-evaluating its existing controls to:
- Determine whether duplicate control activities can be eliminated
- Identify opportunities to implement preventive control activities earlier in the business process and balance them with downstream detective control activities
- Where possible, automate controls and eliminate manual control activities
In balancing its control activities within the processing of journal entries in the financial reporting cycle, EJ's Corporation focuses on the following preventive control activities:
- Restricted Access—Ensuring that different people initiate, approve, and record key transactions such as manual journal entries.
- Authorization, Approval, Verification—Clearly defining lines of responsibility and expectations with written job descriptions. Setting limits for the authorization of journal entries by job function in excess of a specified limit; controlling access to the general ledger software program through passwords, access codes, and program permission; and requiring a senior-level individual to review supporting documents to verify that journal entries are appropriate, valid, and in agreement with the company's policies.
The following detective control activities complement these control activities:
- Reconciliation—Performing regular, independent comparison of different sets of data to identify and investigate any discrepancies
- Monitoring and Performance Reviews—Regularly comparing reported results to budgets, forecasts, prior periods, and other benchmarks to identify unexpected results or unusual relationships that require additional follow-up.
As part of its regular assessment of control activities, Mountain High University reviews the mix of preventive and detective control activities and finds a high proportion of detective control activities. This high proportion of detective control activities is making the processing of transactions slow, labor intensive, and error prone, because a considerable amount of time is spent fixing errors that occurred earlier in the process. To address the problems, management implements more preventive controls earlier in the process, through automated controls such as edit checks and automated data verification, and through review and approval controls at transaction initiation, to reduce the number of errors that need to be detected and corrected after transactions are processed.
The senior management of Zephyr Corp., a multinational consumer products company, reviews the monthly and quarterly income statement and balance sheet analysis in order to prevent or detect on a timely basis material omission and misstatements to one or more financial statement assertions. This analysis compares the current year results against prior year actual results, the current year budget, and the latest forecast. It also includes key performance indicators such as gross margin, accounts receivable, inventory turnover days, and return on equity.
To begin the analysis, the CFO of each of the company's five business units reviews the balance sheet and income statement in detail to identify and explain any variances from budget and prior year actual results over a predetermined threshold (which varies by business unit). The threshold, which ranges from 5% to 10% of pre-tax income, has been developed by senior management to help detect potentially material differences considering the following factors:
- Significance of the business unit in relation to the group
- The nature of assets and liabilities and transactions executed at the business unit, including significant transactions or initiatives undertaken outside the normal course of business
- Specific risks associated with the business unit
- Degree of centralization of processes and financial reporting applications
- The effectiveness of the control environment at the business unit
- Results of past monitoring activities by the company
- Potential for error to exist at the business unit
The analysis is then submitted to Zephyr's corporate center for review. Senior management holds monthly meetings with representatives from each business unit (usually a business unit CFO) to understand why there are significant differences exceeding the predefined thresholds and to determine whether corrective action is necessary.
Finance management at the Judge Mint Company (JMC) is responsible for preparing accounting estimates relating to the valuation of trade receivables on a monthly and quarterly basis. Management estimates the underlying allowance for uncollectible receivables considering:
- Historical percentages of uncollectible receivables to total receivables
- Historical collections and write-offs relating to customers with specific receivables outstanding at period end
- Judgments relating to customers’ ability and intent to pay
Management's assessment of customers’ ability and intent to pay outstanding receivables is subjective and susceptible to error. Accordingly, management selects, develops, and deploys a mix of control activities to help mitigate this valuation risk, including the following:
- The treasurer periodically reviews existing customers’ historical financial and credit information as provided by Dun & Bradstreet to identify any changes in the customers’ ability to pay.
- Automated preventive controls embedded within JMC's ERP system support the generation of sub-ledger reporting, including historical aging, collection, and write-off of receivables by customer, which provides a level of consistency for the completeness and accuracy of the reporting used in making estimates.
- Specific adjustments proposed by accounting personnel who are knowledgeable about customers must be supported by analyses including reasons for such adjustments (e.g., communications, disputes, payments, write-offs).
- The assistant controller approves proposed adjustments to the calculated preliminary estimate for specific uncollectible receivables based on review of supporting analyses and information.
- The controller assesses the reasonableness of the final estimate by reviewing the rationale supporting the selection of the historical percentage used to calculate the preliminary estimate and the rationale supporting any material adjustments, and considering the consistency with her knowledge of industry, business, and customer trends/events.
Gentry Co., a large decentralized industrial products company, has identified the account reconciliations part of the financial reporting process as a critical control activity for reducing the risk of material omission and misstatement in the financial statements. The number of accounts in the company's books has increased significantly over the years as new processes and transactions have been added, other entities have been formed or acquired, and the number of employees has grown. Today, a large volume of accounts are reconciled manually on a monthly basis, but this is a time-consuming process that is prone to error.
Gentry Co. is considering implementing account reconciliation software, which would help automate the process and allow Jeremy Brewster, who is responsible for the process, to spend more time on the more subjective and complex areas of account reconciliation.
Gentry has identified the following benefits that would arise out of using an automated account reconciliation tool:
- A continuous controls monitoring framework would be able to identify significant and material reconciling items, allowing management to quickly respond to potential issues.
- Adjusting entries would be identified and efficiently recorded, followed by a review by Mr. Brewster.
- Labor and cost would be reduced.
- Automation would integrate seamlessly with ledgers, sub-ledgers, and other financial systems.
- Exception management would reduce exposure to risk by establishing an action plan for all exception items.
- Reconciliation processes would be integrated into the email system, automating workflow.
Gentry Co. decides to implement a partial automated process. It uses both qualitative and quantitative factors to determine which reconciliations will be automated and which will continue to be manual. The factors considered favorable to automation include low complexity of transactions, absence of significant judgments and estimates, low number of manual journal entries and adjustments, low susceptibility of transactions to fraud, and high-volume, low-dollar value of transactions, combined with low degree of variation against the expected account balance.
Points of focus addressed: Addresses Segregation of Duties
Where resource or other constraints compromise the ability to appropriately segregate duties, management considers alternative control activities, such as timely periodic management reviews of reports that are prepared in sufficient detail for misstatements to be identified.
Example: Using Alternative Control Activities when Access to Purchasing Transactions Are Not Segregated fn 18
Luther Optical is a multi-million-dollar designer, manufacturer, and distributor of consumer and industrial optical products. There are two staff members in the purchasing department, each of whom is authorized to prepare, authorize, and issue purchase orders up to $5,000. Because no one reviews these purchase orders before they are sent to vendors, there is a risk that unintentional errors or intentional fraudulent acts will result in inventory valuation errors, obsolescence, or shortages due to diverted shipments. To reduce this risk to an acceptable level, management relies on a combination of control activities carried out by other staff members. These include, but are not limited to, the following:
- An inventory clerk documents and tracks all inventory levels, reducing the risk of obsolescence.
- An inventory receiving clerk evaluates, documents, and reports to management unusual inventory movement, such as excessive ordering that could lead to obsolescence.
- A payables clerk matches invoices to purchase orders and receiving reports before amounts are paid, reducing the risk of errors resulting from diverted shipments.
- A controller reviews exception reports of all inventory purchases with a price more than 10% above current average costing.
Points of focus addressed: Addresses Segregation of Duties
Using automated tools, organization charts, process flowcharts, or other means by which activities are documented, management identifies incompatibilities in functions that are needed to appropriately segregate duties. These incompatible functions are considered when developing or revising the policies for granting access to assets and systems. The policies are regularly updated to reflect changing responsibilities and activities.
Finansis Corporation is a manufacturer of bicycles that recently implemented an enterprise resource planning system but continues to use its legacy procurement application. Management has identified a risk that personnel perform incompatible functions across the entity's financial reporting systems, and in turn, have inappropriate access to those systems. The CFO, Steve Wu, has formed a task force of representatives from finance, accounting, operations, internal audit, compliance, and IT to review process flowcharts and procedure manuals and to assess the financial reporting risks of the same person being able to perform two incompatible functions (e.g., bill creation and payments). The task force has now created a matrix of incompatible functions across the financial reporting processes and assessed any business justification for the incompatibility. If the business justification is deemed valid, the task force evaluates the sufficiency of alternative controls selected, developed, and deployed. If the justification is found not valid or not existing, the task force develops a recommendation for the controller to implement a policy for segregating the functions.
Senior finance, operations, IT, internal audit, and compliance management have reviewed and approved the task force's recommendations. Commensurate with the policy changes, IT has updated access rights across the various systems. Control activities were selected and deployed to help ensure that the segregation of duties is maintained, including policies and procedures for user management and IT's review and approval of access requests. The policies also include the segregation of duties as criteria in the annual review of access rights performed by user management for each financial reporting relevant system.
Frencorp is a multi-billion-dollar public industrial products manufacturer. Recently it installed and configured a governance, risk, and compliance access management application. The purpose is to assess sensitive access and segregation-of-duty risks and conflicts during the development of security roles and the assignment of those roles to end users. The application allows Frencorp to define processes and transactions that should not be combined in a security role or assigned to the same end user. It prevents the assignment of any access that is deemed incompatible.
Furthermore, the application routinely scans security roles and end-user access, generates reports of access risks and conflicts, and routes the reports to the appropriate people for review. If a user requires access to conflicting transactions, the application recommends a mitigating control activity. Frencorp management's review of the access risks and conflicts reports and mitigating control activity decisions are logged in the application.
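The Finansis task force builds a matrix of incompatible functions and checks who can perform two of them, and the Frencorp application goes one step further by scanning security roles and end-user access against such a matrix, refusing incompatible assignments, and logging the mitigating control when a conflict is accepted. The following is an added example written for this page, not the code of either company or of any GRC product, that shows the mechanics of those three checks on a small constructed matrix: role design, effective user access across all roles, and a preventive assignment guard that honours logged mitigating controls. All function names, roles, users and conflicts are constructed.

```python
"""Segregation-of-duties checks against a matrix of incompatible functions.
Added illustration for this page; the matrix, roles and users are constructed."""
from itertools import combinations

# The SoD matrix: pairs of functions one person must not hold together.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_invoice", "approve_payment"}),
    frozenset({"create_po", "receive_goods"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Security roles and the business functions each grants (constructed).
ROLES = {
    "ap_clerk": {"create_invoice"},
    "ap_manager": {"approve_payment"},
    "buyer": {"create_po"},
    "warehouse": {"receive_goods"},
    "gl_accountant": {"post_journal"},
    "gl_superuser": {"post_journal", "approve_journal"},  # badly designed role
}


def conflicts_in(functions):
    """Return every incompatible pair present in a set of functions."""
    pairs = (frozenset(p) for p in combinations(sorted(functions), 2))
    return {p for p in pairs if p in INCOMPATIBLE}


def scan_roles(roles=ROLES):
    """Role-design check: roles that combine incompatible functions on their own."""
    return {name: conflicts_in(funcs) for name, funcs in roles.items() if conflicts_in(funcs)}


def effective_functions(user_roles, roles=ROLES):
    """Union of the functions granted by all of a user's roles."""
    return set().union(*(roles[r] for r in user_roles))


def scan_users(assignments, roles=ROLES, mitigated=None):
    """User-level check across combined roles.

    assignments maps user -> set of role names. mitigated maps user -> the
    conflict pairs for which management has reviewed and logged a mitigating
    control activity; those are excluded, everything else is reported as open.
    """
    mitigated = mitigated or {}
    report = {}
    for user, user_roles in assignments.items():
        found = conflicts_in(effective_functions(user_roles, roles))
        open_conflicts = found - mitigated.get(user, set())
        if open_conflicts:
            report[user] = open_conflicts
    return report


def can_assign(user, new_role, assignments, roles=ROLES, mitigated=None):
    """Preventive guard: True only if adding new_role leaves the user with no
    unmitigated conflict. Used before an access request is fulfilled."""
    trial_roles = set(assignments.get(user, set())) | {new_role}
    return user not in scan_users({user: trial_roles}, roles, mitigated)


# Constructed user-to-role assignments and one logged mitigating control.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"buyer", "warehouse"},          # open conflict: orders and receives goods
    "carol": {"ap_clerk", "ap_manager"},    # conflict, but mitigated below
    "dave": {"gl_accountant"},
}
MITIGATED = {
    # e.g. controller reviews all payments carol approves on her own invoices
    "carol": {frozenset({"create_invoice", "approve_payment"})},
}

if __name__ == "__main__":
    print("roles with built-in conflicts:", scan_roles())
    print("users with open conflicts:", scan_users(ASSIGNMENTS, mitigated=MITIGATED))
    print("grant ap_manager to alice?", can_assign("alice", "ap_manager", ASSIGNMENTS))
    print("grant buyer to dave?", can_assign("dave", "buyer", ASSIGNMENTS))
```

The two scans correspond to the application's periodic review of security roles and of end-user access, and the guard corresponds to it refusing an incompatible assignment; keeping the mitigating-control decisions in a separate, reviewed structure is what lets the user scan distinguish an accepted, documented conflict from an open one.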
fn 16 Note that this is an illustrative matrix and flowchart and does not represent a complete list of all financial risks and control activities in a typical purchasing and payables process.
fn 17 An independent auditor's report on the design and operating effectiveness of controls at a service organization
fn 18 This example is likely to be most relevant for smaller entities or the smaller sub-units of larger entities.
Copyright © 2013 – 2016 Committee of Sponsoring Organizations of the Treadway Commission and the American Accounting Association. All Rights Reserved. Use of materials is subject to COSO's Policy of Acceptable Use.