Embedded within the internal control process are controls, which consist of policies and procedures. Policies reflect management or board statements of what should be done to effect control. Procedures are actions that implement policies. Organizations select and develop controls within each component to effect relevant principles. Controls are interrelated and may support multiple objectives and principles.

The Framework does not prescribe specific controls that must be selected, developed, and deployed for an effective system of internal control. That determination is a function of management judgment based on factors unique to each entity, such as:

Management is expected to obtain persuasive evidence to support its determination that components and relevant principles are present and functioning. Management considers controls in conjunction with its assessment of components and relevant principles. Understanding how controls effect principles through their selection, development, and deployment can provide persuasive evidence to support management's assessment of whether the entity's system of internal control is effective. The absence of controls necessary to effect relevant principles would represent an internal control deficiency. The Framework allows judgment in assessing the potential impact of a control deficiency on the presence and functioning of a relevant principle. Management may consider other controls (whether or not associated with that particular component or principle) that compensate for an internal control deficiency.