COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The following points of focus highlight important characteristics relating to this principle:
- Integrates with Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
- Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
- Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
- Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
- Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity.
- Addresses Segregation of Duties—Management segregates incompatible duties, and where such segregation is not practical management selects and develops alternative control activities.
Control activities support all the components of internal control, but are particularly aligned with the Risk Assessment component. Along with assessing risks, management identifies and puts into effect actions needed to carry out specific risk responses. Typically, control activities are not needed when an entity chooses to either accept or avoid a specific risk. There may, however, be instances where the organization decides to avoid a risk and chooses to develop control activities to avoid that risk. The action to reduce or share a risk serves as a focal point for selecting and developing control activities. The nature and extent of the risk response and any associated control activities will depend, at least in part, on the desired level of risk mitigation acceptable to management.
Control activities are those actions that help ensure that responses to assessed risks, as well as other management directives such as establishing standards of conduct in the control environment, are carried out properly and in a timely manner. For example, suppose a company sets an operations objective "to meet or exceed sales targets for the ensuing reporting period," and management identifies a risk that the organization's personnel have insufficient knowledge about current and potential customers’ needs. Management's response to address this identified risk includes developing buying histories for existing customers and undertaking market research initiatives to increase the organization's understanding of how to attract potential customers. Control activities might include tracking the progress of the development of the customer buying histories against established timetables, and taking steps to help ensure the quality of the reported marketing data.
When determining what actions to put in place to mitigate risk, management considers all aspects of the entity's internal control components and the relevant business processes, information technology, and locations where control activities are needed. This may require considering control activities outside the operating unit, including shared service or data centers, and processes or functions performed in outsourced service providers. For example, entities may need to establish control activities to address the integrity of the information sent to and received from the outsourced service provider.
Because each entity has its own set of objectives and implementation approaches, there will be differences in objectives, risk, risk responses, and related control activities. Even if two entities have identical objectives and structures, their control activities could be different. Each entity is managed by different people with different skills who use individual judgment in effecting internal control. Moreover, controls reflect the environment and industry in which an entity operates, as well as the complexity of its organization, its history and its culture, nature, and scope of operations.
Entity-specific factors can impact the control activities needed to support the system of internal control. For instance:
- The environment and complexity of an entity, and the nature and scope of its operations, both physically and logically, affect its control activities.
- Highly regulated entities generally have more complex risk responses and control activities than less-regulated entities.
- The scope and nature of risk responses and control activities for multinational entities with diverse operations generally address a more complex internal control structure than those of a domestic entity with less-varied activities.
- An entity with a sophisticated enterprise resource planning (ERP) system will have different control activities than an entity that uses an off-the-shelf computer accounting system.
- An entity with decentralized operations and an emphasis on local autonomy and innovation presents different control circumstances than another whose operations are constant and highly centralized.
Business processes are established across the entity to enable organizations to achieve their objectives. These business processes may be common to all businesses (such as purchasing, payables, or sales processing) or unique to a particular industry (such as claims processing, trust services, or drilling operations). Each of these processes transforms inputs into outputs through a series of transactions or activities. fn 14 Control activities that directly support the actions to mitigate transaction processing risks in an entity's business processes are often called "application controls" or "transaction controls." fn 15
Transaction controls are the most fundamental control activities in an entity since they directly address risk responses in the business processes in place to meet management's objectives. Transaction controls are selected and developed wherever the business process may reside, ranging from the organization's financial consolidations process at the entity level to the customer support process at a particular operating unit.
A business process will likely cover many objectives and sub-objectives, each with its own set of risks and risk responses. A common way to consolidate these business process risks into a more manageable form is to group them according to information-processing objectives fn 16 of completeness, accuracy, and validity.
The following information-processing objective definitions are used in the Framework. fn 17
- Completeness—Transactions that occur are recorded. For instance, an organization can mitigate the risk of not processing all transactions with vendors by selecting actions and transaction controls that support all invoice transactions being processed within the accounts payable business process.
- Accuracy—Transactions are recorded at the correct amount in the right account (and on a timely basis) at each stage of processing. For instance, transaction controls over data elements and master data, such as the item price in the vendor master file, can address the accuracy of processing a purchasing transaction. Accuracy in the context of an operational process can be defined to cover the broader concept of quality (e.g., the accuracy and precision of a manufactured part).
- Validity—Recorded transactions represent economic events that actually occurred and were executed according to prescribed procedures. Validity is generally achieved through control activities that include the authorization of transactions as specified by an organization's established policies and procedures (i.e., approval by a person having the authority to do so). In an operational context, the parts used in making an automobile are obtained from an authorized supplier.
The risk of untimely transaction processing may be considered a separate risk or included as part of the completeness or accuracy information-processing objective. Restricted access is an important consideration for most business processes and is often included as an information-processing objective because without appropriately restricting access over transactions in a business process, the control activities in that business process can be overridden and segregation of duties may not be achieved.
Restricted access is especially important where technology is integral to an organization's processes or business. For example, many organizations use ERP applications. Configuring the security in these applications to address restricted access can become very complex and requires technical knowledge and a structured approach. Considerations for restricted access are discussed in more detail under the Security Management Processes section of Principle 11.
While the information-processing objectives are most often associated with financial processes and transactions, the concept can be applied to any activity in an organization. For instance, a candy maker will strive to have control activities in place to help ensure that all the ingredients are included in its cooking process (completeness), in the right amounts (accuracy), and from approved vendors whose products passed quality testing (validity).
As another example, the information-processing objectives and related control activities also apply to management's decision-making processes over critical judgments and estimates. In this situation, management should consider the completeness of the identification of significant factors affecting estimates for which it must develop and support assumptions. Similarly, management should consider the validity and reasonableness of those assumptions and the accuracy of its estimation models.
This does not mean that if management considers the information-processing objectives the organization will never make a faulty judgment or estimate; judgments and estimates are always subject to human error. However, when appropriate control activities are in place, and the information management uses is, in its judgment, accurate, complete, and valid, then the likelihood of better decision making is improved.
A variety of transaction control activities can be selected and developed, including the following:
- Authorizations and Approvals—An authorization affirms that a transaction is valid (i.e., it represents an actual economic event or is within an entity's policy). An authorization typically takes the form of an approval by a higher level of management or of verification and a determination if the transaction is valid. For example, a supervisor approves an expense report after reviewing whether the expenses seem reasonable and within policy. An example of an automated approval is where an invoice unit cost is automatically compared with the related purchase order unit cost within a pre-established tolerance level. Invoices within the tolerance level are automatically approved for payment. Those invoices outside the tolerance level are flagged for additional investigation.
- Verifications—Verifications compare two or more items with each other or compare an item with a policy, and perform a follow-up action when the two items do not match or the item is not consistent with policy. Examples include computer matching or a reasonableness check. Verifications generally address the completeness, accuracy, or validity of processing transactions.
- Physical Controls—Equipment, inventories, securities, cash, and other assets are secured physically (e.g., in locked or guarded storage areas with physical access restricted to authorized personnel) and are periodically counted and compared with amounts shown on control records.
- Controls over Standing Data—Standing data, such as the price master file, is often used to support the processing of transactions within a business process. Control activities over the processes to populate, update, and maintain the accuracy, completeness, and validity of this data are put in place by the organization.
- Reconciliations—Reconciliations compare two or more data elements and, if differences are identified, action is taken to bring the data into agreement. For example, a reconciliation is performed over daily cash flows with net positions reported centrally for overnight transfer and investment. Reconciliations generally address the completeness and/or accuracy of processing transactions.
- Supervisory Controls—Supervisory controls assess whether other transaction control activities (i.e., particular verifications, reconciliations, authorizations and approvals, controls over standing data, and physical control activities) are being performed completely, accurately, and according to policy and procedures. Management normally uses judgment to select and develop supervisory controls over higher risk transactions. For instance, a supervisor may review fn 18 whether an accounting clerk performs a reconciliation according to policy. This can be a high-level review (e.g., checking if the reconciliation spreadsheet has been completed) or a more detailed review (e.g., checking to see if any reconciling items have been followed up and corrected or an appropriate explanation is provided).
Control activities can be preventive or detective, and organizations usually select a mix. The major difference is the timing of when the control activity occurs. A preventive control is designed to avoid an unintended event or result at the time of initial occurrence (e.g., upon initially recording a financial transaction or upon initiating a manufacturing process). A detective control is designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded (e.g., issuing financial reports or completing a manufacturing process). In both cases the critical part of the control activity is the action taken to correct or avoid an unintended event or result.
When selecting and developing control activities, the organization considers the precision of the control activity—that is, how exact it will be in preventing or detecting an unintended event or result. For example, suppose the purchasing manager of a company reviews all purchases over $1 million. This control activity may mitigate the risk of errors over $1 million, helping to cap the entity's exposure, but it does not cover all transactions. In contrast, an automated edit check that compares prices on all purchase orders to the price master file and produces a report of variances that is reviewed by a purchasing supervisor addresses accuracy for all transactions. Control activity precision is closely linked to the organization's risk tolerance for a particular objective (i.e., the tighter the risk tolerance, the more precise the actions to mitigate the risk and the related control activities need to be).
When selecting and developing control activities it is important to understand what a particular control is designed to accomplish (i.e., the specific risk response the control addresses) and whether it has been developed and implemented as designed to mitigate the risk. For example, in one entity sales orders undergo an automated or manual edit check that matches a customer's billing address and zip code to information in a standing data file of valid customer relationships. If the match fails, corrective action is taken. This control activity helps achieve the accuracy information-processing objective.
However, it does not help achieve the completeness information-processing objective (i.e., whether all approved sales orders are being processed). Another control activity, such as sequentially numbering approved sales orders and then checking if all have been processed, would be needed to address completeness.
Control activities and technology fn 19 relate to each other in two ways:
- Technology Supports Business Processes—When technology is embedded into the entity's business processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk that the technology itself will not continue to operate properly to support the achievement of the organization's objectives.
- Technology Used to Automate Control Activities—Many control activities in an entity are partially or wholly automated using technology. These procedures are known as automated control activities or automated controls in the Framework. Automated controls include financial process–related automated transaction controls, such as a three-way match performed within an ERP system supporting the procurement and payables sub-processes, and computerized controls in operational or compliance processes, such as checking the proper functioning of a power plant. Sometimes the control activity is purely automated, such as when a system detects an error in the transmission of data, rejects the transmission, and automatically requests a new transmission. Other times there is a combination of automated and manual procedures. For example, the system automatically detects the error in transmission, but someone has to manually initiate the re-transmission. In other cases, a manual control depends on information from a system, such as computer-generated reports supporting a budget-to-actual analysis.
Most business processes have a mix of manual and automated controls, depending on the availability of technology in the entity. Provided that the technology general controls discussed later in this chapter are implemented and operating, automated controls tend to be more reliable than manual ones, since they are less susceptible to human judgment and error, and they are typically more efficient.
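The two automated transaction controls the text names, the tolerance-based invoice approval under Authorizations and Approvals and the three-way match of purchase order, goods receipt and invoice, together with the sequence check for completeness mentioned earlier, look like this in code. This is an added illustration, not code from the Framework or from any ERP product; the 2% tolerance, the record layouts and every order, receipt and invoice below are constructed assumptions.

```python
"""Automated transaction controls: a three-way match with a unit-cost
tolerance (automated approval) and a sequence-gap check (completeness).
Added example; all records below are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    quantity: int
    unit_cost: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    quantity_billed: int
    unit_cost: Decimal


# Assumed policy value: invoices within 2% of the PO unit cost auto-approve.
PRICE_TOLERANCE = Decimal("0.02")


def three_way_match(invoice, orders, receipts, tolerance=PRICE_TOLERANCE):
    """Compare an invoice against its purchase order and goods receipts.

    Returns ("approved", []) when the invoice is within policy, otherwise
    ("flagged", reasons) so a person investigates. A missing PO is a
    validity failure; quantity and price mismatches are accuracy failures.
    """
    reasons = []
    po = orders.get(invoice.po_number)
    if po is None:
        # Validity: no authorized purchase order backs this invoice.
        return "flagged", [f"no purchase order {invoice.po_number}"]
    received = sum(r.quantity_received for r in receipts
                   if r.po_number == invoice.po_number)
    if invoice.quantity_billed > received:
        reasons.append(f"billed {invoice.quantity_billed}, received {received}")
    if invoice.quantity_billed > po.quantity:
        reasons.append(f"billed {invoice.quantity_billed}, ordered {po.quantity}")
    if po.unit_cost == 0:
        # Avoid a division by zero; a zero-cost PO with a priced invoice is suspect.
        if invoice.unit_cost != 0:
            reasons.append("PO unit cost is zero; cannot compute variance")
    else:
        variance = abs(invoice.unit_cost - po.unit_cost) / po.unit_cost
        if variance > tolerance:
            reasons.append(
                f"unit cost variance {variance:.1%} exceeds {tolerance:.0%}")
    return ("flagged", reasons) if reasons else ("approved", [])


def missing_sequence_numbers(processed, first, last):
    """Completeness: approved orders numbered first..last never processed."""
    return sorted(set(range(first, last + 1)) - set(processed))


# Constructed sample data.
ORDERS = {
    "PO-100": PurchaseOrder("PO-100", 10, Decimal("10.00")),
    "PO-101": PurchaseOrder("PO-101", 5, Decimal("200.00")),
}
RECEIPTS = [GoodsReceipt("PO-100", 10), GoodsReceipt("PO-101", 5)]
INVOICES = [
    Invoice("INV-1", "PO-100", 10, Decimal("10.15")),  # 1.5% over: within tolerance
    Invoice("INV-2", "PO-100", 10, Decimal("10.30")),  # 3% over: flagged
    Invoice("INV-3", "PO-999", 1, Decimal("50.00")),   # no PO: flagged
    Invoice("INV-4", "PO-101", 6, Decimal("200.00")),  # billed more than received
]


def run_example():
    """Apply both controls to the sample data; returns a dict of outcomes."""
    results = {inv.invoice_number: three_way_match(inv, ORDERS, RECEIPTS)[0]
               for inv in INVOICES}
    results["missing_orders"] = missing_sequence_numbers(
        [1001, 1002, 1004, 1005], first=1001, last=1006)
    return results


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Two caveats a practitioner would add: the match above checks each invoice in isolation, so two invoices that each bill the full received quantity on the same PO both pass; a production control must also compare cumulative billing against cumulative receipts. And the control is only as reliable as the purchase order and receipt records it reads, which is why the text ties the reliability of automated controls to the technology general controls discussed later in the chapter.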
In addition to controls that operate at the transaction-processing level, the organization selects and develops a mix of control activities that operate more broadly and that typically take place at higher levels in the organization. These broader control activities usually are business performance or analytical reviews fn 20 involving comparisons of different sets of operating or financial data. The relationships are analyzed and investigated and corrective actions are taken when not in line with policy or expectations. Transaction controls and business performance reviews at different levels work together to provide a layered approach to addressing the organization's risks and are integral to the mix of controls within the organization.
For example, an operating unit may have business performance reviews over the procurement process that include purchase price variances, the percentage of orders that are rush purchase orders, and the percentage of returns to total purchase orders. By investigating any unexpected results or unusual trends, management may detect circumstances where the underlying procurement objectives may not have been achieved.
Another form of business performance review occurs when senior management conducts reviews of actual performance versus budgets, forecasts, prior periods, and competitor results. Major initiatives are tracked—such as marketing programs, improvements to production processes, and cost containment or reduction programs—to measure the extent to which targets are being reached. Management reviews the status of new product development, joint venture opportunities, or financing needs. Management actions taken to analyze and follow up on such reporting are control activities.
The scope of a business performance review (i.e., how many detailed risks it covers) will tend to be greater than for a transaction control. Also, the span of the review across the organization will tend to be greater as a business performance review is usually performed at higher levels in the organization than a transaction control. However, to effectively respond to a set of risks, the review must be precise enough to detect all errors that exceed the risk tolerance. A transaction control may address a single specific risk, whereas an operating unit business performance review typically addresses a number of risks. For example, the business performance review over rush purchase orders covers several risks in the procurement process but may not address risks concerning the accuracy and completeness of processing specific transactions.
Most business performance reviews are detective in nature because they typically occur after transactions have already taken place and been processed. So while higher-level controls are important in the mix of control activities, it is difficult to fully and efficiently address business process risks without transaction controls.
When selecting and developing control activities management should consider whether duties are divided or segregated among different people to reduce the risk of error or inappropriate or fraudulent actions. Such consideration should include the legal environment, regulatory requirements, and stakeholder expectations. This segregation of duties generally entails dividing the responsibility for recording, authorizing, and approving transactions, and handling the related asset. For instance, a manager authorizing credit sales is not responsible for maintaining accounts receivable records or handling cash receipts. If one person is able to perform all these activities he or she could, for example, create a fictitious sale that could go undetected. Similarly, salespersons should not have the ability to modify product price files or commission rates. A control activity in this area could include reviewing access requests to the system to determine whether segregation of duties is being maintained. For example, a request for a salesperson to have system access to modify product price files or commission rates should be rejected.
The segregation of duties can address important risks relating to management override. Management override circumvents existing controls and is an often-used means of committing fraud. The segregation of duties is fundamental to mitigating fraud risks because it reduces, but can't absolutely prevent, the possibility of one person acting alone. However, there is always the risk that management can override control activities. Collusion is needed to perform fraudulent activities when key process responsibilities are divided between at least two employees. Also, the segregation of duties reduces errors by having more than one person performing or reviewing transactions in a process, increasing the likelihood of an error being found.
However, sometimes segregation is not practical, cost effective, or feasible. For instance, small companies may lack sufficient resources to achieve ideal segregation, and the cost of hiring additional staff may be prohibitive. In these situations, management institutes alternative fn 21 control activities. In the example above, if the salesperson can modify product price files, a detective control activity can be put in place to have personnel unrelated to the sales function periodically review whether and under what circumstances the salesperson changed prices.
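The access-request review described above (rejecting a request that would let a salesperson modify price files) and the alternative detective control for when segregation cannot be achieved can both be automated. The following is an added example, not code from the Framework or from any ERP product: the list of incompatible duty pairs is an assumed policy, and the users, entitlements and price-change log entries are constructed.

```python
"""Segregation-of-duties check on access requests, plus the detective
alternative control used when segregation is not achievable.
Added example; the duty pairs and all data below are constructed."""

# Assumed policy: pairs of duties one person must not hold together.
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_credit_sales", "maintain_receivables"}),
    frozenset({"authorize_credit_sales", "handle_cash_receipts"}),
    frozenset({"maintain_receivables", "handle_cash_receipts"}),
    frozenset({"enter_sales_orders", "modify_price_master"}),
    frozenset({"enter_sales_orders", "modify_commission_rates"}),
}


def conflicts_in(entitlements):
    """All incompatible pairs fully contained in one person's entitlements."""
    held = set(entitlements)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE_DUTIES
                  if pair <= held)


def evaluate_access_request(user, current, requested):
    """Preventive control: reject a request that would create an SoD conflict.

    Conflicts the user already holds are reported separately so they can be
    remediated; only conflicts the request would introduce drive the decision.
    """
    existing = conflicts_in(current)
    proposed = conflicts_in(set(current) | set(requested))
    introduced = [c for c in proposed if c not in existing]
    return {
        "user": user,
        "decision": "reject" if introduced else "approve",
        "new_conflicts": introduced,
        "existing_conflicts": existing,
    }


def price_changes_for_review(change_log, sales_users):
    """Detective alternative control: when sales staff can edit prices, list
    every change they made so someone outside sales can review it."""
    return [c for c in change_log if c["changed_by"] in sales_users]


# Constructed sample data.
SALES_USERS = {"alice"}
PRICE_CHANGE_LOG = [
    {"ts": "2024-03-01T09:12:00Z", "changed_by": "alice", "item": "SKU-7",
     "old_price": "19.99", "new_price": "9.99"},
    {"ts": "2024-03-01T10:40:00Z", "changed_by": "pricing_admin",
     "item": "SKU-8", "old_price": "5.00", "new_price": "5.25"},
    {"ts": "2024-03-02T16:05:00Z", "changed_by": "alice", "item": "SKU-7",
     "old_price": "9.99", "new_price": "19.99"},
]


def run_example():
    """Evaluate two access requests and build the review queue."""
    return {
        "alice_request": evaluate_access_request(
            "alice", {"enter_sales_orders"}, {"modify_price_master"}),
        "bob_request": evaluate_access_request(
            "bob", {"maintain_receivables"}, {"run_aging_report"}),
        "review_queue": price_changes_for_review(PRICE_CHANGE_LOG, SALES_USERS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

The check is only as good as the entitlement data it reads: it must be run against effective access (roles, inherited roles and direct grants resolved), not against the role names on the request form, or the salesperson simply obtains the price-file right through a role the form did not mention. The review queue in the second function is the alternative control from the paragraph above; it is detective, so the price drop on SKU-7 is found only after the fact, and the reviewer must sit outside the sales function for the control to mean anything.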
fn 14 The term "transactions" tends to be associated with financial processes (e.g., payables transactions), while "activities" is more generally applied to operational or compliance processes. For the purposes of the Framework, the term "transactions" applies to both.
fn 15 The term "transaction controls" is used in the Framework to refer to both manual and automated controls.
fn 16 While related in concept and terminology, information-processing objectives and financial statement assertions are different. Financial statement assertions are specific to the reliability of financial reporting, while information-processing objectives apply to transaction processing.
fn 17 Information-processing objectives refers to an entity's goals for control activities and thus are sub-objectives in the context of a system of internal control.
fn 18 Supervisory reviews can be either control activities or monitoring activities. The difference is discussed further in Chapter 9, Monitoring Activities.
fn 19 "Technology" is a broad term. In the Framework its use applies to technology that is computerized, including software applications running on a computer, manufacturing controls systems, etc.
fn 20 Business performance reviews can be either control activities or monitoring activities. The difference is discussed further in Chapter 9, Monitoring Activities.
fn 21 The Framework prefers the term "alternative controls" over "compensating controls." The latter term has been used to describe additional control activities put in place when segregation of duties could not be achieved. However, this term has evolved to refer to control activities that mitigate the impact of an identified control deficiency when evaluating the operating effectiveness of controls and is used in this context in the Framework.
Generated November 9, 2014 22:46:48