COSO Internal Control Components: Control Activities
PERHAPS THE CORE ELEMENT IN the overall COSO internal control framework, control activities are actions—established through enterprise policies and procedures—that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of an enterprise, at various stages within business units and processes, and over the technology environment. These control activities may be preventive or detective in nature and may encompass a range of manual and automated activities, such as authorizations and approvals, verifications, reconciliations, and business performance reviews. A basic or fundamental internal control, segregation of duties, is typically built into the selection and development of COSO control activities. Where internal controls are not effective or even practical for the segregation of duties, management must select and develop alternative control activities.
Control activities are an area where, on one hand, basic internal control activity concepts have not changed all that much from the original COSO internal control framework. For example, segregation of duties is a basic internal control concept that really has not changed all that much. The person or the automated function that initiates a financial transaction should not be the same person or process that approves it. On the other hand, there have been massive changes ...