In its Framework Volume, COSO states that Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” They should be performed at all levels in an organization’s process cycle.
Principle 10: Selects and develops control activities.
Principle 11: Selects and develops general controls over technology.
Principle 12: Control activities established through policies and procedures.
While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the interrelatedness of all five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. The Control Activities objective lays the groundwork for a living, breathing compliance program going forward.
This objective requires new ways of capturing, gathering, and confirming the accuracy and completeness of the information and the controls reporting it. The Control Activities regarding the necessary policies and procedures are an important consideration going forward.
Three key takeaways:
- Think of a “second set of eyes” as a primary control activity.
- Segregation of duties (SOD) must always be employed.
- Control Activities should be performed at all levels in the business process cycle, which speaks directly to operationalizing your compliance program.