20.24
Control Activities

20.24.10

July 1, 2017

Control activities overview

Control activities are policies, procedures, techniques, and mechanisms that help ensure that risks to the achievement of an agency’s objectives are mitigated. Control activities are performed at all levels of the agency, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature. Preventive controls are designed to deter an undesirable event from occurring by implementing procedures to avoid it. Detective controls are designed to identify undesirable events that do occur and alert management to what has happened.

When designing and implementing control activities, management should consider cost versus benefit and the likelihood and impact of the associated risk. Building control activities into business processes and systems as they are being designed is generally more cost-effective than adding them later.

20.24.20

July 1, 2017

Control activities principles

There are three principles relating to control activities.

  1. Management designs control activities to achieve its objectives and respond to risks.
  2. Management designs its information systems and related control activities to achieve its objectives and respond to risks.
  3. The agency implements control activities through policies and procedures.

20.24.30

July 1, 2017

Principle 10 – Designs control activities

Management designs control activities to achieve its objectives and respond to risks. The following points of focus highlight important characteristics relating to this principle.

  • Integrates with risk assessment – Control activities help ensure that risk responses that address and mitigate risks are carried out.
  • Considers agency-specific factors – Control activities address the environment, complexity, nature, and scope of operations, as well as the specific characteristics of the agency.
  • Evaluates a mix of control activity types – Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
  • Considers at what level activities are applied – Control activities are applied at various levels in the agency.
  • Addresses segregation of duties – Where segregation of duties is not practical, appropriate alternate control activities are utilized.

20.24.40

July 1, 2017

Principle 11 – Designs information systems and related control activities


Management designs its information systems and related control activities to achieve its objectives and respond to risks, taking into consideration Office of the Chief Information Officer policies as applicable. The following points of focus highlight important characteristics relating to this principle.

  • Designs information systems and appropriate control activities – Management designs (1) its information system to obtain, store, and process quality information and (2) appropriate control activities including defining responsibilities, assigning them to key roles, and delegating authority.
  • Establishes relevant technology infrastructure control activities – Management selects and implements control activities over the technology infrastructure, which are designed to help ensure the completeness, accuracy, and availability of technology processing.
  • Establishes relevant security control activities – Management selects and implements control activities that are designed to restrict technology access rights to authorized users commensurate with their job responsibilities and to prevent unauthorized use of and changes to the agency’s information system.
  • Establishes relevant technology control activities – Management selects and implements control activities over the acquisition, development, and maintenance of technology assets.

20.24.50

July 1, 2017

Principle 12 – Implements control activities through policies and procedures

The agency implements control activities through policies and procedures. The following points of focus highlight important characteristics relating to this principle.

  • Establishes policies and procedures to achieve its objectives and respond to risks – The agency establishes policies and procedures that (1) assign responsibility for operational objectives and related risks and (2) incorporate control activities. Policies and procedures may address the timing of when a control activity occurs and any follow-up corrective actions to be performed by competent employees if deficiencies are identified.
  • Reassesses policies and procedures – The agency periodically reviews policies, procedures, and related control activities for continued relevance and effectiveness, and refreshes them when necessary.
