In its Framework Volume, COSO Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” They should be performed at all levels in an organization’s process cycle.

Principle 10: Selects and develops controls activities.

Principle 11: Selects and develops general controls over technology.

Principle 12: Control activities established through policies and procedures.

Discussion. While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.

This objective requires that you have new ways of capturing, gathering, confirming the accuracy and completeness of the information and the controls reporting it. The Control Activities regarding the policies and procedures needed is certainly an important consideration going forward.

Three key takeaways:

  1. Think of a “second set of eyes” as a primary control activity.
  2. SODs must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle and this speaks directly to the operationalization of your compliance program.