Once the Risk Assessment component is implemented and the risks which threaten the achievement of the entity’s objectives are identified and assessed, the onus is on the management and board of the entity to establish control activities that would eliminate these risks or reduce their occurrences to the barest minimum or at least an acceptable level. Matrices can be drawn up to indicate the risks that the organization is exposed to as well as the controls that can be put in place to limit them. Also, authorization limits can be set to reduce the entity’s exposure to the possibilities of one man’s fraudulent activities. Duties can be duly segregated to prevent one man seeing through all stages of a transaction. These can, at least, limit the occurrences of fraudulent practices even if it does not totally eradicate them.

An entity can employ several approaches to meet this principle such as Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities, Implementing or Monitoring Control Activities when Outsourcing to a Third Party, Considering the Types of Control Activities, Considering Alternative Control Activities to the Segregation of Duties, Identifying Incompatible Functions.

Since the advent of technology, a lot of business processes have become computerized and automated. However, even though technology works to a very high level of accuracy, its outputs are based on the inputs fed into it. As a result, there are risks of producing inaccurate outputs through errors and misstatement in the input. There is therefore just as much need to place controls around the electronic business process as there is over the manual/people operated processes. For that reason, duties can also be segregated amongst different personnel, so one person does not handle too many processes. One person could be made to input transactions while another person would have the duty of authorizing the transaction. This provides a level risk mitigation and confidence in reports but this is only subject to avoidance of collusion among these personnel.

The Framework provides entity’s willing to apply it with the following approaches to achieving this principle. They include Using Risk and Control Matrices to Document Technology Dependencies, Evaluating End-User Computing, Implementing or Monitoring Control Activities when Outsourcing IT Functions to a Third Party, Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties, Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data, Administering Security and Access, Applying a System Development Life Cycle over Packaged Software, Applying a System Development Life Cycle over Software Developed In-House.

The prior principles on Risk Assessment component state that the organization should select and develop control activities, including control activities over technology, that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. This principle however elaborates that even though the previous principles are important, their objectives would not be fulfilled except they are properly documented and implemented as policies. These policies, after being developed, can be cascaded throughout the organization by leaders in various positions and parts of the entity. The policies, apart from being assessed on a regular basis, should also be reviewed when there is a specific need for such.

Approaches to applying this principle include Developing and Documenting Policies and Procedures, Deploying Control Activities through Business Unit or Functional Leaders, Conducting Regular and Ad Hoc Assessments of Control Activities. Although these approaches are recommended by the Framework, they should not be seen as an exhaustive list. An entity may take steps of its own, especially when not addressed by the Framework.