Control Activities: Deploying Policies & Procedures

Principle 12: Enforces through Policies and Procedures

The organization enforces control actions through policies that set expectations and procedures that implement them.

Focus Points:

The following focal points highlight essential features of this principle:

  • Establishes Policies and Procedures to Support the Transmission of Management’s Instructions – Management establishes control actions built into the daily actions of business processes and employees through policies that set expectations and procedures that determine appropriate actions.

Policies reflect management’s explanations of what needs to be done to implement controls. These statements may be documented, explicitly stated in communications, or implied by management actions and decisions. Procedures consist of the activities that implement a policy.

Control actions relate specifically to policies and procedures that contribute to reducing risks to the achievement of objectives to acceptable levels. For example, a policy may require a retail branch manager to review customers’ trades at a securities brokerage firm. The procedure is the review itself, carried out promptly and with attention to the factors prescribed in the policy, such as the relationship between the nature and volume of the securities subject to the transaction and the net value and age of the securities held by the client.

Policies and procedures are usually communicated verbally. Unwritten policies can be effective in organizations where the policy has existed for a long time and its application is understood, as well as in smaller organizations whose communication channels involve a limited number of management levels and where management can keep staff in close interaction and supervision. Although a cost-effective alternative for some organizations, unwritten policies and procedures can be more easily circumvented, can be more costly in organizations with high staff turnover, and can reduce accountability. Policies and procedures are expected to be formally documented in case of external review.

  • Establishes Responsibility and Accountability for Implementation of Policies and Procedures – Management exercises responsibility and accountability for control actions in conjunction with management (or other authorized personnel) of the business unit or function that contains the relevant risks.

However, whether a policy is written or not, it should establish the responsibilities and accountability that ultimately belong to the management of the business and its subunit where the risks are located. In addition, policies must be implemented thoughtfully and fairly, and their procedures must be carried out diligently and consistently, on time, and by competent personnel.

  • Performs Control Actions Promptly – Responsible personnel perform control actions promptly, as defined in the relevant policies and procedures.

The timing of a control action and any subsequent corrective actions should be specified in the procedures. Procedures that are not applied in a timely manner may reduce the usefulness of the control action. For example, the relevant business process owner regularly reviews user accounts for improper access rights to reduce the risk of unauthorized access to an acceptable level. The longer the intervals between reviews, the greater the chance that unauthorized access will not be detected promptly.

  • Takes Corrective Action – Responsible personnel investigate problems identified as a result of implementing control actions and take necessary action.

When carrying out a control action, problems identified for follow-up should be investigated and, if appropriate, corrective action taken as necessary. For example, let’s say a reconciliation between cash accounts detects a difference in one of the accounts. The accounting officer and the personnel responsible for keeping cash records investigate the difference and determine that a cash receipt has not been properly recorded in the accounting records. In this case, the cash receipt is processed again, and the account reconciliation reflects the correction.

  • Performs Control Actions Using Competent Personnel – Competent personnel with sufficient authority perform control actions diligently and with constant focus.

A well-designed control action often cannot be implemented without personnel with sufficient authority to perform that control action. The level of competence required to complete a control action varies depending on factors such as the complexity of the control action and the complexity and volume of the underlying operations. Moreover, a procedure will not be applicable if it is implemented by rote and without a clear and constant focus on the risks covered by the relevant policy. Sufficient authority may be required to fully exercise all control aspects, such as taking corrective action.

  • Reassesses Policies and Procedures – Management periodically reviews control actions to determine whether they remain valid and renews them as necessary.

Management should periodically re-evaluate policies, procedures, and related control actions for ongoing suitability and effectiveness, independently of any response to significant changes in the organization’s risks and objectives. Such significant changes are evaluated through the risk assessment process. Changes in people, processes, and technology may reduce the effectiveness of control actions or make some control actions unnecessary.

Whenever such changes occur, management should reassess the appropriateness of existing controls and replace them if necessary. For example, management may upgrade an ERP system’s purchasing module and begin implementing automated transaction control actions, making the old manual control actions idle and unnecessary.

