
Control Actions: Principle 10 – Selecting and Developing Control Actions

Principle 10: Selecting and Developing Control Actions

The organization selects and develops control actions to reduce risks to acceptable levels in achieving objectives.

Focus Points:

Control actions serve as a mechanism that enables an organization to achieve its objectives and are an integral part of the organization’s processes for achieving those objectives.

The following focal points highlight essential features of this principle:

  • Integrates with Risk Assessment: Combined with risk assessment, control actions help ensure that risk responses address and reduce risks.

Control actions support all components of internal control but are most closely aligned with the Risk Assessment component. Through risk assessment, management identifies the measures needed to implement specific responses to risks. Control actions are not required when an organization accepts or avoids a particular risk, although there are cases where an organization decides to avoid a risk and develops control actions to make that avoidance effective. The focus of this principle is on selecting and developing control actions that reduce or share a risk. The nature and extent of the risk response and any associated control action also depend, in part, on the level of residual risk that management considers acceptable.

When determining what measures to take to reduce risk, management considers all aspects of the organization’s internal control components and the relevant business processes, information technology, and locations where control actions are needed.

  • Considers Organization-Specific Factors: It evaluates how the environment, complexity, nature, and scope of activities, as well as the unique characteristics of the organization, affect the selection and development of control actions.

Factors specific to the organization may affect the control actions required to operate internal control systems. For example:

  • An organization’s environment and complexity and the nature and scope of its activities influence, physically and logically, the organization’s control actions.
  • The responses to risks and control actions adopted by highly regulated organizations are more complex than those of less regulated organizations.
  • The scope and nature of the risk responses and control actions of a multinational organization operating in several fields often require a more complex internal control structure than those of a domestic organization whose activities are less complex.
  • The control actions of an organization with a sophisticated enterprise resource planning (ERP) system differ from those of an organization using an ordinary computerized accounting system.
  • The control conditions of an organization whose activities are decentralized and emphasize local autonomy and innovation differ from those of an organization that operates under a fixed and highly centralized system.

  • Identifies Relevant Business Processes: Management determines which business processes need control actions.

In order for organizations to achieve their goals, business processes are determined throughout the organization. These business processes may be similar in all businesses (such as purchasing, sales, and financing) or specific to a particular sector (such as damage compensation transactions or drilling activities). Each process transforms inputs into outputs through a series of operations or actions. Control actions that directly support measures to reduce the risks of processing (recording) business transactions in an organization’s business processes are often referred to as “application controls” or “transaction controls.”

A business process can consist of many objectives and sub-objectives, and all of these objectives have their own risks and responses to those risks. To bring together these risks in business processes in a more manageable way, the most common method is to group them according to information-processing purposes related to completeness, accuracy, and validity. Definitions regarding information processing purposes in the framework are as follows:

  • Completeness – All transactions that occur are recorded.
  • Accuracy – Transactions are recorded in the correct account and in the correct amount and time at each step of the accounting process.
  • Validity – Recorded transactions represent economic events that actually occurred and were executed according to predetermined procedures. An example of validity in an operational context is sourcing the parts used to manufacture a car only from an authorized supplier.

  • Considers a Mix of Control Action Types: Control actions include a range of diverse controls and may involve striking a balance between approaches taken to mitigate risks, considering both manual and automated controls and both preventive and detective controls.

Various process control actions can be selected and developed, including the following:

  • Authorizations and Approvals: An authorization verifies that a transaction is valid. For example, a supervisor approves an expense report after reviewing whether the expense information is reasonable and in accordance with the organization’s policies. An example of an automatic approval would be comparing an invoice unit price to the corresponding purchase order unit price at a previously established tolerance level.
  • Verifications: Verifications compare two or more items with each other, or compare an item with a policy. Verifications generally address the completeness, accuracy, and validity of transaction processing.
  • Physical Controls: Equipment, inventories, securities, cash, and other assets are physically protected (restricted physical access), counted at regular intervals, and compared to the amounts seen in control records.
  • Controls over Immutable Data: Immutable data, such as a price master file, is often used to support transaction processing in a business process.
  • Reconciliations: Reconciliation is the comparison of two or more data elements and taking action to reach a consensus regarding the data if a difference is detected. Reconciliations generally address the completeness and/or accuracy of transactions subject to the process.
  • Administrative Controls: Administrative controls evaluate whether other control actions (e.g., specific verifications, reconciliations, etc.) are performed both entirely and accurately and in accordance with policies and procedures. For example, a manager can review whether reconciliation transactions are carried out in accordance with policy.

Control actions and technology affect each other in two ways:

  • Technology supports business processes – When technology is incorporated into an organization’s business processes, such as robotic automation in a manufacturing facility, control actions are required to reduce the risk that the technology fails to keep operating as needed to achieve the organization’s objectives.
  • Technology is used to automate control actions – Control actions in an organization are partially or fully automated through technology, for example by an ERP application.

Most business processes employ a mix of manual and automated controls, depending on the technology available in the organization. Automated controls tend to be more reliable because they are less affected by human judgment and error and generally operate more efficiently; their reliability, however, depends on whether the general technology controls discussed later in this chapter are implemented and working.

  • Evaluates the Levels at Which Control Actions Are Applied: Management evaluates control actions at various levels of the organization.

Organizations select and develop a mix of controls applied at the transaction-processing level and control actions that operate more broadly and generally take place at higher levels of the organization. These broader control actions usually consist of operating performance or analytical reviews that compare different sets of operational or financial data. Relationships are analyzed and investigated, and corrective action is taken as necessary when results do not comply with policy and expectations.

Process controls and business performance reviews at different levels work together to provide a layered approach to the organization’s risks and are integrated into the control mix within the organization.

For example, an operating unit may have business performance reviews that include the percentage of purchase orders processed through the purchasing process and the percentage of returns relative to total purchase orders. By examining unexpected results and unusual trends, management can identify situations where key purchasing objectives may not have been achieved.

  • Addresses Separation of Duties: Management separates incompatible duties and develops alternative control actions where duties cannot be separated.

When selecting or developing control actions, management should consider whether tasks are divided or distributed among different individuals in order to reduce the risk of error or of improper or fraudulent actions. Such an assessment should take into account the legal environment, regulatory requirements, and stakeholders’ expectations. Separation of duties generally requires separating the responsibility for recording, authorizing, and approving transactions from the responsibility for custody of the related asset.

For example, a manager who authorizes credit sales should not be responsible for maintaining accounts receivable records or for processing cash receipts and disbursements. A system access request submitted by a salesperson to change product pricing files or commission rates should be denied.

Separation of duties also addresses the significant risk of management misconduct: overriding existing control actions is a frequently used method by which management commits fraud. Separation of duties is therefore essential to mitigating the risk of fraud.

However, separation of duties is not always practical, cost-effective, or feasible. In such situations, for example in small companies, management establishes alternative control actions. In the example above, if the salesperson is able to change product-price files, a detective control action could be implemented by assigning personnel not affiliated with the sales unit to review whether this salesperson changed prices and, if so, under what circumstances.
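The controls described above can be expressed as simple checks. The following is an added example, not code from the original page: an automated invoice-to-purchase-order price approval at a tolerance level (from the Authorizations and Approvals bullet), a preventive separation-of-duties check on access requests, and the detective review of price-master changes by sales staff. The duty names, the 2% tolerance, the incompatibility table and the change-log entries are all constructed for illustration.

```python
# Added example (not from the page). Duty names, tolerance and log lines are constructed.

def auto_approve_invoice_line(invoice_price, po_price, tolerance=0.02):
    """Automated approval: accept an invoice unit price that lies within the
    tolerance (assumed 2%) of the purchase-order unit price; otherwise route it
    to a reviewer."""
    return abs(invoice_price - po_price) <= tolerance * po_price

# Pairs of duties one person must not hold together, based on the page's examples:
# authorizing credit sales vs. keeping receivables / handling cash, and
# sales vs. editing price or commission files. (Constructed table.)
INCOMPATIBLE = {
    frozenset({"authorize_credit_sales", "maintain_receivables"}),
    frozenset({"authorize_credit_sales", "process_cash_receipts"}),
    frozenset({"sales", "edit_price_master"}),
    frozenset({"sales", "edit_commission_rates"}),
}

def sod_conflicts(held_duties, requested_duty):
    """Return the duties already held that are incompatible with the requested one."""
    return sorted(d for d in held_duties
                  if frozenset({d, requested_duty}) in INCOMPATIBLE)

def decide_access_request(held_duties, requested_duty):
    """Preventive control: deny any request that would create an incompatible
    combination of duties, reporting which existing duties caused the denial."""
    conflicts = sod_conflicts(held_duties, requested_duty)
    return ("deny", conflicts) if conflicts else ("approve", [])

# Constructed price-master change log: (user, duties held by user, sku, old, new).
CHANGE_LOG = [
    ("pricing_clerk", {"edit_price_master"}, "SKU-100", 50.00, 52.00),
    ("sales_rep_a", {"sales", "edit_price_master"}, "SKU-100", 52.00, 35.00),
    ("sales_rep_a", {"sales", "edit_price_master"}, "SKU-200", 80.00, 79.00),
]

def review_price_changes(log):
    """Detective control for the case where separation is not feasible: list every
    price edit made by someone who also holds a sales duty, with the percentage
    change, so staff outside the sales unit can review the circumstances."""
    return [(user, sku, old, new, round((new - old) / old * 100, 1))
            for user, duties, sku, old, new in log
            if "sales" in duties and "edit_price_master" in duties]
```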
