Control activities are actions, supported by policies and procedures, that manage or reduce risks when carried out properly and in a timely manner. Control activities can be either preventive or detective.
Preventive controls attempt to prevent or deter undesirable acts from occurring. They are proactive controls, designed to prevent a loss, error, or omission. Examples of preventive controls are:
| Preventive control | Control description | Examples |
|---|---|---|
| Segregation of duties | In an ideal environment, major functions such as authorization, recording, verification, and custody of assets should each be performed by a different employee. If a person performs more than one of these major functions without additional mitigating controls in place, there is the potential to carry out and conceal errors and/or irregularities in the course of performing day-to-day activities. | Incompatible duties may include: |
| Adequate documentation | Each transaction must stand on its own, and an independent reviewer should be able to easily interpret and understand the purpose of the transaction. This can be achieved by maintaining adequate supporting documentation. | Answering the following questions somewhere on the transaction: |
| Proper authorizations | All transactions must be authorized by an individual with the authority to do so. Employees cannot authorize transactions for their own business reimbursement. Verbal authorization is acceptable, but not recommended. Physical signature stamps are not acceptable. | |
| Physical security over cash and other assets | Access to equipment, inventories, securities, cash and other assets should be restricted based on need, and assets should be periodically counted. | |