GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 33
CONTROL ACTIVITIES
The third internal control standard addresses control activities. Internal control activities are the
policies, procedures, techniques, and mechanisms that help ensure that management’s directives
to mitigate risks identified during the risk assessment process are carried out. Control activities
are an integral part of the agency’s planning, implementing, and reviewing. They are essential
for proper stewardship and accountability for government resources and for achieving effective
and efficient program results.
Control activities occur at all levels and functions of the agency. They include a wide range of
diverse activities, such as approvals, authorizations, verifications, reconciliations, performance
reviews, security activities, and the production of records and documentation. A manager or
evaluator should focus on control activities in the context of the agency’s management directives
to address risks associated with established objectives for each significant activity (program or
mission). Therefore, a manager or evaluator will consider whether control activities relate to the
risk-assessment process and whether they are appropriate to ensure that management's directives
are carried out. In assessing the adequacy of internal control activities, a reviewer should
consider whether the proper control activities have been established, whether they are sufficient
in number, and the degree to which those activities are operating effectively. This should be done
for each significant activity. This analysis and evaluation should also include controls over
computerized information systems. A manager or evaluator should consider not only whether
established control activities are relevant to the risk-assessment process, but also whether they
are being applied properly.
The control activities put into place in a given agency may vary considerably from those used in
a different agency. This difference may occur because of the (1) variations in missions, goals,
and objectives of the agencies; (2) differences in their environment and manner in which they
operate; (3) variations in degree of organizational complexity; (4) differences in agency histories
and culture; and (5) differences in the risks that the agencies face and are trying to mitigate. It is
probable that, even if two agencies did have the same missions, goals, objectives, and
organizational structures, they would employ different control activities. This is due to
individual judgment, implementation, and management. All of these factors affect an agency’s
internal control activities, which should be designed accordingly to contribute to the achievement
of the agency’s missions, goals, and objectives.
Given the wide variety of control activities that agencies may employ, it would be impossible for
this tool to address them all. However, there are some general, overall points to be considered by
managers and evaluators, as well as several major categories or types of control activity factors
that are applicable at various levels throughout practically all federal agencies. In addition, there
are some control activity factors specifically designed for information systems. These factors
and related points and subsidiary points are listed below as examples of issues to be considered.
They are meant to illustrate the range and variety of control activities that are typically used.
The list is a beginning point. It is not all-inclusive, and not every point or subsidiary point may
apply to every agency or activity within the agency. Even though some of the functions and