Questions & Answers
What are control activities?
Control activities are a core component of the COSO Internal Control – Integrated Framework (2013). They are defined as the actions established through policies and procedures that help ensure management's directives to mitigate risks to the achievement of objectives are carried out. These activities are the practical execution of risk responses. They can be preventive (e.g., segregation of duties) or detective (e.g., reconciliations), and can be manual or automated. In the risk management process, control activities follow risk assessment and are distinct from monitoring activities, which assess the effectiveness of controls over time. They are fundamental to ensuring operational efficiency, reliable financial reporting, and compliance with laws and regulations.
How are control activities applied in enterprise risk management?
Practical application involves a systematic approach. Step 1: Control Design, where specific controls are developed based on risk assessment findings. For instance, to mitigate fraud risk, a company might implement a three-way match control (purchase order, invoice, receiving report) before approving payment. Step 2: Documentation and Communication, formalizing the control in a Standard Operating Procedure (SOP) and training relevant staff. Step 3: Execution and Monitoring, where employees perform the control and internal audit periodically tests its effectiveness. A global technology firm, for example, implemented automated access controls within its cloud environment, reducing the risk of unauthorized data access and achieving a 99% pass rate in subsequent security audits.
What challenges do Taiwan enterprises face when implementing control activities?
Taiwan enterprises often face three key challenges. First, resource constraints in small and medium-sized enterprises (SMEs) limit their ability to hire dedicated risk and audit professionals. The solution is to adopt a risk-based approach, focusing on high-priority areas and leveraging technology like ERP systems for automated controls. Second, the prevalence of family-owned businesses can lead to a culture where centralized authority undermines the segregation of duties. Strengthening corporate governance with independent directors and audit committees is a key mitigation strategy. Third, keeping up with rapid regulatory changes, such as data privacy laws, is a constant struggle. Establishing a formal regulatory tracking process, often supported by external consultants, is crucial for maintaining compliance. The priority should be to address high-risk process controls within 3-6 months.
Why choose Winners Consulting for control activities?
Winners Consulting specializes in control activities for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact