"Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy.
For example, a policy might call for review of customer trading activities by a securities dealer’s retail branch manager.
The procedure is the review itself, performed in a timely manner and with attention given to factors set forth in the policy,
such as the nature and volume of securities traded and their relation to customer net worth and age."
COSO