Best practices to follow for compliance regulations
Compliance regulations and internal auditors tend to focus on a core set of typical control objectives and control activities. Control objectives specify the actions that must be performed to be in compliance with the standard or requirement. Objectives state what needs to be done, but not how to do it. For example, an objective might state, "All administrator actions on the financial production application will be reviewed on a daily basis and correlated with approved change requests."
Control activities are the actions that you implement to meet a control objective. Activities state how to accomplish objectives and describe exactly how the actions are performed on a periodic basis to meet the intent of the control objectives. For example, a control activity might be defined with the statement, "Log all administrative activity on the production financial application and review the log daily. All actions in the log are matched with...