The Control Design Attributes are the criteria for an internal control over financial reporting (ICFR) to be “effective” (as in SOX 404).
Common Attributes are:
The authority (approved by the Board) is properly delegated to the control owner (e.g., review manager, etc.). (Note that the authority should not be delegated to non-manager staff or to personnel who are not part of management.)
The control owner manager is adequately competent to operate his/her ICFR (so that s/he can fulfill the accountability delegated to him/her).
The ICFR mitigates relevant Inherent (misstatement) Risk defined at an Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) level.
Segregation of Duties (SoD) is in place.
ITGC is effective (if the control is an IT control or an IT-dependent manual control).
Each Attribute is required by the relevant COSO (2013) Principles and is typically satisfied if the related entity-level controls (ELCs) are “present” (as in COSO) and evidenced by applicable Policies and Procedures (and by Roles and Responsibilities for the Competence Attribute). The exception is an Attribute concerned with a specific process, where the evidence needs to back up that process specifically: e.g., each risk remediation at an Assertion level, or SoD.
Note that the above discussion is applicable to preventive ICFRs and NOT to detective ones, which are designed not at a critical data path, or Likely Source of Potential Misstatement (LSPM as in Auditing Standard No. 5), but at a point in time whenever management sees fit.