ACLs operate in one direction only, based on the command you use to apply it to an interface (ip access-group ACLName/Number in/out), where in refers to requests coming to that interface from devices on the same subnet that the interface is on, and out refers to packets that interface sends out to it's subnet.
If you only setup an ACL in only one direction, then all traffic is automatically allowed in the other direction. If you setup an ACL in both direction, then you have to take into account the traffic in both directions (this is very different from a firewall). ACLs don't have any inherent way to track the state of connections, which is what firewalls do (although there are some ways of setting up dynamic ACLs, although I have never done them).
The easiest to to do this for TCP connections is the established keyboard on the ACL for the return direction, which checks part of the TCP header to see if the packets is set as being an established connection, and processes the packets based on that (although there it can be spoofed, but it dramatically simplifies the ACL for the return direction).
Note that UDP and I believe most other protocols do not have the established concept, so they have to be managed manually.
Applied ACLs normally examine traffic flowing in one single direction, but they can look at bidirectional attributes, e.g. source and destination. An extended ACL, such as:
access-list 105 permit tcp any any ack
would permit TCP packets containing the ACK flag.
I suspect, however, you might have in mind how you allow TCP traffic that's in response to outbound traffic. If so, one common method is an ACL that examines return traffic and permits TCP packets with the established flag, e.g.
access-list 105 permit tcp any any established
It sounds like you're looking at an ACL config on a router that is only filtering traffic in one direction and leaving you to wonder how the return traffic is allowed in.
Besides what has been pointed out so far, there is such a thing as a stateful access list, like the access lists you configure on a router running a firewall feature set, or perhaps a firewall.
In those cases, TCP traffic generated on the inside of the network -- the trusted side -- and heading out to the untrusted side, has its return traffic automatically allowed back in. This is called being stateful. A temporary/virtual ACL is created for the return traffic by the IOS to allow the traffic back in.
Just a little extra something to think about.