Internal controls help organizations generate reliable financial reports, safeguard assets, evaluate the effectiveness and efficiency of operations, and comply with laws and regulations. Given this wide-ranging impact, companies should reevaluate their system of internal controls on a regular basis to ensure they are operating properly and meeting their intended objectives. Each organization has a unique risk profile for which internal controls are meant to help mitigate, but following is an overview of the types of internal controls that you may want to consider as you evaluate your existing system of internal controls.
To start, there are two types of internal controls:
- Preventative internal controls. The goal of these controls is to prevent errors and fraud before they occur. These controls are proactive, reduce errors, and minimize the need for corrective action.
- Detective internal controls. The goal of these controls is to find errors or irregularities after they have occurred. These controls provide evidence that a loss has occurred but doesn’t prevent the loss from occurring in the first place.
It may be helpful to think of these types of controls another way. Preventative controls are an organization’s offensive strategy while detective internal controls are more aligned with its defensive strategy. Preventative controls represent the proactive plan against an opponent, whereas detective controls are reactive in nature if the plan goes awry.
Here are examples of some preventative controls:
- Segregation of duties. No single person should be responsible for all facets of a transaction; authorization, recording, and custody of the impacted assets should be handled by different people.
- Access and physical controls. These include restrictions based on job responsibility to certain systems, use of passwords, door locks, and use of encryption software.
- Preapproval of actions. Management authorizes employees to perform certain activities within limited parameters.
A team with a killer offense may be able to rely less on their defense, but there are practical matters that prevent an organization from only having preventative controls.
Preventative controls could be too expensive or impractical to implement. An organization with a small accounting department may conclude that it is not feasible to have complete segregation of duties. As a result, properly designed detective controls can help identify issues before they get out of hand. For example, an owner may review the monthly organizational performance by comparing actual results to budgeted results and investigate any unexpected results.
Preventative controls also don’t eliminate an incident from occurring. An organization may have its valuable inventory in a locked warehouse with access restricted to the proper employees. However, there is still a risk that an employee or third party may circumvent the preventative controls and steal inventory. In this case, having a detective control, like performing regular physical inventory counts, may be warranted.
Detective controls may also be used when the preventative controls in place are weak (or even non-existent) or not sufficient to address the risk. The detective controls act as a monitoring system which identifies occurrences where risks have been violated. However, an organization wouldn’t want to rely solely on detective controls when the risk is high. If controls surrounding cash are all detective in nature, the organization is gambling that it will be able to recoup money identified as misappropriated. It’s generally most efficient to try to prevent the theft in the first place, rather than try to eliminate its impact later.
What combination of preventative and detective controls does your organization need? The answer is driven by the risks present in your business processes. Consider the impact and likelihood of each risk in the process, costs, and efforts required to establish the controls and the availability of effective detective internal controls. Championship teams are those that have both a strong offense and defense. Getting the mix right is the difference between making it to the playoffs versus bringing home the trophy.
Vanessa A. Zang can be reached at Email or 215.441.4600.
You may also like: