Do your process owners, management teams and key staff who are candidates for financial statement and information system audits know what types of controls will be most effective in their environments? They should first understand the differences among control types, which will position them to install the most advantageous controls and achieve audit readiness. The controls decided upon are not mutually exclusive; they are sometimes paired, which strengthens the audit posture. They need to understand, establish and then execute the selected controls, not only to reduce audit exposures and improve the likelihood of successful audits, but also to improve business performance. The control types are:
Preventive controls - Companies should implement internal controls that provide reasonable assurance that fraudulent or erroneous reporting can be prevented. Preventive controls mitigate or stop an event from occurring. They are designed at the point of entry. Examples would be passwords that stop unauthorized access to systems, or door locks.
Deterrent controls - Deterrent controls discourage or restrain one from acting or proceeding through fear or doubt. They can also restrain or hinder an event. Examples would be the knowledge that systems are password protected or security guards sitting at entrances to buildings.
Detective controls - Detective controls reveal or discover unwanted events and offer evidence of trespass. They often necessitate rework or investigation after the error has been identified. Examples are overdrafts, various types of alarms and out-of-balance accounts.
Reporting controls - Reporting controls document an event, a situation or a trespass. Upon detection of an unwanted event, it is essential that some sort of report be generated. An example would be a list of unauthorized access to the payroll system.
Corrective controls - Corrective controls remedy or set right an unwanted event. These controls detect errors and attempt to correct them immediately. Examples would be the submission of omitted records and the enforcement of disciplinary action against personnel engaged in fraudulent activities.