Controls can be either preventive or detective. The intent of these controls is different. Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets. Few Example of detective controls are given below:
- Obtaining pre-approval on actions or transactions before they can be processed
- Using document control numbers to make sure all transactions are accounted for
- Matching and comparing documents from different sources to ensure integrity
- Testing clerical accuracy
- Locks on doors and gates
- Physical controls over cash, checks, signature plates, and inventory
- Computer passwords, access controls, and file locks, to prevent unauthorized electronic access
- Computer backups for both audit trails and disaster planning
- Batch totals on data entry work
- Validating input data against established parameters to ensure accurate keypunching.
- Segregation of duties, well defined job descriptions and standards
- Job rotation, enforced vacations, etc., to reduce chances of long-term embezzlement schemes
- Employee screening and training programs
- Drug testing of employees and applicants
Preventive controls are subject to breakdown, with the biggest cause being individual circumvention. Sometimes it is malicious and sometimes it is well intentioned (we can get from one department to another easier if we prop the locked doors open, for example, or I can cut my data entry time by a third if I dummy my batch totals). In some companies physical controls are widely ignored – most major thefts of inventory happen in front of other employees who either assume that the thief is acting properly, or do not want to get involved.
Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits. Some Examples are:
- Enforcement of job descriptions and standards to keep employees acting as expected
- Supervisory review and sign-off of accounting work, expense reports, commission statements, payroll data, etc.
- Cycle counts of inventory
- Surprise cash counts
- Management review and approval of account write-offs
- Review of monitoring information and reports to ensure that controls are functioning as planned
- Exception reporting and resolution to highlight out-of-the-norm items
- internal audit
- Supervisory peer review
Comparison of actual results to budgeted or forecasted results
Detective controls tend to be less expensive and more reliable than the preventive controls discussed earlier, because they can often be applied over a large number of transactions in a short time.
If detective controls review less than 100 percent of a certain activity, their review has to be somewhat random. If cash drawers are “surprise” counted by management Mondays, Wednesdays, and Fridays (60 percent of all work days), the counts are predictable and cash skimming will most likely occur during the other days of the week. Random counts would tend to deter skimming because they are unpredictable.
Since fraud perpetrators either ignore or compromise the preventive controls in place, it is imperative that management perform its supervisory and monitoring functions. Do not be afraid to manage – people generally want and need both direction and feedback in order to feel satisfied with their work.
Like preventive controls, detective controls are also subject to breakdown. To minimize the chance of both types of control breaking down, it is important to design the controls so that they do not get subverted – control the right thing and make the control easy to follow, implement, monitor, and reinforce. Implement the control properly, monitor and evaluate any feedback related to the control, and whenever possible, tie controls to incentive systems.
Both types of controls are essential to an effective internal control system. From a quality
Point, preventive controls are essential because they are proactive and emphasize quality.
However, detective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems.