The business environment's increasing complexity and global nature provide many opportunities and potential risks. As a business owner, you need to be aware of these risks to your company and the means available to prevent or combat them. For example, financial reporting is a known problem area, so setting up controls for accounting procedures is a common practice.
Fortunately, there are many internal control frameworks available. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a framework for designing, implementing, and evaluating internal controls. While the framework is not a legal requirement, it’s considered best practice and implemented by most companies in the US. Control activities are one of the five core components of the framework.
In this guide, you will learn about the three types of internal controls and see examples of each. You will also learn about the main benefits of using internal controls, as well as their limitations.
What are the 3 Types of Internal Controls?
Internal controls can be defined as a collection of safeguards, policies, and procedures designed to protect a business and its assets from potential problems and threats. There are three main types of internal controls, classified according to their purpose: preventative, detective, and corrective.
Ideally, your business should implement internal controls from each of these categories. Preventive controls are helpful in preventing threats and known problems, but they are not perfect. New threats constantly arise, especially in digital form, so detective and corrective measures are equally important.
In order for internal controls to be effective, each business needs to carry out an internal audit to assess risks. The types of threats companies need to consider vary according to many factors, including industry, business model, and company size. In the next section, you have definitions and common examples of each type of internal control.
Preventative Controls
Preventative controls are those measures that aim to prevent or avoid the problem altogether. Of course, it’s impossible to do this for all threats or potential problems. However, it’s certainly worth investing in available preventative controls. As mentioned above, your business will have specific needs, but there are some controls that are common to many types of businesses. For example, most companies have a variety of access controls that apply to different areas.
Access can be limited both physically and digitally. Password policies are a familiar form of access control that determine how complex the password should be and how often it should be changed. Access to valuable physical assets may require multiple forms of ID verification, special keys, and specific permissions within the system.
Another common preventative measure is the separation of duties. There are some duties that cannot be held by the same individual. For example, no individual employee should be able to authorize, execute, and record transactions.
Verifying expenses, authorizing invoices, and having custody of assets are duties that should be performed by different people to prevent or minimize threats. Employee screening is also commonly used as a preventative control in the recruitment process.
Examples of Preventative Controls
Examples of common preventative controls include security guards, firewalls, verification of IDs, data backups, training, and drug testing.
Detective Controls
Detective controls are those used to find existing problems.
Audits are a great example of detective controls, as they aim to detect irregularities or errors, whether intentional or not. While these should also be carried out if there is any reason to suspect problems, they should not be used only in response to threats. Audits need to be performed regularly since some problems are not likely to be discovered without them.
As mentioned above, audits are not limited to financial aspects, but it’s certainly an important area. Financial reporting and the preparation of financial statements are risk-prone areas, so most companies have multiple detective financial controls. Financial reports and statements need to be checked and verified, including the methods used to obtain the results.
Another important aspect of detective controls is reconciliations. These can be financial-account reconciliations - but can also apply to other areas where data sets need to be compared and reconciled. Physical inspections of inventory are also common to ensure that nothing is missing.
Examples of Detective Controls
Examples of common detective controls include internal audits and inspections, financial statements and reporting, physical inventories, and account reconciliations.
Corrective Controls
Corrective controls come into play when a problem or threat has been detected. These controls aim to correct the problem or discipline those responsible for it. Disciplinary actions vary greatly depending on the nature of the offense and the company’s policies but can include anything from fines to dismissal.
Other corrective controls include mechanisms that respond to specific circ*mstances. For instance, software patches designed to fix known issues, sprinkler systems that are activated when fire is detected, or systems that block access or transactions if irregular or suspicious activity is detected.
Examples of Corrective Controls
Examples of common corrective controls include disciplinary actions, blocking access or transactions when fraud is detected, fire-activated sprinkler systems, and software patches.
Benefits of Internal Controls
While no system is perfect, implementing internal controls provides many benefits. Below, you have a summary of some of the main benefits associated with internal controls.
- Early warning: preventative controls provide you with an early warning system to prevent errors or fraud, which can trigger detective or corrective measures.
- Avoid fines: internal audits and other detective controls can help you ensure compliance and avoid problems in external audits or inspections.
- Deterrent value: designing, implementing, and communicating a comprehensive set of internal controls can serve as a deterrent, particularly if disciplinary consequences are clear to all.
Limitations of Internal Controls
In addition to the benefits, it’s important to note the limitations of internal controls. Below, you have a summary of the main weaknesses or limitations associated with internal controls.
- Human error: even with excellent planning and the best intentions, there’s always the possibility of human error. If your internal controls rely on manual processes or the judgment of individuals, the chances of human error increase.
- Collusion: separation of duties ensures that no individual can easily perpetrate fraud. However, employees can collude in an attempt to defraud.
- The unknown: no matter how well you audit potential risks to your company, you can’t predict the future. In other words, you can’t anticipate every problem and every threat.
Conclusion
As you have seen, every company should implement some internal controls. While an internal control framework is not a legal requirement in itself, it can certainly help you with the external audits and inspections that are. Given the current nature of the business environment, you can’t be too careful when protecting your company. Ideally, you should implement some controls from each of the three types: preventative, detective, and corrective internal controls. Designing, implementing, and monitoring internal controls requires investing time and resources, but not having enough internal controls can turn out to be much more expensive.
You now know what internal controls are and the role they play in keeping your business safe. You know about the three types of internal controls, their purposes, and the benefits and limitations of implementing them.
