An internal control is a process that is used to safeguard the assets of an organization. Assets can include systems, data, people, hardware, or the reputation of the organization. Internal controls help in achieving the objectives of the organization by mitigating various risks.
Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks. Internal controls provide reasonable assurance to management about the achievement of business objectives. Through internal controls, risk events are prevented or detected, and corrected.
Top management is responsible for implementing a culture that supports efficient and effective internal control processes.
Effective controls in an organization can be categorized into the following types:
Let’s discuss the control types in detail.
Preventive controls
Preventive controls are designed to be implemented in such a way that prevents a threat event and thus avoids any potential impact of that threat event.
Examples of preventive controls include the following:
- The use of qualified personnel
- The segregation of duties
- The use of SOPs to prevent errors
- Transaction authorization procedures
- Edit checks
- Access control procedures
- Firewalls
- Physical barriers
Detective controls
Detective controls are designed to detect a threat event once that event has occurred. Detective controls aim to reduce the impact of such events.
Examples of detective controls include the following:
- Internal audits and other reviews
- Log monitoring
- Checkpoints in production jobs
- Echo controls in telecommunications
- Error messages over tape labels
- Variance analysis
- Quality assurance
Corrective controls
Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to normal operations.
Examples of corrective controls include the following:
- Business continuity planning
- Disaster recovery planning
- Incident response planning
- Backup procedures
Deterrent controls
The purpose of a deterrent control is to give a warning signal to deter a threat event.
Examples of deterrent controls include the following:
- CCTV cameras or “under surveillance” signs
- Warning signs
The difference between preventive and deterrent controls
For the CISA exam, it is important to understand the difference between preventive and deterrent controls. When a preventive control is implemented, an intruder is prevented from performing an act. They do not have a choice in whether or not to perform the act.
When a deterrent control is implemented, the intruder is being given a warning. Here, the intruder has a choice: either to act as per the warning or ignore the warning.
A locked door to a room is a preventive control. Intruders cannot go through the door. On the other hand, just a warning sign that says “No Entry” is a deterrent control. Intruders can ignore the warning and enter the room.
Apart from the controls we have covered thus far, CISA candidates should also understand compensating controls. It should be noted that the absence of one control can be compensated for by having another strong control.
Compensating controls
Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.
For example, in small organizations, the segregation of duties may not always be feasible. In such cases, compensating controls such as reviews of logs should be implemented.
Similarly, some organizations may prefer to have alternate security measures in place of encryption.
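The log review mentioned above for small organizations, as an added example that is not part of the original text: it flags transactions where the user who created an entry also approved or released it, which is what a reviewer looks for when duties cannot be segregated. The log format (txn_id, action, user, amount), the action names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of a payment audit log (hypothetical format, not from the text).
SAMPLE_LOG = """\
txn_id,action,user,amount
T1001,create,alice,1200.00
T1001,approve,bob,1200.00
T1002,create,carol,560.00
T1002,approve,carol,560.00
T1003,create,bob,89.90
T1004,create,alice,4300.00
T1004,approve,alice,4300.00
T1004,release,alice,4300.00
"""

# Steps that should be performed by someone other than the creator (assumed names).
CONFLICTING_STEPS = ("approve", "release")


def review_log(log_text):
    """Return (txn_id, user, conflict) for each duty conflict found in the log."""
    actors = {}  # txn_id -> {action: set of users who performed it}
    for row in csv.DictReader(io.StringIO(log_text)):
        by_action = actors.setdefault(row["txn_id"], {})
        by_action.setdefault(row["action"], set()).add(row["user"])

    findings = []
    for txn_id, by_action in sorted(actors.items()):
        creators = by_action.get("create", set())
        for step in CONFLICTING_STEPS:
            # A creator who also performed a later step bypassed segregation of duties.
            for user in sorted(creators & by_action.get(step, set())):
                findings.append((txn_id, user, f"create+{step}"))
    return findings


if __name__ == "__main__":
    for txn_id, user, conflict in review_log(SAMPLE_LOG):
        print(f"REVIEW {txn_id}: {user} performed {conflict}")
```

The review is detective in nature: it does not stop the conflicting action, so it only compensates for the missing segregation of duties if someone independent of the flagged users reads the findings.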
Control objectives
A control objective is a reason why a control is implemented. Control objectives are linked to business objectives.
A control objective generally addresses the following:
- The effectiveness and efficiency of operational processes. For example, preventive controls attempt to prevent invalid transactions from being processed and assets from being misappropriated. However, detective controls have the objective of detecting errors or fraud that could result in the misstatement of financial statements.
- Adherence to regulatory requirements.
- The protection of assets.
It is advisable to document objectives for each and every control. Periodic reviews and monitoring of controls are required to validate results against these objectives.
Control measures
Control measures are implemented to achieve control objectives. Control measures are activities that are taken to prevent, eliminate, or minimize the risk of threat occurrence.
Key aspects from CISA exam perspective
The following table covers the important aspects from a CISA exam perspective:
| CISA questions | Possible answer |
| --- | --- |
| Segregation of duties is an example of which type of control? | Preventive control |
| Controls that enable a risk or deficiency to be corrected before a loss occurs are known as what? | Corrective control |
| Controls that directly mitigate a risk or lack of controls directly acting upon a risk are known as what? | Compensating control |
Self-evaluation questions
- Controls that are designed to prevent omissions, errors, or negative acts from occurring are which kind of controls?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
- What are controls that are put in place to indicate or detect an error?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Deterrent controls
- Which of the following is the segregation of duties an example of?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- What is the process of using well-designed documentation to prevent errors an example of?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- What kind of control is a control that enables a deficiency or another irregularity to be corrected before a loss occurs?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- Utilizing the services of only qualified resources is an example of:
  - Preventive control
  - Detective control
  - Corrective control
  - Internal control
- A check subroutine that identifies an error and makes a correction before enabling the process to continue is an example of what kind of control?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- Barriers or warning signs are examples of what kind of control?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- An “echo” message in a telecommunications protocol is an example of what kind of control?
  - Preventive control
  - Detective control
  - Corrective control
  - Compensating control
- Checkpoints in a production job are examples of what kind of control?
  - Preventive control
  - Detective control
  - Corrective control
  - Compensating control
- Controls that minimize the impact of a threat are what kind of controls?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
- Controls that remedy problems observed by means of detective controls are what kind of controls?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
- Controls that indirectly address a risk or address the absence of controls that would otherwise directly act upon that risk are what kind of controls?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
- Controls that predict potential problems before their occurrence are what kind of controls?
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
- The requirement of biometric access for physical facilities is an example of what kind of control?
  - Preventive control
  - Detective control
  - Corrective control
  - Deterrent control
- Which of the following risks represents a process failure to detect a serious error?
  - Detective risk
  - Inherent risk
  - Sampling risk
  - Control risk
- Which of the following statements best describes detective controls and corrective controls?
  - Both controls can prevent the occurrence of errors
  - Detective controls are used to avoid financial loss and corrective controls are used to avoid operational risks
  - Detective controls are used as a deterrent check and corrective controls are used to make management aware that an error has occurred
  - Detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs
- Why are control objectives defined in an audit program?
  - To give the auditor an overview for control testing
  - To restrict the auditor to testing only documented controls
  - To prevent management from altering the scope of the audit
  - To help the auditor to plan for the resource requirements