Internal Controls: To Prevent or Detect?

6/27/2017

An effective internal control system is essential to an organization to achieve its strategic, operational, compliance, and reporting goals. Most important, an effective internal control system is necessary to mitigate the risk of fraud. Evaluating your current internal control structure and considering the effectiveness of its preventive and detective controls on an ongoing basis can help to ensure that your organization’s processes are functioning properly; thus saving costs in the long-term.


There are several components to establishing an effective internal control environment, one of the most significant being the control activities component. Control activities are actions established through policies and procedures to help ensure that management directives to mitigate risks and achieve organizational objectives are carried out. Implementing two types of control activities, preventive and detective controls, can assist with avoiding and detecting errors and fraud in transactions, resulting is more accurate financial reports and the achievement of management’s objectives.


Preventive Controls: are designed to avoid errors or fraud in transactions before they occur. In other words, preventive controls attempt to prevent invalid transactions from being processed and assets from being misappropriated. Although controls should be tailored to an organization’s specific environment, a common example of an effective preventive control is the segregation of duties. The responsibilities of authorizing transactions, recording transactions, reviewing transactions, and maintaining custody of the asset should all be performed by different individuals. Below are examples of preventive controls:


  • Segregation of duties.
  • Pre-approval of actions and transactions.
  • Physical control over assets (i.e. locks).
  • Computer passwords and access controls.
  • Employee screening and training.


Detective Controls: are designed to find errors or fraud in transactions after they have occurred (already been processed) and identify missing assets or invalid transactions. Although at first glance preventive controls appear more beneficial, it is necessary to install both types of control activities. Detective controls have the objective of detecting errors or fraud that could result in a misstatement of the financial statements.  Detective controls are vital in determining if the preventive controls in place are functioning properly. Below are examples of detective controls:


  • Surprise cash counts.
  • Physical inventory counts.
  • Reconciliations.
  • Review organizational performance (i.e. budget to actual and current year to prior year).
  • Internal audit.


Designing appropriate and effective preventive and detective controls to confront your organization’s risks is crucial to a strong internal control system. If you’d like assistance in identifying your organization’s risks, evaluating your current internal control system, or implementing new control activities, please feel free to contact Kristi Yanover, Audit Partner, at (858) 558-9200.