What are the 3 Types of Internal Controls?

Published January 7, 2020 • 2 min read

There are three main types of internal controls: detective, preventative, and corrective. Controls are typically policies and procedures or technical safeguards that are implemented to prevent problems and protect the assets of an organization. 

Every organization faces threats that can harm it and lead to the loss of assets. From innocent but costly mistakes to deliberate fraud, risk is present in every business. Whatever the cause, controls need to be established to avoid or minimize loss to the organization.

These controls also have limitations, which is why ongoing review and monitoring of the control system is essential.

What are detective internal controls?

Detective internal controls operate after the fact: they identify errors, irregularities, or incidents that have already occurred, whether by accident or by intent. Think of Sherlock Holmes walking onto the scene of an event and trying to piece together what happened.

  • What caused the event to occur? 
  • What process failed that allowed the event to occur?
  • Is there a policy that can be implemented to keep the event from happening again in the future? 

Some examples of detective controls are internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventories. On the technical side, log review and intrusion detection alerts play the same role: they do not stop the event, they tell you it happened.

What are preventative internal controls?

Preventative internal controls are put in place to stop a negative event from occurring. For example, most applications have built-in input validation that rejects or flags incorrect information before it is recorded. Preventative controls can also be physical, or administrative, such as the segregation of duties that companies routinely enforce.

Assigning one person to write checks and a different staff member to authorize the payments is segregation of duties, an administrative preventative control: no single person can both create and approve a transaction. Video surveillance, or security guards at entry points who verify ID credentials and restrict access, are examples of physical safeguards.

Training programs, drug testing, and firewalls are all preventative internal controls that reduce the chance of asset loss or an undesirable event. Computer and server backups are often listed alongside them, but strictly speaking a backup is a corrective (recovery) control: it does not stop data from being lost, it lets you restore it afterwards.
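The two ideas above that translate directly into software, input validation and segregation of duties, and the reconciliation named among the detective controls earlier, can be shown together in a small payment workflow. This is an added example written for this page, not code from the original article; the class names, the policy limit, the user names and the bank statement entries are all constructed for illustration.

```python
"""Toy payment workflow that enforces internal controls in code.

Constructed example. The class and function names, the policy limit and the
sample transactions are assumptions made for illustration, not any real
product's API or the page's own material.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PAYMENT = 50_000.00  # assumed policy limit for a single payment


class ControlViolation(Exception):
    """Raised when a preventative control blocks an action."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    payee: str
    requested_by: str
    approved_by: Optional[str] = None


class PaymentLedger:
    """Preventative controls: input validation plus segregation of duties."""

    def __init__(self) -> None:
        self.payments: Dict[str, Payment] = {}

    def request(self, payment_id: str, amount: float, payee: str,
                requested_by: str) -> Payment:
        # Input validation: refuse bad data before it enters the ledger.
        if isinstance(amount, bool) or not isinstance(amount, (int, float)):
            raise ControlViolation(f"{payment_id}: amount must be a number")
        if amount <= 0 or amount > MAX_PAYMENT:
            raise ControlViolation(f"{payment_id}: amount outside policy range")
        if not payee.strip():
            raise ControlViolation(f"{payment_id}: payee is required")
        if payment_id in self.payments:
            raise ControlViolation(f"{payment_id}: duplicate payment id")
        payment = Payment(payment_id, float(amount), payee, requested_by)
        self.payments[payment_id] = payment
        return payment

    def approve(self, payment_id: str, approver: str) -> Payment:
        # Segregation of duties: whoever requested a payment cannot approve it.
        payment = self.payments[payment_id]
        if approver == payment.requested_by:
            raise ControlViolation(
                f"{payment_id}: {approver} requested this payment and may not approve it")
        if payment.approved_by is not None:
            raise ControlViolation(f"{payment_id}: already approved")
        payment.approved_by = approver
        return payment

    def approved(self) -> List[Payment]:
        return [p for p in self.payments.values() if p.approved_by is not None]


def reconcile(ledger: PaymentLedger,
              bank_entries: List[Tuple[str, float]]) -> Dict[str, List[str]]:
    """Detective control: reconcile approved payments against the bank statement.

    Runs after the fact and reports what the preventative controls did not
    catch: disbursements with no approved payment, approved payments that
    never left the account, and amounts that differ (e.g. a duplicate run).
    """
    approved = {p.payment_id: p.amount for p in ledger.approved()}
    bank: Dict[str, float] = {}
    for payment_id, amount in bank_entries:
        bank[payment_id] = bank.get(payment_id, 0.0) + amount
    return {
        "unapproved": sorted(pid for pid in bank if pid not in approved),
        "not_disbursed": sorted(pid for pid in approved if pid not in bank),
        "amount_mismatch": sorted(
            pid for pid in approved
            if pid in bank and abs(bank[pid] - approved[pid]) > 0.005),
    }


def demo() -> Tuple[bool, Dict[str, List[str]]]:
    """Runs both controls over constructed sample data."""
    ledger = PaymentLedger()
    ledger.request("P-1", 1200.00, "Acme Supplies", requested_by="alice")
    ledger.approve("P-1", approver="bob")
    ledger.request("P-2", 800.00, "Widget Co", requested_by="alice")
    self_approval_blocked = False
    try:
        ledger.approve("P-2", approver="alice")  # requester approving herself
    except ControlViolation:
        self_approval_blocked = True
    ledger.approve("P-2", approver="carol")
    # Constructed bank statement: P-2 was disbursed twice, P-9 was never requested.
    bank = [("P-1", 1200.00), ("P-2", 800.00), ("P-2", 800.00), ("P-9", 300.00)]
    return self_approval_blocked, reconcile(ledger, bank)


if __name__ == "__main__":
    blocked, findings = demo()
    print("self-approval blocked:", blocked)
    print("reconciliation findings:", findings)
```

The preventative checks in `request` and `approve` refuse the bad action outright, while `reconcile` can only report that P-2 went out twice and that P-9 was paid without ever being approved; the follow-up (reversing the duplicate, finding out who issued P-9, changing the process) is the corrective control discussed in the next section.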

What are corrective internal controls?

Corrective internal controls are typically put in place after a detective control has uncovered a problem. They can include disciplinary action, incident reports, software patches or configuration changes, and new policies prohibiting practices such as employee tailgating. They are usually introduced only after the root cause of the problem has been established, so that the fix addresses why the event happened and not just its symptoms.

Limitations of internal controls

Unfortunately, processes and control activities are not perfect, and mistakes and problems will be found. An ongoing review and analysis of the internal controls should be part of any organization’s regular processes. 

When a problem occurs, it should be documented and reviewed by those who can take the corrective actions discussed above and improve the system. There will always be limitations where humans are involved. People make mistakes and will often find weaknesses in the control procedures, whether by accident or with intent: two people can collude to defeat segregation of duties, and a manager can override a control that is supposed to bind them. It is important to keep this in mind when designing and relying on internal controls.

Read more about internal control systems and the COSO Framework.  To learn more about cybersecurity and other technical controls, read the FAQ related to information security controls.
