To “prevent” or “detect”, that is the question…

Contributed by: Nancy A. Nasca, Senior Internal Auditor

What exactly is a control? The definition of “control” according to the Webster’s New World Dictionary is “to check or verify (payments, accounts, etc.) by comparison with a duplicate register.” It further defines control as the “ability to use effectively.” Both of these definitions are consistent with the meaning of an internal control in the context of internal auditing.

During an audit, the auditor reviews each process to determine what can go wrong, such as errors (inaccurate, incomplete, or untimely transactions) or the ability to commit fraud (e.g. misappropriation, theft). The auditor then evaluates whether there are adequate internal controls in place to reduce these risks. Once an auditor determines that adequate internal controls exist in a process, these controls are tested to evaluate their effectiveness and efficiency.

There are primarily two types of internal controls: preventive controls and detective controls. Preventive controls exist at the beginning of and/or occur during a transaction. These controls are designed to prevent an adverse situation (i.e. errors or fraud) from occurring. An example of a preventive control that occurs at the beginning of a process is an authorization for a transaction to take place, such as an authorized signature on an invoice payment form. The purpose of this control is to prevent unauthorized payments from occurring. An example of a preventive control that occurs during a process is the placement of restricted fields in a software program that only accept certain characters, such as numbers in a specific range. The purpose of this control is to prevent inaccurate transactions from occurring. Documented departmental policies and procedures and employee training are other good examples of preventive controls, since these procedures help to ensure that employees understand department operations, which results in fewer errors.

Detective controls occur subsequent to the completion of a transaction or process. The purpose of a detective control is to identify, after the fact, when an adverse situation has occurred. Monthly account reconciliations are an example of a detective control. The purpose of this control is to detect any unauthorized, inaccurate, incomplete or untimely transactions that occurred in the account during the month. Another example of a detective control is the monthly review of procurement card statements to detect unauthorized or inappropriate (non-compliant with RIT or department purchasing policies) purchases. Once identified, any errors or problems can be rectified or addressed, but to be effective, these controls need to be performed on a consistent and periodic basis.

You may think that preventive controls are more effective than detective controls since they prevent an error from occurring in the first place. In reality, no matter how well a process is controlled and the risks mitigated, there is always a chance that a control can break down and a mistake can be made. Therefore, detective controls are just as important as preventive controls, and in the end, a combination of strategically placed controls, both throughout and subsequent to a transaction, is the winning approach.

