Solid internal controls are essential for a healthy business. Before a company can select any controls, management should know which ones best address its challenges. There are three primary types of internal control “medicine” that business owners and managers can use to increase their operational efficiencies.
Preventive and Detective Controls
A preventive control mitigates the occurrence of errors or irregularities (picture an apple a day keeping the doctor away). For example, if the objective is to ensure accurate time, attendance, and payroll records, then a good preventive control might be to require supervisor approval of all employee attendance entries before they are processed in the system.
On the other end, a detective control identifies existing errors and irregularities to prompt corrective action (imagine an X-ray identifying an already broken bone). Processes such as internal audits, physical inventory counts, and monthly bank account reconciliations are all examples of detective controls.
In the best cases, preventive and detective controls work hand in hand. For example, acceptable-use policies and access controls protect access to valuable customer data and accounting information. Simultaneously, the creation of computer usage logs and monitoring through regular audits might detect any unusual activity that has previously occurred.
Another type of internal control is a mitigating control, which includes procedures that can help reduce risk. For example, if an organization is too small to properly segregate duties, then it can establish mitigating controls such as detailed transaction reviews, after-the-fact approvals, and surprise checks to reduce the risk in the affected area.
Manual, Automated, and IT-Dependent Controls
Each of the above controls can be manual, automated, or IT-dependent. Manual controls require human action, such as two signatures on a check. Automated controls monitor routine processes without human action. For example, accounting software may be programmed to deny an accounts payable invoice if the original vendor invoice, purchase order, and record of receipt are not all provided. IT-dependent controls require a combination of automated processing and human interaction. For instance, the automated denial of an accounts payable invoice may be captured in an exception report that allows a human to correct data entry or other issues so that the erroneous invoice can be re-processed through the system.
The Right Types of Internal Controls Could Lead to a Bright Prognosis
Implementing the right types of internal controls increases the likelihood of a positive prognosis for your company’s health. Assess your organization’s current needs and goals to determine which controls will work best for you. Contact CRI if you would like us to assist you in diagnosing your business’s operational condition.