Types of Internal Controls

Types of controls

Controls are a repeatable activity that, when designed and working effectively, maintain the level of risk at an acceptable level. However, when a control is not designed or operating effectively, the level of risk will increase. Accordingly, all the controls discussed in this course need to be reviewed and assessed on a regular basis to ensure that they (a) continue to address the relevant risks, and (b) are operating effectively. If necessary, existing controls may need to be modified or additional controls implemented to address new risks as they are identified.

Not all controls are equal. They have different strengths and operate on different parts of the identified risk. Some controls prevent the root causes from happening, whereas others reduce the consequence(s) once the event has occurred. Three types of controls are widely used — preventive, deterrent, and detective. All these controls have some automation capabilities and have detailed processes.

Control activities are applied at various points, both organizationally and operationally. Preventive and deterrent controls are usually more effective if applied at lower organizational levels and early in business processes. The timing for a preventive control occurs before the initial occurrence. For example, a fraudulent transaction is not approved or completed because of a preventive control activity. In the case of a fraudulent disbursement, organizations want to avoid the time, expense, and uncertainty of pursuing funds that have already “gone out the door.”

Ideally, preventive and deterrent controls will eliminate or minimize the opportunity for unauthorized transactions to be entered or processed by the accounting system before they can be reflected as a misstatement in the financial statements of the entity. In contrast, a detective control identifies a fraudulent event or transaction after its occurrence. A key element of this timing is that the detective control identifies the fraudulent event or transaction in a timely manner (that is, before the fraud or frauds become material, either individually or in the aggregate, to the point that they distort the financial statements). Therefore, there can be varying times throughout the business process at which controls can be established to address such events.

See the Internal Control Charts appendix (see attachments) for additional information.

Preventative controls

Preventative controls act to nullify the root cause and therefore prevent the opportunity of the event occurring. These are often the strongest controls. Common preventative controls include segregation of duties and IT passwords, mandatory reconciliations of critical accounts, existence of an organizational code of conduct, training and awareness programs, and a well-documented and openly communicated anonymous tip hotline or whistleblower program.

Entity-level preventative controls include how management communicates its values for behavior and ethical conduct, hiring, promoting and retaining appropriate and qualified employees, incident response programs, investigative processes, and enforcing disciplinary guidelines for violations of these policies.

A fraud preventive control is often (but not always) visible and generally known to employees or those with whom the organization interacts. Examples of such overt control activities include establishing procurement procedures and supervisory and managerial approval requirements. Preventive controls may be more successful if they remain unknown or are covert control activities. A covert control activity is a control activity that is not readily apparent to employees or those with whom the organization interacts (for example, data analytics designed to identify anomalous and potentially fraudulent transactions and prevent them from being processed).

Fraud prevention is the most proactive measure. It is the most visible of the three types of controls and is intended to raise the fraud awareness of the employees, customers, vendors, and other parties that interact with an organization and features controls that are designed to stop potential bad actors from violating organizational rules and requirements. The ongoing success of any fraud prevention program depends on its continuous communication and reinforcement. Stressing the existence of a fraud prevention program through a wide variety of media gets the message out that the organization is committed to preventing and deterring fraud.

Fraud preventive controls can be divided into the following two areas:

Transaction control activities — Control activities address transaction processing risks in an organization’s business processes. Such control activities include performing edit, completeness, and reasonableness checks; establishing procurement procedures; emphasizing documentation requirements; and establishing supervisory and managerial approval requirements. Transaction controls can be manual or automated and likely cover the information-processing objectives of completeness, accuracy, and validity. Logical access controls — Access controls are related to an organization’s use of technology and information systems environment(s). This means that an employee’s level of access to specific information system (for example, the ability to view, edit, delete, or create data records) or whether or not the employee is allowed access at all, is based on his/her position in the company, roles and responsibilities, and other approvals. In short, the “right of access” is predicated on the assumption that only those that have a “need to know” should have the access to know. Requiring more senior personnel to approve transactions above specified dollar thresholds can prevent unauthorized purchases from favored or related-party vendors. However, such controls also can lead motivated individuals to engage in purchase-splitting (that is, dividing an above-the-threshold-limit purchase into smaller amounts to avoid the higher-level approval controls). Recognizing this, the organization can implement data analytic controls, such as stratifying the contract amount to identify patterns of payment activities just below a certain dollar threshold, or analyzing total spend by vendor against historical amounts, contracts outstanding, or other relevant metrics.

Deterrent controls

Deterrent controls send a message that activities and transactions are monitored and that the company is committed to identify and discipline any employee, customer, or vendor who attempts to commit fraud or otherwise obtain an unfair advantage over the company to their benefit. A deterrent control discourages violation of policies that would otherwise enable a bad actor to misappropriate assets, misstate financial records, or similarly take unfair advantage of the organization. Deterrent and preventive controls are similar. However, deterrent controls are intended to direct individuals not to take an unwanted action. Preventive controls, on the other hand, actually blocks the action. Examples of deterrent controls include the existence of a robust internal audit department, anti-fraud policies, fraud awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

There is a bit of folklore that says:

“Locks don’t keep robbers from stealing. Locks keep honest people from making mistakes.”

The logic behind this statement is that if a potential bad actor is tempted to defraud a company, the existence of overt controls (such as transaction monitoring software, surveillance cameras, key card access controls, and other warning type controls) will suggest a high probability of being detected and apprehended. These controls, coupled with the company’s communicated commitment to investigating all breaches of the code of conduct, implementing disciplinary measures, and making referrals to law enforcement, are intended to dissuade the fraudster from committing the act in the first place.

Entity-level deterrent controls in Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, include the following:

Active oversight by the board of directors and/or audit committee relating to management’s involvement in the financial reporting process and any possibilities of overrides of internal controls, having a documented policy of how fraud allegations will be investigated resolved, a well-publicized “zero tolerance” policy for incidents of fraud or other violations of the code of conduct, fraud risk assessment, code of conduct confirmation or affirmation process, and processes to receive, retain, and treat complaints of fraud or unethical conduct Internal and external audit functions Evaluation of adequacy / effectiveness of internal controls Disciplinary examples of violations of the code of conduct, including referrals to law enforcement and mandatory restitution.

Detective controls

A fraud detective control is a control activity designed to identify a fraudulent event or transaction after the transaction has occurred. Such control activities are specific processes and procedures designed to identify attempted or existing frauds in a timely manner, thereby limiting the effects of any fraud that circumvents the organization’s preventive controls. Although some detective controls are visible to selected employees who are responsible for them, these controls are usually most successful if they remain unknown or are covert control activities. They will often lead to corrective action being taken.

Entity-level detective controls in SAS No. 99 include the following.

Fraud risk assessments to identify and measure fraud risk Processes and procedures to mitigate identified fraud risks resulting from the risk assessments Effective internal controls at entity and process levels that can identify misstatements resulting from fraudulent transactions Ongoing monitoring activities, including error and exception reports Computer-assisted audit techniques that facilitate identifying trends and anomalies in accounting data and ongoing data analytics Highly-visible monitoring processes Investigation of the following: Internal control weaknesses or breaches of accounting policies and procedures Nonresponse to employee, customer, or vendor confirmation or affirmation of the relevant code of conduct or ethics or performance agreements Reported issues received through the whistleblower hotline Having fraud detective control activities in place and visible is also one of the most effective deterrents to fraudulent behavior. As with preventive controls, it is important that the organization assess and continuously monitor its detective controls to determine that fraud detection techniques are present and functioning. Also, through detective controls, management gains a better understanding of the organization’s fraud risks, which will assist in strengthening preventive controls.

Although preventive controls are often apparent and readily identifiable by employees, third parties, and others, specific detective controls are often covert in nature. The general knowledge within the organization that detective controls are present and functioning can serve as a strong fraud deterrent. Access to knowledge regarding the exact nature and specific design of detective controls is carefully controlled. Detective controls operate in the background. They are not evident in the everyday business environment and usually would occur in the ordinary course of business.