🔐 Internal Controls & Risk Management
Preventive · Detective · Repressive (Corrective)
🛡️ In the world of internal controls and risk management, the framework is typically divided into three chronological layers.
Think of them as a security system: one locks the door, one sounds the alarm, and one puts out the fire.
1. Preventive Controls
Goal: To stop an error or irregularity before it happens. These are proactive and represent the first line of defense.
Characteristics: Passive (they exist as a barrier), automated or manual, and usually the most cost-effective because they avoid the "cost of error."
📌 Examples:
- Segregation of Duties: Ensuring the person who authorizes a payment isn't the same person who signs the check.
- Physical Security: Using keycards, passwords, or biometrics to restrict access.
- Approval Levels: Requiring a manager’s signature for any purchase over $5,000.
- Data Validation: A system that prevents a user from entering a date in the future or a negative price.
2. Detective Controls
Goal: To identify an error or irregularity after it has occurred. No system is perfect; detective controls act as a safety net for when preventive controls fail.
Characteristics: Active (they require someone to look or a process to run) and retrospective.
📌 Examples:
- Reconciliations: Comparing bank statements to internal accounting records to find discrepancies.
- Internal Audits: Periodically reviewing department logs to ensure rules were followed.
- Inventory Counts: Physically counting stock to see if it matches the digital record (detecting theft or loss).
- Variance Analysis: Noticing that the electricity bill is 30% higher than expected and investigating why.
3. Repressive (Corrective) Controls
Goal: To minimize the impact of a detected error and restore the system to its normal state. In some frameworks, these are called Corrective Controls.
Characteristics: Reactive and focused on "fixing" and "learning."
📌 Examples:
- Backups & Disaster Recovery: Restoring data after a system crash.
- Disciplinary Action: Terminating an employee found committing fraud to prevent recurrence.
- Insurance: Filing a claim to recover financial losses after a fire or theft.
- System Patches: Updating software code after a vulnerability has been detected and exploited.
📊 Comparison Summary
| Control Type | Timing | Strategy | Example |
|---|---|---|---|
| Preventive | Before | Deterrence | Locking the safe |
| Detective | During/After | Discovery | Checking the security camera |
| Repressive (Corrective) | After | Recovery | Calling the police / Insurance claim |
💡 Why it matters: A mature internal control environment layers all three types — prevent errors where possible, detect what slips through, and correct swiftly to reduce damage. Each layer reinforces the others.
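As an added illustration (constructed for this post, not code from the original), the three layers modelled around the payment examples above: a preventive gate that enforces data validation, segregation of duties and the $5,000 approval level; a detective reconciliation of the internal ledger against the bank statement; and a corrective step that proposes a remediation for each discrepancy. The `Payment` fields, the sample payments, and the ledger/bank figures are all assumed for the example.

```python
from dataclasses import dataclass
APPROVAL_THRESHOLD = 5_000  # manager sign-off required above this amount (the post's example)

@dataclass
class Payment:
    pid: str
    amount: float
    authorized_by: str
    signed_by: str
    manager_approved: bool = False

def preventive_check(p: Payment) -> list[str]:
    """Preventive layer: block a bad payment before it enters the ledger."""
    issues = []
    if p.amount <= 0:  # data validation
        issues.append("data validation: amount must be positive")
    if p.authorized_by == p.signed_by:  # segregation of duties
        issues.append("segregation of duties: authorizer may not also sign")
    if p.amount > APPROVAL_THRESHOLD and not p.manager_approved:  # approval level
        issues.append("approval level: manager approval required above $5,000")
    return issues

def reconcile(ledger: dict, bank: dict) -> dict:
    """Detective layer: compare internal records with the bank statement, after the fact."""
    return {pid: (ledger.get(pid), bank.get(pid))
            for pid in set(ledger) | set(bank) if ledger.get(pid) != bank.get(pid)}

def corrective_actions(diffs: dict) -> list[str]:
    """Corrective layer: one remediation step per discrepancy the detective layer found."""
    actions = []
    for pid, (internal, cleared) in sorted(diffs.items()):
        if internal is None:
            actions.append(f"{pid}: unrecorded bank debit; freeze account and investigate")
        elif cleared is None:
            actions.append(f"{pid}: recorded but never cleared; void and re-issue")
        else:
            actions.append(f"{pid}: amount mismatch; correct ledger and review approval trail")
    return actions

# Constructed sample data (not from the original post).
PAYMENTS = [Payment("P1", 1_200.0, "alice", "bob"),     # passes all checks
            Payment("P2", 7_500.0, "alice", "bob"),     # no manager approval above $5,000
            Payment("P3", 300.0, "carol", "carol"),     # same person authorizes and signs
            Payment("P4", -50.0, "alice", "bob")]       # negative amount
LEDGER = {"P1": 1_200.0, "P5": 900.0}   # P5 was recorded but never cleared the bank
BANK = {"P1": 1_200.0, "P6": 4_400.0}   # P6 cleared the bank but nobody recorded it
def run_controls():
    rejected = {p.pid: preventive_check(p) for p in PAYMENTS if preventive_check(p)}
    diffs = reconcile(LEDGER, BANK)
    return rejected, diffs, corrective_actions(diffs)
```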
```mermaid
graph TD
    %% Define main nodes
    Threat[("THREAT (e.g., Data Breach)")]
    Asset[("PROTECTED ASSET (e.g., Company Data)")]

    %% Define control blocks
    subgraph Framework [Controls Framework]
        subgraph Layer1 [1. PREVENTIVE CONTROLS - Passive]
            direction TB
            P1[Segregation of Duties]
            P2[System Passwords]
            P3[Physical Locks]
        end
        subgraph Layer2 [2. DETECTIVE CONTROLS - Active]
            direction TB
            D1[Bank Reconciliation]
            D2[Security Audits]
            D3[Variance Alert]
        end
        subgraph Layer3 [3. REPRESSIVE CONTROLS - Reactive]
            direction TB
            C1[Disaster Recovery / Backups]
            C2[Incident Response Team]
            C3[System Patching]
        end
    end

    %% Define paths
    Threat -->|Attempts to Bypass| Layer1
    Layer1 -.->|1a. Deterrence Successful| Threat
    Layer1 -->|1b. Control Failed/Bypassed| Layer2
    Layer2 -.->|2a. Alert Triggered| Layer3
    Layer3 -->|3a. Restoration Successful| Asset
    Layer2 ==>|2b. Undetected / Major Breach| Asset

    %% Styling
    classDef stop fill:#f8d7da,stroke:#842029,stroke-width:2px,color:#842029;
    classDef alert fill:#fff3cd,stroke:#664d03,stroke-width:2px,color:#664d03;
    classDef fix fill:#cfe2f3,stroke:#084298,stroke-width:2px,color:#084298;
    classDef asset fill:#d1e7dd,stroke:#0f5132,stroke-width:2px,stroke-dasharray: 5 5;
    classDef threat fill:#e2e3e5,stroke:#383d41,stroke-width:2px;
    class Layer1,P1,P2,P3 stop;
    class Layer2,D1,D2,D3 alert;
    class Layer3,C1,C2,C3 fix;
    class Asset asset;
    class Threat threat;
```