Types of Internal Controls
There are two basic categories of internal controls – preventive and detective. An effective internal control system will have both types, as each serves a different purpose. As you perform routine processes, or when you are thinking of implementing a new procedure or process, it is important to ask the following questions to help determine the appropriate control:
- What could go wrong?
- What steps have been taken to ensure that something does not go wrong?
- How can you verify that nothing went wrong?
The answers to these questions will enable you to better target the type of control that is needed.
Preventive controls aim to decrease the chance of errors and fraud before they occur, and often revolve around the concept of separation of duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on quality.
Examples of preventive controls include:
- Separation of duties
- Pre-approval of actions and transactions (such as a Travel Authorization)
- Access controls (such as passwords and Gatorlink authentication)
- Physical control over assets (i.e. locks on doors or a safe for cash/checks)
- Employee screening and training (such as the PRO3 Series to increase employee knowledge)
Detective controls are designed to find errors or problems after the transaction has occurred. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.
Examples of detective controls include:
- Monthly reconciliations of departmental transactions
- Review organizational performance (such as a budget-to-actual comparison to look for any unexpected differences)
- Physical inventories (such as a cash or inventory count)
01/31/2021: reviewed content
PRO303: Internal Controls at UF
University Controller’s Office: (352) 392-1321