Preventative and Detective Controls 461
JLC last edited by
I am looking at the General IT Controls and we are having discussions about whether there is a need in this area to identify whether the controls are preventative or detective. There is a view from the auditors that we have to but our General SOX people say that we do not need to and that if we do this may be used by the auditors to get us to identify more controls to balance the preventative/detective numbers. The identification of which one I do not see as a big deal but if then generates additional audit attention then it may well be worth fighting against. Has anyone had any comments/experiences about this?
holger last edited by
In order to accurately identify internal controls over financial reporting, management must understand the different types of internal controls that may exist within a company.
Broadly, internal controls are either system-based or people-based. Within these broad categories, internal controls over financial reporting can include any procedures used and relied on by management to:
-and-#61550; Prevent material misstatements, whether caused by error or fraud, from occurring during transaction processing, or;
-and-#61550; Detect and correct on a timely basis material financial misstatements that may occur in processing transactions.
As a consequence, controls can be categorized on the basis of the following dimensions:
-and-#61550; Preventive Controls Controls, both manual and automated, designed to prevent an error or fraud. An example preventive control could be up-front system edits that will not allow or permit a claim payment to be processed until the claim is associated with a policy number within the system. The types of controls which usually are categorized as preventive include Authorization, Segregation of Duties and System Access.
-and-#61550; Detective Controls Controls, both manual and automated, that are designed to detect and correct errors or fraud. An example of a detective control is monthly bank reconciliation. The types of controls which usually are categorized as detective include Exception reports, Key Performance Indicators, Management Review, and Reconciliation controls.
Preventive and detective controls can reside both inside and outside of the IT-system environment. Management must identify and evaluate both if determined that these particular controls are key in mitigating significant financial misstatement risk.