In order to accurately identify internal controls over financial reporting, management must understand the different types of internal controls that may exist within a company.
Broadly, internal controls are either system-based or people-based. Within these broad categories, internal controls over financial reporting can include any procedures used and relied on by management to:
- Prevent material misstatements, whether caused by error or fraud, from occurring during transaction processing; or
- Detect and correct on a timely basis material financial misstatements that may occur in processing transactions.
As a consequence, controls can be categorized on the basis of the following dimensions:
- Preventive Controls: Controls, both manual and automated, designed to prevent an error or fraud. An example preventive control could be up-front system edits that will not allow or permit a claim payment to be processed until the claim is associated with a policy number within the system. The types of controls which usually are categorized as preventive include Authorization, Segregation of Duties and System Access.
- Detective Controls: Controls, both manual and automated, that are designed to detect and correct errors or fraud. An example of a detective control is monthly bank reconciliation. The types of controls which usually are categorized as detective include Exception reports, Key Performance Indicators, Management Review, and Reconciliation controls.
Preventive and detective controls can reside both inside and outside of the IT-system environment. Management must identify and evaluate both if it determines that these particular controls are key in mitigating significant financial misstatement risk.