Preventive and Detective Control Activities

Approvals, Authorizations, and Verifications (Preventive). Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters.  In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees.  A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.

Reconciliations (Detective). An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.

Reviews of Performance (Detective). Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.

Security of Assets (Preventive and Detective). Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.

Segregation of Duties (Preventive). Duties are segregated among different people to reduce the risk of error or inappropriate action.  Normally, responsibilities for authorizing transactions, recording transactions (accounting), and handling the related asset (custody) are divided.

Controls over Information Systems (Preventive and Detective). Controls over information systems are grouped into two broad categories-general controls and application controls.  General controls commonly include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.  Application controls such as computer matching and edit checks are programmed steps within application software; they are designed to help ensure the completeness and accuracy of transaction processing, authorization, and validity.  General controls are needed to support the functioning of application controls; both are needed to ensure complete and accurate information processing.