We discussed earlier why an organization needs risk management. The risks identified, apart from the residual risks the organization chooses to accept, need to be controlled, minimized, mitigated or prevented. This is where internal controls come in.
What are internal controls?
Internal controls are the policies, procedures, automated tools, practices and organizational structures which an entity devises to manage risks. They exist to give management reasonable assurance that the risks which could jeopardize the achievement of business objectives have been properly addressed.
Devising an effective internal control structure is the responsibility of the board of directors and senior management. When it comes to implementing internal controls, however, everyone in the organization has a role to play.
Internal controls can be either manual or automated. Automated internal controls are built into the software, e.g. access authorizations such as usernames and passwords. The main purpose of internal controls is to ensure the achievement of objectives and to reduce the likelihood of risks that might affect those objectives. Every control comes with a control objective, which states the purpose of having that control.
Types of Internal Controls
There are mainly three types of internal controls:
Preventive Controls: These are internal controls deployed to prevent an event that might affect the achievement of organizational objectives from happening in the first place. For example, access control in software ensures that only authorized persons have access to the data. Similarly, segregation of duties is a very effective preventive control; for example, there should be a clear distinction between the roles of application developers and system administrators.
Detective Controls: These are controls used to detect that something wrong has happened. For example, regular review of privileged-user (power user) logs is one way of deploying a detective control. Hash totals are another form of detective control. Exception reporting is also a detective control: the application system highlights exceptional transactions which differ significantly from the normal trend of transactions.
Corrective Controls: This type of internal control corrects something undesired that has already happened. For example, restoring backups after a database failure is one type of corrective control. Contingency planning and disaster recovery planning are also corrective controls.
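To make the two detective controls named above concrete, here is an added example (not code from the original article) that runs a hash total check and a simple exception report over a constructed batch of transactions. The batch, the historical amounts and the "three standard deviations" rule are assumptions of this example, not something the article prescribes.

```python
"""Detective controls over a constructed transaction batch: hash total check
and exception reporting. Example code, not from the original article."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: int
    amount: float


def hash_total(batch):
    """Hash total: the sum of a field with no arithmetic meaning (account
    number). Comparing it with the total recorded when the batch was created
    detects a lost, duplicated or altered record."""
    return sum(t.account for t in batch)


def hash_total_check(batch, expected_total):
    """True when the batch still matches the hash total recorded at input."""
    return hash_total(batch) == expected_total


def exception_report(batch, history, threshold=3.0):
    """Exception reporting: return ids of transactions whose amount deviates
    from the normal trend, here more than `threshold` standard deviations from
    the mean of historical amounts (assumed rule for this example)."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    flagged = []
    for t in batch:
        if stdev == 0:  # no variation in history: any different amount is an exception
            deviates = t.amount != mean
        else:
            deviates = abs(t.amount - mean) / stdev > threshold
        if deviates:
            flagged.append(t.txn_id)
    return flagged


# Constructed sample data (not real transactions).
HISTORY = [100.0, 120.0, 95.0, 110.0, 105.0, 98.0, 115.0, 102.0]
BATCH = [Txn(1, 40011, 104.0), Txn(2, 40027, 99.5), Txn(3, 40033, 9500.0)]
RECORDED_HASH_TOTAL = 40011 + 40027 + 40033  # total taken when the batch was keyed in

if __name__ == "__main__":
    print("hash total ok:", hash_total_check(BATCH, RECORDED_HASH_TOTAL))  # True
    print("exceptions:", exception_report(BATCH, HISTORY))  # [3]
```

Dropping or altering any record from BATCH makes hash_total_check return False, which is exactly the discrepancy an auditor expects this control to surface.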
An auditor’s main job is to map the controls against high-risk assets and evaluate whether the controls are sufficient and operating effectively. In the next article, we will discuss IS controls in more detail.