Risk control techniques. Internal control may be defined as the process designed, put in place, and maintained to provide reasonable assurance regarding the achievement of an entity’s objectives. These objectives relate to the reliability of financial reporting, the efficiency and effectiveness of operations, and adherence to relevant and applicable laws and regulations.
Risk Control Techniques: Preventive, Corrective, Directive, And Detective (PCDD)
The following points should be noted from this definition:
- It is management’s responsibility to design and put in place a suitable system of internal controls.
- Internal controls are designed to deal with financial, operational, and compliance risks.
Organizations prepare a risk and control matrix, in which risks and the related controls are documented. Such a matrix enables management to review the risks and related controls by risk classification, inherent and residual risk assessment, and any apparent weaknesses in the controls.
Further, controls are assigned to different control categories according to their nature, as follows:
Prevention of errors and irregularities should be the aim of every organization. However, in practice, some errors and risks occur despite the implementation of preventive controls.
Preventive controls are designed to stop errors or anomalies from occurring. Examples of preventive controls are:
- Adequate segregation of duties
- Proper authorization of transactions
- Adequate documentation and control of assets
Preventive controls aim to prevent an error from occurring in a process; they include the maker-checker concept and authorizations. For example, to prevent the purchase of unauthorized fixed assets, management builds preventive controls in the form of authorization and approval of fixed asset purchases by senior management or an asset purchase committee. Such controls ensure that unauthorized asset purchases are discouraged and that only assets approved by senior management or the appropriate committee are purchased and reflected in the financial statements.
Corrective controls are designed to correct errors and irregularities once they are discovered and to ensure that similar errors are not repeated. Corrective controls take the form of procedures and manuals for employees’ reference. Some controls are built into the system and automatically correct errors or prevent them from occurring.
Examples of corrective controls are:
- Policies and procedures for reporting errors and irregularities so they can be corrected
- Training employees on new policies and procedures developed as part of the corrective actions
- Positive discipline to prevent employees from making future errors
- Continuous improvement processes to adopt the latest operational techniques
Directive controls aim to ensure that identified risks are managed through formal directions, provided in various forms to the management and employees of the organization. Directive controls require an understanding of cross-departmental processes, including the embedded regulatory requirements, which are then converted into policies and procedures.
These policies and procedures also lead to the development of standard operating procedures and formal directions in specific areas. For example, management prepares a compliance policy to ensure that broader regulatory requirements are complied with. Management also develops specific operating procedures for employees, such as procedures or directives for dealing with customers before onboarding them. These directives refer to the compliance policy and to the regulatory requirements that govern the customer onboarding process.
Similarly, management identifies broader risks and how they interrelate, to ensure that the relevant directives are prepared and approved for compliance purposes.
Errors in a process need to be detected so that corrective measures can be taken to minimize the impact on the whole process or activity. Detective controls should aim to detect errors on a timely basis. If errors are not detected on a timely basis, the detective controls are assessed as ineffective. A strong internal control system always includes effective detective controls.
These controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
- Exception reports: Identifying unexpected results or unusual conditions that require follow-up.
- Reconciliations: An employee relates different data sets to one another, identifies and investigates differences, and takes corrective action when necessary.
- Periodic audits: Internal and independent external audits detect errors, irregularities, and non-compliance with laws and regulations.
Every company operates in an environment that contains a variety of risks. Some of these risks can be avoided, while others must be accepted and managed to reduce their business impact. An organization’s ability to sustain itself when a risk materializes, and indirectly to add to its market value, is aided by timely analysis of potential risks and implementation of adequate measures to mitigate them. As a result, most large and reputable organizations worldwide have a team dedicated to analyzing and controlling such business risks.