Internal controls from a business perspective have historically held their roots in auditing and accounting. As organizational security has evolved over the years, and data creation and consumption has exploded, internal controls began to mean different things to different people. Organizations want to better understand the reliability of financial reporting as well as the system of internal controls. Organization commonly categorize internal controls for an internal audit into three types:
- Preventive controls
- Detective controls
- Corrective controls
Preventive controls are implemented to help prevent incidents from happening in the first place. Most preventive controls are best practices that came from remediating detected activity or incidents
Examples of preventive controls:
- Multi-factor authentication
- Separation of duty also known as segregation of duties
- Perimeter defense and email security
- Physical controls
Detective controls are intended to help an organization find problems. Many detective controls are focused on users, entities, information systems, and data.
Examples of detective controls:
- Entity and behavior analytics
- Risk management
Corrective controls are implemented after an incident has been detected. Many organizations are reactive when it comes to incidences and excel at corrective action and corrective controls:
Examples of corrective controls:
- Business continuity and disaster recovery plan
- Server and workstation hardening
- Control procedures
- Implementing a control environment
In summary, preventive controls are intended to prevent an incident from occurring by triggering capabilities such as locking out unauthorized intruders. Detective controls are intended to identify and characterize an incident in progress by sounding the intruder alarm and alerting the proper authorities. Corrective controls are intended to limit the extent of any damage caused by the incident by recovering the organization to normal working status as efficiently as possible.
Internal controls have become one of the best defenses against cyber incidents. The goal of businesses should be to shift from a reactive organization to a proactive organization with a heavy focus on preventive controls. Risk assessments are a great way to better understand how your core internal controls are working. By moving from reactive to proactive controls, organizations will save time, reputation, and resources.