Control Objectives and Controls Related to IS (Such as Preventative and Detective)

The combination of organizational structure, policies and procedures, and best practices that are implemented to reduce risk is called internal controls. Internal controls are used by the organization to provide a reasonable assurance that the business objectives will be met and risk will be prevented, detected, or corrected. Preventative control objectives detect problems before they arise, monitor both operations and inputs, and prevent errors, omissions, or malicious acts from occurring. Using an access-control system (think user/password combination) is an example of a preventative control. Detective controls are used to detect and report the occurrence of an error, omission, or malicious act. Using audit trails is an example of a detective control. Corrective controls minimize the impact of threat, identify the cause of a problem, and modify the system to minimize future occurrences of the problem. Using a rollback facility in a database environment is an example of a corrective control. When evaluating the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.

Internal controls operate at all levels of the organization and should be continuously monitored to ensure their effectiveness. The auditor should be primarily concerned with the overall strength of the control or combination of controls to ensure that it meets its stated objective. Control procedures can be manual or automated and generally fall into three categories: