Internal controls are the policies and procedures that a business puts into place in order to protect its assets, ensure its accounting data is correct, maximize the efficiency of its operation and promote an atmosphere of compliance among its employees. There are three main types of internal controls: detective, preventative and corrective.
Detective internal controls are designed to find errors after they have occurred. They serve as part of a checks-and-balances system and to determine how efficient policies are. Examples include surprise cash counts, taking inventory, review and approval of accounting work, internal audits, peer reviews, and enforcement of job descriptions and expectations. Detective internal controls also help protect assets. For instance, if a cashier does not know when her cash drawer will be counted, she may be more likely to be honest.
Preventative internal controls are put into place to keep errors and irregularities from happening. While detective controls usually occur irregularly, preventative controls usually occur on a regular basis. They range from locking the building before leaving to entering a password before completing a transaction. Other preventative controls include testing for clerical accuracy, backing up computer data, drug testing of employees, employee screening and training programs, segregation of duties, enforced vacations, obtaining approval before processing a transaction and having physical control over assets (locking money in a safe, for example).
As the name suggests, corrective internal controls are put into place to correct any errors that were found by the detective internal controls. When an error is made, employees should follow whatever procedures have been put into place to correct the error, such as reporting the problem to a supervisor. Training programs and progressive discipline for errors are other examples of corrective internal controls.
It is important to keep in mind that internal controls, while effective, are not a guarantee that a company's objectives will be met. Human errors and computer errors are not accounted for by internal controls. In addition, internal controls assume employees are honest and that they would not bypass guidelines or alter data to benefit themselves.