There are steps you can take to manage or minimize risk. It's important that these actions follow policy and procedure, and that they be done properly and in a timely manner. These steps include approvals/authorizations, reconciliations, reviews, asset security, segregation of duties and controls over information systems. See Related Information for details.
These controls must be implemented thoughtfully, conscientiously and consistently, keeping a focus on the concern or potential problem. It's also essential that unusual conditions identified as a result of performing control activities be investigated and appropriate corrective action be taken.
Who is Responsible?
Just as managers are primarily responsible for identifying financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
General Types of Actions
Actions can be either preventive or detective. Both types of responses are essential to an effective internal control system. Preventive actions are proactive and improve quality. Detective actions indicate whether preventive actions are working and help prevent losses.
Preventive actions attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation and physical control over assets.
- Detective actions attempt to uncover undesirable acts. They provide evidence that a loss has occurred so that the problem can be identified and addressed. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories and audits.