Compliance controls generally fall into three categories: preventive, detective, and corrective. If your goal is to address a compliance failure after it has already occurred, restore order, and prevent it from happening again, which of the following is the best example of a corrective control?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Here's the deal: controls are like the security system on your house. A lock on the front door is preventive—it stops the bad guy from getting in. A motion sensor that sets off an alarm is detective—it tells you a bad guy is inside. But what happens after the alarm goes off? You have to fix the broken window and call the police. That's corrective. In the compliance world, when someone breaks the rules, taking disciplinary action is a corrective control. It fixes the immediate problem, enforces the policy, and sends a clear message to everyone else. Trust me, without corrective controls, your policies are just polite suggestions. Let's keep rolling.
Full explanation below image
Full Explanation
In compliance and internal audit frameworks, controls are classified based on when they operate relative to a risk event: 1. Preventive controls are designed to deter or prevent undesirable events from occurring (e.g., segregation of duties, pre-approvals). 2. Detective controls are designed to identify and flag undesirable events after they have occurred but before significant damage is done (e.g., audits, reconciliations, transaction monitoring). 3. Corrective controls are designed to remedy the impact of an event, correct the underlying root cause, and prevent future recurrences (e.g., disciplinary actions, business process redesign, insurance claims).
Let's analyze the choices: - Option C is correct because disciplinary action is taken after a violation has been detected. It corrects the behavior, reinforces compliance expectations, and mitigates the risk of future violations by establishing a clear deterrent. - Option A is incorrect because a pre-approval process is a classic preventive control designed to block unauthorized actions before they happen. - Option B is incorrect because transaction monitoring is a detective control designed to discover anomalies or violations that are occurring or have occurred. - Option D is incorrect because training programs are preventive controls designed to educate employees and prevent violations before they occur.