A multinational manufacturer implements a policy requiring all incoming supply chain partners and distributors to formally sign and agree to the company's Supplier Code of Conduct before any purchasing orders are issued. In the context of internal compliance controls, this measure is classified as a:
Select an answer to reveal the explanation.
Short Explanation and Infographic
Check this out: in the compliance world, we categorize controls by when they do their job. A detective control finds a mistake after it happens—like an audit. A corrective control fixes the mess after it's found. But a preventive control is all about stopping the bad stuff before it starts. By forcing your vendors to sign that code of conduct before you do business, you're setting the rules of engagement upfront to prevent violations. It's like putting a lock on the front door instead of just checking the security cameras after a break-in. Got it? Sweet. Let's keep rolling.
Full explanation below image
Full Explanation
In internal control design, controls are broadly categorized based on their timing and objective relative to a risk event: preventive, detective, and corrective.
Let's analyze why the correct classification is a preventive control and why the other options do not apply. The correct option is B (preventive control). A preventive control is designed to deter or prevent undesirable events from occurring. Requiring third-party vendors to sign a code of conduct before onboarding establishes ethical standards, legal obligations, and operational boundaries from the outset. This upfront commitment helps deter vendors from engaging in non-compliant behavior, thereby reducing the likelihood of a risk event. Option A is incorrect because detective controls are designed to identify and expose errors, omissions, or unauthorized actions after they have already occurred. Examples include bank reconciliations, inventory counts, and whistleblowing hotlines. Option C is incorrect because a compliance audit is a structured review process designed to verify adherence to policies and regulations after activities have taken place; it is a type of detective mechanism, not a contract signature requirement. Option D is incorrect because corrective controls are implemented to rectify problems that have been detected, restore the system to its proper state, and prevent future recurrences (e.g., system backups, disciplinary actions, or process redesigns).
By integrating preventive controls like vendor codes of conduct into the procurement process, companies establish a strong compliance baseline that reduces the reliance on costly detective and corrective measures.