Controls within a compliance program are typically classified as preventive, detective, or corrective. Which of the following activities represents an example of a corrective control?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Let's break this down. In compliance, we have three lines of defense when it comes to controls: preventive (stopping the bad stuff before it happens), detective (catching the bad stuff while or after it happens), and corrective (fixing the mess after it's been caught). Think about it: a pre-approval process for gifts is preventive—it stops you from giving a bribe in the first place. A transaction monitoring system is detective—it’s like a security camera spotting a thief. But when an employee actually breaks the rules, gets caught, and you step in to hand down disciplinary action and fix the broken policy? That's corrective. You’re correcting the behavior and repairing the system so it doesn't happen again. Got it? Sweet. Let's keep rolling.
Full explanation below image
Full Explanation
Internal controls are categorized based on their timing relative to a compliance risk event: - Preventive controls are proactive measures implemented to prevent errors, fraud, or violations from occurring (e.g., segregation of duties, pre-approval workflows, training). - Detective controls are designed to identify and alert management to errors, fraud, or violations after they have occurred (e.g., reconciliations, audits, data monitoring). - Corrective controls are designed to rectify the problems identified by detective controls, repair damage, and prevent future recurrences (e.g., disciplinary action, policy updates, insurance claims, system restoration). Disciplinary action taken against an employee who has violated a policy is a corrective control because it addresses a specific infraction, serves as a deterrent to others, and aligns employee behavior back with organizational standards. Let's analyze the incorrect choices: - Option A is incorrect because automated transaction screening is a detective control designed to identify potential anomalies after or as they are recorded. - Option B is incorrect because training programs are preventive controls designed to educate staff and prevent violations from occurring. - Option C is incorrect because a pre-clearance requirement is a preventive control that blocks unauthorized transactions before they occur. A balanced compliance program requires a combination of all three control types to mitigate risks effectively.