Preventive control definition
What is a Preventive Control?
A preventive control is used to keep a loss or an error from occurring. These controls are typically integrated into a process, so that they are applied on a continual basis. They are especially common when the severity of a loss is considered to be quite high, so that their imposition will lower the probability of any loss ever occurring. Preventive controls are considered to be proactive, since they keep problems from arising in the first place.
Examples of Preventive Controls
Here are multiple examples of preventive controls:
Access controls. These controls require unique IDs, passwords, or biometric scans to access systems.
Segregation of duties. By splitting tasks among several people, you can ensure that critical functions (e.g., authorization, custody, and record-keeping) are divided among different employees to reduce fraud risk.
Physical security controls. These controls restrict access to sensitive physical areas, such as server rooms or file storage areas. A variation on the concept is surveillance cameras, which can be used to deter theft and monitor high-risk areas to prevent unauthorized physical access.
Data encryption. This control involves encrypting data to prevent unauthorized access in case of data interception or theft.
Firewalls. This involves configuring firewalls to prevent unauthorized access to the organization’s network.
Supplier due diligence. This involves conducting background checks and assessing third-party security controls before signing contracts.
Pre-employment screening. This involves screening candidates for criminal records, qualifications, and employment history to reduce hiring risks.
Approval requirements. This involves requiring purchase orders to be reviewed and approved before goods or services are procured, as well as ensuring that expenses are reviewed before they are reimbursed.
Automated system controls. Automated data input controls ensure that any data entered is complete and accurate (e.g., requiring numeric input for fields that should only have numbers). These controls should also automatically log out users after a period of inactivity to prevent unauthorized access.
These preventive controls help mitigate risks by stopping errors, fraud, or security breaches before they happen. In combination with detective and corrective controls, they contribute to a comprehensive internal control environment.