
What are Internal Controls in Accounting?



Internal controls are essential for protecting financial assets, safeguarding data, and ensuring organizational integrity. Finance leaders—especially those who also guide IT functions—must carefully evaluate how prevention and detection work together. The right mix of internal controls helps organizations stay resilient in a constantly evolving risk environment.

Preventive vs. Detective Internal Controls

Preventive controls are designed to stop fraud, errors, and cyber threats before they occur. Common examples include multi-factor authentication, digital banking tokens, firewalls, and strict access-management policies. These safeguards often require more upfront resources but drastically reduce the likelihood of damaging incidents.

Detective controls come into play after an issue has occurred. Tools like anomaly-monitoring systems, bank reconciliation processes, and network-behavior alerts help organizations identify problems quickly. While detective controls are typically easier to implement, they may require more human involvement and lead to higher remediation costs.

Benchmarking Internal Controls

Benchmarking internal controls helps leaders understand how their organizations compare to peers. Data from nearly 500 organizations shows significant variation in control mix:

  • On average, 38.2% of financial controls are detective.
  • Organizations in the 75th percentile use detective controls for about 50% of activities.
  • At the 25th percentile, detective controls make up 28.6% of the control environment.

These benchmarks should not be treated as performance targets but as context for making informed decisions. Every organization’s risk tolerance, industry, and operational complexity influence the appropriate mix.

Finding the Right Mix of Internal Controls

To determine the ideal blend of preventive and detective controls, leaders should consider:

  • Risk tolerance
  • Regulatory and compliance requirements
  • Stakeholder expectations
  • Operational complexity
  • Past incidents of fraud or error
  • Internal technology maturity

Internal controls should never remain static. As threats evolve and operations grow, regular reassessment ensures the control environment stays effective and aligned with organizational goals.

Download APQC’s Achieving the Right Mix of Preventive and Detective Controls to learn more.