The 3 Types of Internal Control in Auditing for Better Governance
The three types of internal control in auditing are preventive, detective and corrective controls. Preventive controls stop errors and fraud before they occur, detective controls identify problems that have already happened, and corrective controls put them right and prevent recurrence. Together they give UK boards and auditors a layered, testable defence against risk.
Knowing how the types of internal control in auditing differ, and how to balance them, has become a board-level matter. Under the 2024 UK Corporate Governance Code, boards are expected to declare the effectiveness of their material controls for financial years beginning on or after 1 January 2026, which makes the design of each control type relevant to audit committees, CFOs, risk leaders and senior management.
What Are Internal Controls?
Internal controls are the policies, procedures and activities management uses to manage risk and provide reasonable assurance that the organisation will meet its objectives.
They range from authorisation limits and segregation of duties to reconciliations and access restrictions. For the wider definition and role of controls, see our pillar guide on what internal control is.
Why Internal Controls Matter
Internal controls matter because they protect assets, support reliable reporting and give the board evidence that the organisation is being run as intended.
When controls are weak, leaders make decisions on information they cannot trust, and the business is exposed to fraud, error and regulatory breach. The right mix of control types is what keeps that exposure within the board’s risk appetite.
Preventive Controls
- Definition. Preventive controls are designed to stop errors, irregularities or fraud before they occur. They are the first and most cost-effective line of defence.
- Purpose. To remove the opportunity for error or fraud by controlling how transactions are authorised and processed.
- Examples. Segregation of duties so no one person can initiate, approve and record a payment; authorisation limits requiring senior sign-off; mandatory purchase orders; and restricted access to the general ledger.
- Risks addressed. Unauthorised or fraudulent transactions, duplicate entries, and unauthorised changes to data or master records.
- Auditor perspective. Auditors confirm the control would prevent the risk if operated correctly, then re-perform approvals and look for transactions that bypassed it. In our reviews, the most common gap is an authorisation limit that exists in policy but is not enforced in the system.
Detective Controls
- Definition. Detective controls identify errors, irregularities or fraud that have already occurred, acting as a safety net behind prevention.
- Purpose. To surface issues quickly so they can be investigated and corrected before they cause material harm.
- Examples. Bank and balance-sheet reconciliations, exception and variance reports, periodic stock counts, management review against budget, and audit trails.
- Risks addressed. Errors and fraud that slip past prevention, control breakdowns over time, and undetected financial misstatement.
- Auditor perspective. Auditors inspect completed reconciliations and reviews, test whether exceptions were investigated, and assess the timeliness and independence of the person performing the control. A reconciliation signed off weeks late offers little real assurance.
Corrective Controls
- Definition. Corrective controls put right the problems detective controls identify and act to prevent them recurring.
- Purpose. To remediate the immediate issue and address its root cause, strengthening the control environment over time.
- Examples. Formal remediation plans after an audit finding, recovery of overpayments, process or disciplinary changes following a breach, and data backups and disaster-recovery procedures.
- Risks addressed. Recurrence of known failures, prolonged exposure after an issue is found, and gradual erosion of the control environment.
- Auditor perspective. Auditors track findings through to resolution and re-test remediated controls to confirm they now work. We frequently see findings that were logged but never closed, which is itself a control weakness.
Comparing the Main Types of Internal Control
Recognised frameworks such as the COSO Internal Control – Integrated Framework group these control types within their wider components, but the practical distinctions are best seen side by side.
| Feature | Preventive | Detective | Corrective |
|---|---|---|---|
| Timing | Before the event | After the event | In response to a finding |
| Purpose | Stop problems occurring | Identify problems that occurred | Remediate and prevent recurrence |
| Relative cost | Lowest | Moderate | Highest |
| Examples | Segregation of duties, authorisation limits | Reconciliations, exception reports | Remediation plans, recoveries, backups |
| Auditor focus | Re-perform approvals, test for bypass | Inspect reviews and exception follow-up | Track findings to resolution and re-test |
A control environment weighted too heavily towards detection is reactive and expensive; one with no detection or correction has no safety net. The goal is balance, with an emphasis on prevention.
Common Internal Control Failures
The failures we see most often during UK audit engagements include:
- Over-reliance on detective controls instead of prevention.
- Poor segregation of duties, especially in small teams.
- Controls that exist on paper only and are not consistently performed.
- Management override of otherwise sound controls.
- Unaddressed findings, where corrective action is logged but never completed.
- Untested IT and access controls as processes automate.
Expert insight. The most common audit finding is not a missing control but a control that exists only on paper. When we assess the types of internal control in auditing, we test behaviour and evidence, not documentation, because a control that is not performed with intent provides no real assurance, however well it is designed.
Best Practices for Effective Controls
UK organisations build a stronger control environment by tying every control to a real risk and confirming independently that it works. The most effective steps are to weight controls towards prevention, enforce segregation of duties even in small teams, ensure detective controls are timely and actioned, and close the loop on every finding.
For a deeper treatment of how to embed and sustain strong controls, see our guide to internal control best practices.
Internal Control Checklist
- Controls are weighted towards prevention rather than detection.
- Every control is mapped to a principal risk.
- Segregation of duties is enforced, including in small teams.
- Detective controls are timely, independent and always actioned.
- Audit findings are tracked through to confirmed remediation.
- IT and access controls are tested, not assumed.
- Controls are documented so they survive staff turnover.
- Independent assurance is in place and reported to the audit committee.
Conclusion
Selecting the right controls is only half the task; maintaining them, and proving they still work, is what protects the organisation over time. A control environment that looked effective at launch can quietly erode as a business grows, staff change and processes automate.
This is where independent assurance earns its place. An objective review confirms not only that the right preventive, detective and corrective controls exist, but that they are operating as intended against the risks that matter.
Albion Audit helps UK boards and audit committees strengthen their controls, governance and risk management through specialist internal audit, risk and assurance services. If you want confidence that your control environment is fit for scrutiny, speak to our internal audit team for a no-obligation conversation.
What are the main types of internal control in auditing?
The main types are preventive, detective, and corrective controls. Each serves to prevent, identify, or correct issues within business operations.
Why are internal controls important in auditing?
Internal controls ensure accurate financial reporting, compliance with laws, and protection of assets, forming the foundation of good governance.
How does Albion Audit support internal control improvement?
Albion Audit designs and reviews internal control frameworks to enhance governance, reduce risk, and meet UK Corporate Governance Code requirements.