Understand how internal controls prevent, detect, and contain loss, and why preventive and detective controls are complementary rather than interchangeable.
The topic "Definition and objectives of internal controls" appears in the official CIRO Chief Financial Officer Exam syllabus as part of Risk management and internal controls. Questions here usually test whether you can identify the controlling rule, control, calculation, workflow, or escalation path in a realistic fact pattern rather than simply restate a definition.
Risk management decides what level of risk is acceptable. Internal controls are part of how the dealer keeps actual activity inside that boundary. The exam usually tests whether you can explain what the control is meant to stop, detect, or escalate and whether the chosen control is strong enough for the actual risk.
| Control type | Main purpose | Example | Common limitation |
|---|---|---|---|
| Preventive | Stop the error, breach, or unauthorized action before it happens | approval gates, system blocks, limit checks, segregation of duties | Can be bypassed if design or access is weak |
| Detective | Identify that something has already gone wrong or drifted out of range | exception reports, reconciliations, surveillance, variance review | Detection after the fact may still leave losses or reporting errors |
```mermaid
flowchart LR
A["Risk event possibility"] --> B["Preventive control"]
B --> C{"Failure still occurs?"}
C -- "No" --> D["Loss avoided"]
C -- "Yes" --> E["Detective control identifies issue"]
E --> F["Escalation, correction, and remediation"]
```
The stronger answer usually explains why both types matter. A detective control without prevention can identify a loss only after it has occurred. A preventive control without review can fail silently.
The stronger answer says what the control is trying to achieve and where it might still fail. It does not only label a control as preventive or detective.
A dealer relies on a month-end exception report to identify unauthorized trading-limit breaches. Why is that incomplete as the primary control?
Because the report is detective only. It may identify the problem, but only after the dealer has already taken the unwanted exposure. A stronger framework would combine real-time preventive limit checks with follow-up monitoring.
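The layered framework described above, as an added illustration that is not part of the syllabus or the original page: a pre-trade limit check (preventive) sits in front of every order, and an exception report (detective) reviews the booked ledger afterwards. The per-trader limit of 1,000,000 notional and the manual override path are constructed assumptions; the override models the "can be bypassed if design or access is weak" limitation from the table.

```python
from dataclasses import dataclass, field

# Constructed assumption: each trader may hold at most this much notional exposure.
LIMIT = 1_000_000


@dataclass
class Desk:
    limit: int
    exposure: dict = field(default_factory=dict)  # current notional per trader
    ledger: list = field(default_factory=list)    # every booked trade, reviewed later

    def book(self, trader, notional, override=False):
        """Preventive control: reject an order that would push the trader past the
        limit before the exposure is taken. `override` is a hypothetical manual
        bypass path, the kind of design weakness that lets a preventive gate be
        skipped without anyone noticing at the time."""
        projected = self.exposure.get(trader, 0) + notional
        if projected > self.limit and not override:
            return False  # blocked: the loss is avoided up front
        self.exposure[trader] = projected
        self.ledger.append((trader, notional, override, projected))
        return True

    def exception_report(self):
        """Detective control: after-the-fact review of the ledger. It flags any
        booked trade that left a trader over the limit, and any use of the
        override path, so that bypasses are escalated rather than staying silent."""
        return [entry for entry in self.ledger if entry[3] > self.limit or entry[2]]


def run_scenario():
    """Constructed sequence of orders for one trader, T1."""
    desk = Desk(limit=LIMIT)
    booked = [
        desk.book("T1", 600_000),                 # within limit: allowed
        desk.book("T1", 600_000),                 # would reach 1.2M: blocked pre-trade
        desk.book("T1", 600_000, override=True),  # bypass: preventive control fails silently
    ]
    # Only the detective control surfaces the overridden breach for escalation.
    return booked, desk.exception_report()


if __name__ == "__main__":
    booked, report = run_scenario()
    print("booked:", booked)
    print("exceptions for escalation:", report)
```

Relying on the exception report alone, as in the fact pattern, would let the second order through as well; relying on the pre-trade check alone would leave the overridden third order unreviewed.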