Detective controls are measures a company uses to identify irregularities so they can be corrected, ideally as promptly as possible. Laws like the Sarbanes-Oxley Act of 2002 mandate the use of internal controls to address common accounting and ethics problems, and companies also want to use controls to avoid waste, fraud, and other issues they may encounter in the course of doing business. The counter to detective controls are corrective controls, which are measures to prevent problems from occurring in the first place.
One example of a detective control is an audit. Most companies hold regular external and internal audits to review financial statements, scrutinize departments, and determine if there are any irregularities. These could include signs of embezzlement and fraud within a company, as well as activity suggestive of an attempt to conceal financial problems from investors, regulators, and the general public. Companies may use surprise audits as another form of detective control, so people never know when to expect an evaluation.
Other detective controls can include triggers for certain types of activity, such as warning alerts that will show up when people engage in financial transactions that appear irregular. If a department always issues a check to the same vendor for the same amount, a sudden change might be a cause for concern, and a detective control could be set up to notify the accounting department when variations like this occur so they can find out what happened and why.
Companies may use measures like mandatory reporting forms so they can catch irregular activity early, often in the form of financial statements that do not match what a person or department is actually doing. These detective controls can involve things like automatically sending data to accounting for review, providing continuous auditing so people can catch anything unusual almost as soon as it happens. Accountants and attorneys can work together to develop appropriate and effective controls.
Some detective controls are set out by law and companies must show that they are using them and complying with regulatory standards on how to use those controls. Others are considered part of generally accepted standards and practices, and while they are not explicitly required, they are a very good idea. Companies deviating from accepted practices can be targets for concern and suspicion, as people will want to know why they are not keeping pace with other companies in terms of accounting practices. Other controls may be optional, but recommended, for legal or ethical reasons.