In the context of internal compliance controls, which of the following is classified as a corrective control?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Check this out: in networking, we have firewall rules that block bad traffic (that's preventive), logs that tell us we just got scanned (that's detective), and scripts that isolate a compromised server after a breach (that's corrective). Compliance works the exact same way! You've got controls that prevent bad behavior, controls that detect it, and controls that fix things after a policy violation actually happens. Disciplinary action is a classic corrective control. The violation already occurred—the employee broke the rules—and now you're taking action to correct the behavior, enforce accountability, and send a message to the rest of the company that the rules actually matter. Got it? Sweet. Let's keep rolling.
Full explanation below image
Full Explanation
Internal compliance controls are categorized based on their timing and function relative to a violation. These categories are preventive controls, detective controls, and corrective controls. Corrective controls are designed to remediate problems, correct errors, and address violations after they have been detected. Their goal is to mitigate the impact of the violation, return operations to a compliant state, and prevent future recurrences. Disciplinary action—such as issuing a formal warning, suspension, or termination to an employee who has violated a policy—is a primary example of a corrective control. It addresses the non-compliant behavior directly and enforces the organization's standards after a breach has occurred.
Let's contrast this with the other options: - Option A is incorrect because training is a preventive control. It aims to educate employees on proper procedures and ethical decision-making to stop violations from happening in the first place. - Option B is incorrect because transaction monitoring systems that flag anomalies are detective controls. They identify and alert compliance personnel to potential issues that are occurring or have already occurred, but they do not automatically correct them. - Option D is incorrect because dual authorization is a preventive control. It establishes a structural barrier (segregation of duties) to prevent unauthorized transfers from occurring.
Understanding the distinction between these control types is essential for building a balanced compliance framework that not only prevents and detects issues but also has the teeth to correct them when they arise.