During a compliance review of a company's procurement department, the auditor reviews the policy requiring separate employees to approve purchase orders and authorize payments. What is the primary purpose of embedding these types of internal controls into a compliance program?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Check this out: why do we have a rule that the person who approves a purchase order can't be the same person who writes the check? That's segregation of duties, and it's a classic internal control. Why do we do it? To stop fraud and mistakes before they happen (prevent), catch them if someone tries to slip something past the rules (detect), and have a clear way to fix the error (correct). If you don't have these controls in place, you're basically leaving the keys in the ignition of your sports car and hoping nobody steals it. Don't do it! Got it? Let's keep rolling.
Full explanation below image
Full Explanation
Internal controls are the systematic measures (such as reviews, checks and balances, methods, and procedures) instituted by an organization to conduct its business in an orderly and efficient manner, safeguard its assets, and ensure compliance with laws and policies. Option A is correct because the foundational purpose of internal controls in a compliance program is to establish a proactive defense system that works to prevent compliance violations, detect deviations in real-time or post-transaction, and correct weaknesses before they lead to regulatory actions. This three-stage framework (prevent, detect, correct) is standard across COSO and compliance design guidelines. Option B is incorrect because internal controls do not shift ultimate legal responsibility away from corporate management; the board and executive leadership remain responsible for the compliance program. Option C is incorrect because internal controls are designed to integrate and support legal and compliance oversight, not isolate the legal department. Option D is incorrect because while controls can introduce necessary checkpoints, their purpose is risk mitigation and operational integrity, not to intentionally hinder business growth or artificially reduce transaction volumes.