Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 267

An internal auditor is conducting an assessment of the organization's fraud controls. Which of the following would not be considered a preventive control?
1. Daily report that identifies unsuccessful system log-in attempts.
2. Weekly management communication with tips on identifying possible fraud.
3. E-mail alert sent to management for checks issued over $100,000.00.
4. New hire training to explain fraud and employee misconduct.

Answer options

• A. 1 and 2 only
• B. 1 and 3 only
• C. 2 and 4 only
• D. 3 and 4 only

Correct answer: B

Explanation

The correct answer is B because a daily report of unsuccessful log-in attempts and an email alert for large checks are reactive measures, not preventive controls. In contrast, management communication and new hire training are proactive strategies aimed at preventing fraud.