Which of the following is NOT an example of a corrective control?

Corrective controls are put in place to address and mitigate issues after they occur, effectively "correcting" any problems that have arisen. Disciplinary actions are taken as a response to non-compliance or misconduct, software patches fix vulnerabilities or bugs after they have been discovered, and new policies might be implemented following an incident to prevent similar occurrences in the future.

Internal audits, however, are primarily considered a detective control rather than a corrective control. Their purpose is to evaluate and analyze existing processes and systems to identify weaknesses or compliance issues before they result in a security incident. Since their function is more about detection and assessment rather than rectification, they do not fit within the definition of corrective controls.