Does It Matter if a Control is Preventive or Detective?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


The traditional answer is an emphatic "Yes!"

But times, they are a-changing.

Until now, detective controls have been based on a review of reports at the end of the day, week, month, etc. They are designed to detect errors that slipped past any controls earlier in the process. Detective controls are often, but not always, cheaper to operate, but the risk is higher that an error (deliberate or otherwise) is not prevented and is detected too late to prevent a loss. Often, a combination of preventive and detective controls is desired, simply because preventive controls are rarely perfect and detective controls will stop any lasting damage.

But the latest technology can move detection to a point where it is almost immediate.

For example, there are real-time agents that run within the application, testing transactions against predefined rules and sending alerts to an operator for action.

There has also been an immense, startling increase in the speed of analytics. They can run (using in-memory platforms) as much as 300,000 times faster.

A report used for detection that used to take many hours to run can now take seconds. I saw one report from an analyst that said that potential errors or anomalies were being detected in milliseconds!

So what does this all mean?

The distinction between preventive and these 'immediate' detective controls has been blurred.

Those responsible for the design or assessment of controls should think again. Is it time to replace expensive preventive controls with less expensive, immediate detective controls?

I welcome your views.

Posted on Nov 29, 2012 by Norman Marks


  1. Hi Norm,

    Certainly an interesting case to make for CCM software (e.g. Virsa). I would still be concerned as to whether the aspects of identification/notification (e.g. Detect controls) eliminate the action step of a Prevent control. Simple example: A Detect control in place says to identify any A/P check being issued in a value of over $10K (maybe the average value of invoice amounts for this company is $2K?). Even if this control has a CCM system behind it that identifies such an invoice has been cut for payment, they need to notify someone of the anomaly. This could be the same person attempting to perpetrate the fraud, if it is an "inside job". As an alternative, you could also have this Detect control backed up by a Prevent control that states any check over the average $ amount of $2K requires a second signature from someone at the Director or VP level?

    The simplistic example I like to use for explaining Detect, Prevent and Mitigating Controls is this:

    A burglar is planning to break into your house and rob you blind:

    1.  Detect Control is security lights and alarm system

    2.  Prevent Control is the deadbolt lock on all doors and windows

    3.  Mitigating Control is Brutus the pitbull sleeping in the front foyer

    I agree there can be a blurring between Detect and Prevent controls, but there is also a distinction, IMO.

    Best regards,

    Paul Fine

  1. Both have their own uses. Preventive control will act on a single transaction, whereas detective control can be used to identify patterns.

  1.  Hi Norman,

    Hope you're well.

    I would agree that we are seeing a 'convergence' between detective and preventative controls. I think this does demand a rethink of which controls options are most suitable in some circumstances. Detective controls are not only cheaper in many cases but are often a lot more flexible. 

    Ultimately if a detective control is real time, allowing preventative action to be undertaken before any consequences occur then there is little difference in the strength of this control compared to a more traditional preventative control. What I would say though is that the strength of the real time detective control is usually still dependent on human intervention, i.e. someone needs to do something with the alert, exception report, etc... This for me is the key distinction that still remains. 

    Best Regards,

    Richard

  1. You need to compare the cost of implementing in-memory and making sure that the system works correctly vs. detective controls. The current IT landscape would play a pivotal role in this decision, as would the skills and experience of the audit team.

  1. Norm:

    I agree with your idea and have for a long time. Prevention controls tend to frustrate people (just think about the traditional purchasing process with a purchase request, purchase order, invoice, receiving report etc. – prevention controls that are costly). When people get frustrated by strong controls, they work to figure out how to get around the control.

    Detection controls can allow for new and simplified processes that enable staff to get things done more timely (credit cards to make purchases, for example) and at a significantly lesser cost in many cases. But it also requires a different skill level – data analysis to identify improper credit card payments as opposed to clerical staff to process the paper in a traditional purchasing system.

    Too often, I see auditors making recommendations for strong controls – but they are the wrong controls. Auditors staying at the top of their game make recommendations for the right controls.

    Dave Hancox

  1. Just a thought Norm: Nice idea, in theory. With the speed of computing going into over-drive, how many milliseconds does it take for a transaction to take place and be re-routed many times...out of reach? This being said... strong, correct preventive controls are basically better than detective controls. Then my money is still in MY pocket, not someone else's. Lynn

  1. An interesting thought for sure, however there is no 1 right answer. I feel the choice should be based on the risk level based on the impact. If the risk is high and impact is high a preventive control supplemented by some additional mitigation would be sensible. But if the risk level and impact is not too high it doesn't make sense to have expensive preventive controls. So this will have to be decided on a case-by-case basis.....

  1. Usually, detective controls can allow us to think of what preventive controls can be implemented.  I think detective controls are a great learning opportunity. 

  1. Both controls obviously have their benefits and as you note must also be considered relative to cost-benefit, since preventive controls are more often more costly. We also have to analyze the level at which management actually relies on a given control. While often more applicable to detective controls, it can be more important than the value of the control itself. For instance, if we identify a given process, report or edit control as being the key control in mitigating a risk but management ignores that control in general, is it really an effective control? If these immediate detective controls as you call them are properly applied and key to how the given situation is managed and are less expensive, I think we could make a good argument to implement them in lieu of the preventive control.

  1. For me the answer is simple (prevention is better than cure), yet we as an industry have some work to do before we are even close to this.

    We live in a society that is dependent on trust, especially in Business, and the difficulty of assessing a potential customer, partner, transaction etc. is more often than not left to judgement by the facts that have presented themselves at that point in time, by anything from a feeling that we can trust them to a packet of bits and bytes being sent via a network. We are only as good as what we are aware of or what can be an assumption of something that may or may not be happening. What has to be remembered is that information is currently at overload and we as humans and machines are having issues coming to terms with it. The question within your question being how can we decipher so much information to ascertain exactly what to trust and what not to?

    I personally experienced being in a position whereby I was so bombarded with information of incidents and the first problem was to identify which were actual positive and not false positive incidents and then to prioritise them etc.

    The information today is so continuous that detection in my opinion is too late as the event has taken place, however we do need defense in depth and that means we need more than prevention and detection to fulfil this requirement. However, this is beyond your question and I will conclude that after over 27 years of experience within security there is never one time I have said to myself detection was better than prevention, actually the complete opposite: I have been very glad of those moments that prevention avoided the detection of a major incident.

  1. It certainly matters if a control is detective or preventive. Detective and preventive controls are separate and complementary, AND absolutely necessary where appropriate. Detective controls are generally passive, intended to alert the operator that a control or policy is being breached. This can be in support of a preventive control, part of an alerting process, or as input into a reporting process.

    A preventive control is active, taking action to stop the detected action, defer/compensate for the action, or mitigate the potential impact that allowing the action would incur.

    Preventive controls are viewed as more beneficial, but also carry additional risk. They generally rely on baselines, and measure deviation from "normal" as an indicator of anomaly. They can be subject to false-positives, and can interfere with operations.

    I don't set up an Intrusion Prevention System without first running it in passive Detection mode for some period, and then tweaking each detection rule that reports its indicators reliably over time. How and when preventive rules are enabled is a factor of potential impact, risk, and reliability.

    Just my 2¢, collect the whole dime!

    Mark
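The post describes real-time agents that test transactions against predefined rules and alert an operator, and Mark's comment describes running rules in detection mode before enabling blocking. The following is an added example, not code from the post or any commenter: one rule placed either as a preventive control (blocks inline) or as an 'immediate' detective control (posts, alerts a reviewer), with promotion from detect to prevent gated on how reliable its alerts proved. The rule name, the $10K threshold, the reviewer and all payments are constructed.

```python
# Added example (not from the post): the same rule placed as a preventive control
# (blocks inline) or as an 'immediate' detective control (posts, alerts a reviewer),
# with detect-to-prevent promotion gated on alert reliability. Names and data are constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    mode: str = "detect"   # "detect": alert and let it post; "prevent": block inline
    hits: int = 0          # alerts raised while in detect mode
    confirmed: int = 0     # alerts an independent reviewer confirmed as real issues

    def precision(self) -> float:
        return self.confirmed / self.hits if self.hits else 0.0

    def promote_if_reliable(self, min_hits: int = 5, min_precision: float = 0.9) -> str:
        """Enable blocking only once enough alerts have proved reliable; return the mode."""
        if self.mode == "detect" and self.hits >= min_hits and self.precision() >= min_precision:
            self.mode = "prevent"
        return self.mode

def apply_control(rule: Rule, txn: dict, reviewer: str) -> dict:
    """Disposition of one transaction under the rule's current mode."""
    if not rule.predicate(txn):
        return {"id": txn["id"], "status": "posted", "alert_to": None}
    if rule.mode == "prevent":
        return {"id": txn["id"], "status": "blocked", "alert_to": None}
    rule.hits += 1
    # A detective placement only works if the alert reaches someone other than the
    # requester; flag the case where it would not (the 'inside job' in Paul's comment).
    return {"id": txn["id"], "status": "posted", "alert_to": reviewer,
            "independent_reviewer": reviewer != txn["requested_by"]}

# Constructed A/P checks; six exceed the hypothetical $10K rule threshold.
AMOUNTS = [2000, 12000, 15000, 11000, 30000, 10500, 25000, 1800]
PAYMENTS = [{"id": f"AP-{i}", "amount": a, "requested_by": f"clerk{i % 2}"}
            for i, a in enumerate(AMOUNTS, start=1)]

def staged_rollout(confirmed_alerts: int) -> dict:
    """Run in detect mode, record reviewer confirmations, then attempt promotion."""
    rule = Rule("large_check", lambda t: t["amount"] > 10_000)
    for txn in PAYMENTS:
        apply_control(rule, txn, reviewer="ap_manager")
    rule.confirmed = confirmed_alerts                 # outcome of the reviewer's triage
    n_alerts, precision = rule.hits, rule.precision()
    mode = rule.promote_if_reliable()
    follow_up = apply_control(rule, {"id": "AP-9", "amount": 20000, "requested_by": "clerk1"}, "ap_manager")
    return {"alerts": n_alerts, "precision": precision, "mode": mode, "next_status": follow_up["status"]}
```

With all six alerts confirmed the rule is promoted and the next large check is blocked; with only three confirmed it stays in detect mode and the check posts with an alert.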

  1. I think that, if possible, preventing the error or fraud is typically the most effective since it potentially eliminates the loss before it can actually occur. Designing a system that focuses entirely on preventive controls may not be feasible all the time, though. A cost benefit analysis should be performed prior to the implementation of controls. Every organization is unique structurally and resource-wise. The approach should be mixed with emphasis placed on preventive controls for the high-risk items and detective controls for the lower risk items. I don't think the answer is as binary as the question (last sentence) implies and an integrated approach should be considered.

  1. Three ideas:

    1.- They are different parts of the adaptation cycle. Detection feeds the prevention.

    2.- Prevention is Detection of a known risk.

    3.- Prevention does not exist. Only Detection exists.

    Conclusion: All controls are about Detection. Prevention only knows how to handle a known risk.
