Does It Matter if a Control is Preventive or Detective?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
The traditional answer is an emphatic "Yes!"
But times, they are a-changing.
Until now, detective controls have been based on a review of reports at the end of the day, week, month, etc. They are designed to detect errors that slipped past any controls earlier in the process. Detective controls are often, but not always, cheaper to operate; but the risk is higher that an error (deliberate or otherwise) may not be prevented and its detection may be too late to prevent a loss. Often, a combination of preventive and detective controls is desired, simply because preventive controls are rarely perfect and detective controls will stop any lasting damage.
But the latest technology can move detection to a point where it is almost immediate.
For example, there are real time agents that run within the application that test transactions against predefined rules, sending alerts to an operator for action.
There has also been an immense, startling increase in the speed of analytics. Thety can run (using in-memory platforms) as much as 300,000 times faster.
A report used for detection that used to take many hours to run can now take seconds. I saw one report from an analyst that said that potential errors of anomalies were being detected in milliseconds!
So what does this all mean?
The distinction between preventive and these 'immediate' detective confrols has been blurred.
Those responsible for the design or assessment of controls should think again. Is it time to replace expensive preventive controls with less expensive, immediate detective controls?
I welcome your views.
Posted on Nov 29, 2012 by Norman Marks
Share This Article: