Preventive or Detective Controls
By Ms. Becky Terry, Strategic Risk Management Executive
Founder of RTE and Company, USA
Before we talk about which type of control is better, preventive or detective, we should ground ourselves on definitions. The Committee of Sponsoring Organizations (COSO) defines preventive controls as “designed to avoid an unintended event or result at the time of initial occurrence (e.g., upon initially recording a financial transaction or upon initiating a patient billing process).”
They define detective controls as “designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded (e.g., issuing financial reports or completing a patient billing process).”
Preventive or Prevention controls are designed to avoid, while Detective or Detection controls are designed to discover.
Most people say that preventive controls are more substantial than detective controls.
Logically, that makes sense. When you are driving a car, there are many preventive controls. A seatbelt and an airbag prevent you from being injured in an accident. A speed limit warning on your vehicle may prevent you from speeding. In states where radar detectors are legal, a radar detector might prevent you from getting a speeding ticket. Someone could argue that it is detecting that you are about to be pulled over for speeding.
Having your automobile inspected each year (in states that require inspections) is both a detective and preventive control. The assessment will determine if your brakes are wearing thin or if other safety features are not working correctly. I would rather have brakes working right the first time than find out the hard way that they have failed. Sometimes the state inspection works as a preventive maintenance control. A car’s warning lights are also a detective control. Hopefully, they come on soon enough that we can act on them and prevent an accident. Again, preventive maintenance is just as essential in automobiles as it is in enterprise risk management.
Why do we care about the designation preventive vs. detective?
The first reason we would want the designation is to review those controls during a change management scenario. Have we added new products to the process? Is the current preventive control capturing that new product in its population? The same might be true of a detective control, such as reconciliation controls. Are we reconciling the correct population? Are we reconciling the same system to itself?
The second reason for the designation is to assist in automation. The preventive or detective nature of the control can be beneficial in determining what systems are in play and how easy or difficult the automation might become. Preventive controls may be established that report anomalies or stop the process altogether. Detective controls could be as simple as automated reconciliations.
Can we put preventive controls in place to mitigate ALL risks?
Of course, we can’t because humans make mistakes. Take reconciliation controls as an example. Can we prevent the bank from posting something in error (although it happens less and less frequently)? Can we prevent someone from posting to the wrong account? Of course not, so we do account reconciliations to detect those mistakes. It also makes sense that if you can prevent an error, rather than detecting it, you save time going back to correct the mistake.
Do we need both preventive controls and detective controls to mitigate the same risk?
That is a much harder question to answer. In the case of cybersecurity, one could argue that we need preventive controls to stop someone from penetrating our system. We also need detective controls just in case they do get in. We all know that a hacker only needs to be right once, while our information technology security team needs to be right all the time.
Sometimes the strongest preventive controls are automated. The easiest way to go from detective to preventive is to change our mitigation strategy from a manual control to an automated control. Once you have determined that the preventive controls are working as intended, you can stop relying on the detective control. Unfortunately, changing from manual to automated is also the most expensive change to implement. Before changing all the detective controls to preventive controls, a cost-benefit analysis is wise. It is often cost-prohibitive to put systems in place to prevent all risks from occurring. Take the reconciliation control as an example. To put a system in place that would prevent all journal entry errors would be cost-prohibitive. Automating bank reconciliations has made that detective control cost- and virtually hassle-free.
When deciding upon the need for a preventive versus a detective control, the bottom line is to remain practical. You add value to the company when you make sure you are only mitigating risks to achieving the company’s strategic directive. You add more value when you are practical in your advice on the types of controls necessary to mitigate risks to an acceptable level. Stay agile and stay practical: that is my motto.