Preventative vs. detective controls

Controls are put in place in order to manage a risk. By putting a control in place, we can manage the impact of the risk, either by preventing it from taking place in the first place or to deal with the impact after it has taken place.

What are preventative and detective controls?

Simply put, preventative controls are those which are put in place in order to prevent the risk from taking place. If the risk does not materialise, naturally there will not be an impact.

Detective controls, on the other hand, are put in place to identify/detect occurrences where the risk has already materialised.

Shouldn’t you use preventative controls only and eliminate the need for detective controls? Ideally, preventative controls should always be in place. In practice, there are a few reasons why detective controls are also required:

• Preventative controls can be too expensive, complicated or otherwise impractical (too rigid) to implement
• Preventative controls do not completely prevent the risk from materialising
• The risk is high-impact and additional controls are desirable

As a simple example, let’s think of the process of opening the till in a supermarket. The risk is theft from the till. To manage this, we can put in place the following controls:

As preventative controls:

• Assign individual login credentials to anyone who needs to access the till
• Setup the till such that it can only be opened when there is a cash transaction happening

As a detective control: Cash reconciliation at the end of each day.

As you see in the simple example above, despite detective controls being put in place, the risk that theft happens is still present. We need to acknowledge that the preventative controls can be overridden through human action and therefore rendered ineffective. These are examples of situations of when detective controls would be needed.

Why not use only detective controls? If the theft has already occurred, the impact of the risk has taken place. You may not be able to recoup the money back. When a risk is worth managing, it is generally most efficient and effective to try to prevent it from happening in the first place, rather than try to eliminate its impact later on.

Taking this concept into the world of access management in SAP, we believe that access controls should entail a balance between detective and preventive measures.

An example of a preventive control measure is through restricting access to known SAP access risks. For example: One common access risk is the theft of cash during the vendor payment process. These are the steps that should be taken in order to manage this risk:

• First of all, this risk should be added into the rulebook in order to ensure that it is included in the formal access management process and is actively monitored.
• Secondly, restricting access fundamentally requires the right access rights to be given to the correct users. Having a task-based role design can help ensure that users only have access to SAP functionality required for their jobs. This requires roles to be well-built and only contain access to perform particular tasks. For example: The role for ‘vendor payment’ should only give access to make payments to vendors and nothing else. Likewise, other roles (such as the role to ‘post vendor invoices’) should not inadvertently give access to make payments to vendors.
• Thirdly, roles should then only be assigned to users who perform this task. This requires a strong internal access provisioning process in place.

On the other hand, detective controls are meant to compensate for weaknesses (or even an absence) of preventative controls. They usually are more focused on areas which have been identified as having weak/insufficient preventative controls. The detective controls then act as a monitoring system which identifies occurrences (e.g. fraudulent payment transactions) where risks have been violated.

What combination of preventative and detective controls do you need? This depends on the risks present in your business processes. There are several factors to consider, including the impact and likelihood of each risk in the process, availability of effective detective controls, and any costs/efforts required to establish the controls. We recommend that you take a look at our blog article on how to identify risks and design controls in your business process.

If you would like more guidance, drop us a line and we would be happy to have a chat with you!