Exercitation ullamco laboris nis aliquip sed conseqrure dolorn repreh deris ptate velit ecepteur duis.
Controls are put in place in order to manage a risk. By putting a control in place, we can manage the impact of the risk, either by preventing it from taking place in the first place or to deal with the impact after it has taken place.
What are preventative and detective controls?
Simply put, preventative controls are those which are put in place in order to prevent the risk from taking place. If the risk does not materialise, naturally there will not be an impact.
Detective controls, on the other hand, are put in place to identify/detect occurrences where the risk has already materialised.
Shouldn’t you use preventative controls only and eliminate the need for detective controls? Ideally, preventative controls should always be in place. In practice, there are a few reasons why detective controls are also required:
As a simple example, let’s think of the process of opening the till in a supermarket. The risk is theft from the till. To manage this, we can put in place the following controls:
As preventative controls:
As a detective control: Cash reconciliation at the end of each day.
As you see in the simple example above, despite detective controls being put in place, the risk that theft happens is still present. We need to acknowledge that the preventative controls can be overridden through human action and therefore rendered ineffective. These are examples of situations of when detective controls would be needed.
Why not use only detective controls? If the theft has already occurred, the impact of the risk has taken place. You may not be able to recoup the money back. When a risk is worth managing, it is generally most efficient and effective to try to prevent it from happening in the first place, rather than try to eliminate its impact later on.
Taking this concept into the world of access management in SAP, we believe that access controls should entail a balance between detective and preventive measures.
An example of a preventive control measure is through restricting access to known SAP access risks. For example: One common access risk is the theft of cash during the vendor payment process. These are the steps that should be taken in order to manage this risk:
On the other hand, detective controls are meant to compensate for weaknesses (or even an absence) of preventative controls. They usually are more focused on areas which have been identified as having weak/insufficient preventative controls. The detective controls then act as a monitoring system which identifies occurrences (e.g. fraudulent payment transactions) where risks have been violated.
What combination of preventative and detective controls do you need? This depends on the risks present in your business processes. There are several factors to consider, including the impact and likelihood of each risk in the process, availability of effective detective controls, and any costs/efforts required to establish the controls. We recommend that you take a look at our blog article on how to identify risks and design controls in your business process.
If you would like more guidance, drop us a line and we would be happy to have a chat with you!