How would you define the differences between preventative, detective, and responsive controls? What are some examples of each? Can these different controls overlap or are they independent of each other working as security layers and risk control?
Detective controls are internal controls designed to identify problems that already exist. Audits are an example of a detective control. Monthly reconciliation of bank accounts, review and verification of refunds, reconciliation of petty cash accounts, audits of payroll disbursements or conducting physical inventory are all examples of detective controls. Preventive and detective controls are often required in combination to provide sufficient protection. Computer systems require preventive controls through acceptable use and access control. Computer usage logs must be kept. Logs are a form of detective control to be reviewed and audited at regular intervals.
Examples of this type are:
Many preventive controls are based on the concept of separating duties. Examples include prohibiting the same person from conducting related transactions such as initiating and recording transactions; making purchases and approving payments; ordering and accepting inventory; approving vendors and making payments; receiving bills and approving payments; and authorizing returns and issuing refunds. Payroll preparation and distribution duties, and approving, writing and signing checks, should also be done by different people. Examples of internal controls built around the concept of authorization, approval and verification include requiring supervisory review and approval of payroll information before disbursement, requiring interdepartmental dual authorization of payroll data by the accounting and human resources departments, and requiring prior approval of credit customers, vendors and purchases.
Examples of this type of control are:
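As an added example (not part of the original answer), the Python below implements the segregation-of-duties rule from the answer, "the person who initiates a transaction must not also approve it", twice: once as a preventive control that rejects a self-approval before the transaction posts, and once as a detective control that audits a log of already-posted transactions and reports what slipped through, including refunds that posted with no approver at all. This is the overlap the question asks about: one rule, enforced at two different points. The transaction records, user names and amounts are constructed for illustration only.

```python
"""Preventive vs detective control over one segregation-of-duties rule.

Added example; the records, names and amounts are constructed, not taken
from the original answer.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    txn_id: int
    kind: str                  # "payment" or "refund"
    initiator: str             # who created the transaction
    approver: Optional[str]    # who approved it; None if it never was
    amount: int


class ControlViolation(Exception):
    """Raised by the preventive control when an action would break a rule."""


def violates_separation_of_duties(txn: Transaction) -> bool:
    """The single rule shared by both controls: initiator and approver must differ."""
    return txn.approver is not None and txn.approver == txn.initiator


def approve(txn: Transaction, approver: str) -> Transaction:
    """Preventive control: checked at approval time, before the transaction posts.

    A violating approval is refused, so the bad state never reaches the ledger.
    """
    candidate = Transaction(txn.txn_id, txn.kind, txn.initiator, approver, txn.amount)
    if violates_separation_of_duties(candidate):
        raise ControlViolation(
            f"txn {txn.txn_id}: {approver} initiated this {txn.kind} and may not approve it"
        )
    return candidate


def audit(log: list[Transaction]) -> list[str]:
    """Detective control: periodic review of transactions that already posted.

    Catches records that bypassed the preventive check (for example through a
    direct database edit or an older code path) and refunds with no approver.
    """
    findings = []
    for txn in log:
        if violates_separation_of_duties(txn):
            findings.append(f"txn {txn.txn_id}: {txn.initiator} both initiated and approved")
        if txn.approver is None:
            findings.append(
                f"txn {txn.txn_id}: {txn.kind} of {txn.amount} posted without approval"
            )
    return findings


# Constructed sample log: records 2 and 4 are the ones an auditor should flag.
SAMPLE_LOG = [
    Transaction(1, "payment", "alice", "bob", 1200),
    Transaction(2, "payment", "carol", "carol", 9800),   # self-approved
    Transaction(3, "refund", "dave", "erin", 75),
    Transaction(4, "refund", "dave", None, 4100),        # never approved
    Transaction(5, "payment", "alice", "bob", 300),
]


def demo() -> tuple[list[str], list[str]]:
    """Run both controls; returns (messages from prevention, findings from audit)."""
    prevented = []
    pending = Transaction(6, "refund", "frank", None, 250)
    approve(pending, "grace")          # a different person: allowed
    try:
        approve(pending, "frank")      # the initiator: blocked before it posts
    except ControlViolation as exc:
        prevented.append(str(exc))
    return prevented, audit(SAMPLE_LOG)


if __name__ == "__main__":
    blocked, found = demo()
    print("Preventive control blocked:", *blocked, sep="\n  ")
    print("Detective control found:", *found, sep="\n  ")
```

The preventive check only helps on the code path that calls approve(); the audit is what catches record 2, which could only have posted by some path that skipped it, and record 4, which nobody ever approved. That is why the answer says the two kinds are usually needed together.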