Every organization should design a control structure to identify and address risks related to internal and external forces that impact an organization. This control structure includes four main types of Internal Controls:
- Manual Controls
- IT Dependent Manual Controls
- Application Controls
- IT General Controls
Preventive and Detective controls can be found within each of these four categories.
Detective vs Preventive Controls
What are preventive and detective controls and what is the difference between these controls?
- Preventive control is designed to identify and stop an issue from occurring.
- Detective control is designed to identify an issue upon occurrence.
In each case, management has defined the activity or trigger(s) of that activity that the control is reporting on. Preventive controls cannot be designed to identify and prevent every risk from occurring. Thus, detective controls are the other half of the control structure and attempt to identify those issues or risks not able to be managed through a preventive control that management has determined need to be addressed.
As an example of how both preventive and detective controls are found within the four main types of Internal Controls, a detective IT general control for security would be reporting to IS operations inappropriate attempts to access a system or application. The preventive IT general control for security would be locking out the user account after a predetermined number of failed attempts to access a system or application through that user’s account.
How Does This Relate to the AICPA Trust Services Criteria and SOC 2 Engagements?
If you think of the AICPA Trust Services criteria (and a SOC 2 engagement), preventive and detective controls are found within each criterion (Security, Availability, Processing Integrity, Confidentiality, Privacy).
The following are examples of potential preventive and detective controls for each AICPA Trust Services criteria. A specific criteria was selected to highlight the possible preventive and detective controls that could support that criteria.
- Security
- CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries
- Preventive: A firewall has been configured to only allow access through defined ports.
- Detective: The firewall is configured to alert appropriate parties of unauthorized attempts to access the environment through the firewall ports.
- CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
- Preventive: Regular patch updates are made to the system and operating tools.
- Detective: The system alerts appropriate parties of unauthorized modifications of critical configuration files.
- CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries
- Availability
- A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives
- Preventive: Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. Examples would be power surge protection or building designs protecting the structure from tornados.
- Detective: Detection measures are implemented to identify anomalies that could result from external events, such as power outages, and provide alerts of such anomalies to authorized personnel.
- A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives
- Processing Integrity
- PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives
- Preventive: Input parameters are designed to meet defined criteria in order for processing to begin.
- Detective: Processing errors outside of the allowed range of activity, as defined by the system, are identified, systematically logged, and alerted to management for investigation.
- PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives
- Confidentiality
- C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
- Preventive: Confidential information records are tagged with a specified deletion date. An automated job will run as scheduled, identify records meeting defined search criteria, and only delete such records.
- Detective: An error message is logged and sent to the system operators when a job fails whose purpose is to purge confidential information tagged for such action.
- C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
- Privacy
- P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
- Preventive: The system is designed so that only users defined to the system are allowed to access the system and information stored within it.
- Detective: Attempts to access a system by an unauthorized individual or tool are written to an event log and made available in a report designed to provide details on such events.
- P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
For SOC 1 engagements, entitled Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1), management is identifying the criteria (or control objectives) to test against. Often these criteria contain similar detective and preventive controls identified in a SOC 2 engagement.
What Works Best: Preventive Controls, Detective Controls, or a Combination of Both?
Preventive controls are more desirable than detective controls because the objective is to stop the error or issue before it even occurs. As stated at the beginning of this article, preventive controls cannot be designed to address every risk. Thus, the combination of preventive and detective controls provides for a stronger overall control structure for an organization. It must be noted that identifying, designing, and implementing a strong control structure is not complete without regular reviews of such control structure to analyze and adjust it to meet the ever-changing company risks, focus, goals, etc., from both an internal and external perspective. In addition, such a process does not guarantee identification of all potential risks that a company is facing or may face.
Summary
Preventive and detective controls are complimentary foundations in a company’s control structure with preventive controls working to stop an identified risk from occurring and detective controls working to report on or alert that the identified risk has occurred. SOC 1 and SOC 2 procedures present opportunities to evidence how both controls support a company’s overall control structure.
Linford & Co is an independent auditing firm. If you are interested in learning more about our services or would like assistance with an upcoming attestation, please contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.