How Many of Your Primary Controls Are Preventive?

When I started my auditing career during the rollout of Sarbanes-Oxley, there was sustained debate within the industry as to which type of internal control was better: preventive or detective. While preventive controls are intended to prevent unauthorized or unwanted activities and variances from the established process, some argue that such events are bound to occur. Organizations should therefore focus intently on detective controls to find and correct errors.

Nearly 20 years later and in the wake of numerous high-profile cyberattacks, it would be hard to deny that the most effective controls are the ones that prevent material risks to the organization’s operational, financial, and information systems. As a basic example, think of the need to protect a home from unwanted theft and property damage. A functional door, gate locks, and ample light are all measures that protect the homeowner by preventing an unwanted outcome. Security cameras are like a detective control — they record what happened but are not designed to actively prevent a thief from breaking into your house.

Given the rising number of cyberattacks, it’s not surprising to see organizations implementing controls around asset management, requiring multi-factor authentication, conducting internal white-hat hacking exercises, implementing user access controls, and providing employee information security training, among many other preventive controls. These activities are valuable because, given the severity of many cyberattacks, the damage will likely be deep and costly before the point at which detective controls alert the organization to the event.

Measuring the percentage of primary controls that are preventive can help a CFO think more deeply about the kind of controls the organization has in place. Based on benchmarking data from more than 500 companies, APQC finds that seven out of every 10 controls are preventive for companies that fall in the 75th percentile. By contrast, fewer than half of controls (45%) are preventive for organizations in the 25th percentile. As a result, these organizations may see that instances of fraud or cyberattacks are taking place but will have fewer ways to prevent them in the first place. They may also be missing opportunities for easy wins that help make their organizations much more secure.

Easy Wins

Many of the most effective preventive controls are also the most straightforward and do not require significant resources investments. For example, leaders’ tone from the top around integrity, business ethics, and compliance with policy helps drive a business culture that takes those issues seriously. Implementing multi-factor authentication (a standard feature in many cloud-based solutions) and providing information security training to employees are also both easy wins that make it much more difficult for cybercriminals to get a foothold in systems.

Automation and artificial intelligence make it easier than ever to embed preventive controls into business processes. For example, leading travel and entertainment expense management solutions use AI to flag transactions that fall outside of policy. Rather than having to chase down employees for repayment, these solutions proactively stop the payment from happening in the first place. In addition, many enterprise resource planning systems like SAP and Oracle will automatically flag conflicts in systems access to maintain segregation of duties so that no single employee can make fraudulent payments and cover his or her tracks.

Structure and Governance 

Whether preventive or detective, controls must sit within the right governance structure and be more than just an afterthought. Chris Doxey, a subject matter expert who collaborated with APQC to research internal controls, recommends that functional areas like accounts payable and accounts receivable should own the controls in their respective areas with oversight from a centralized internal controls group. That helps ensure controls are directly embedded into business processes. Process owners are accountable for regularly (i.e., at least quarterly) testing for weaknesses, looking for improvement opportunities, and updating their controls. Detective controls play a big role in this regard by helping accountable parties self-assess controls’ effectiveness.

Detective controls certainly have their place and should not be trivialized within the internal control framework. Can you imagine being hacked in January and not knowing about it until April? However, if the organization has a choice as to how it will allocate resources like time and people to controls, the greatest allocation should be put toward designing, implementing, and executing preventive controls. Giving ownership of these controls to functional areas and implementing a regular cadence of review help ensure that controls are responsive to the realities of the processes they protect.

(Source:  AICPA-CIMA – CPA Letter Daily – September 3, 2021)