I'm studying for the CISSP exam and one of the video lecture points didn't quite make sense to me. The instructor was discussing access control administration areas and began categorizing certain things as "preventative" and "detective". For example, data encryption: preventative... data integrity checks: detective... backup power systems: preventative... user training: preventative AND detective....

When the topic came to audits, he labelled them as "detective". To a certain extent, I understand why this would be this way -- since we're looking for vulnerabilities, if we find them... we're detecting them.

At the same time though, I can't help but wonder if audits can also be considered as preventative in nature -- because we're looking for vulnerabilities ahead of time in an effort to prevent them from being exploited later.

What are your thoughts? Perhaps I'm over-thinking this?

Mike B

2 Answers

Much like recursion, to properly understand audits we must first understand the scope and usage of audits. Audits are used to determine compliance against a benchmark. Without said benchmark, the auditor has nothing to measure against. In some cases your benchmark may be a deeply technical document describing programming practices or operating system configurations. In other cases your benchmark may be as loose as "follow best practices as determined by $RANDOM_DEPT".

Thinking of them in this light, using your labels, audits should be classified strictly as 'detective'. So, this means that 'preventative' measures would be the benchmarks/standards/policies/whatever.

Consider the following:

In order to avoid unauthorized access by ex-employees all accounts are disabled upon separation.

In this scenario the policy to disable accounts is your preventative measure. During the course of an audit, your auditor would attempt to determine whether or not the policy is followed.

Scott Pack
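The disable-on-separation scenario in the answer above, as an added example (my own code, not from the answer or any real audit tool): the policy is the preventative control, and the reconciliation below is the detective audit that checks whether the policy was actually followed. The HR roster, the directory export and the one-day grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data: an HR separation list and a directory export,
# the two artefacts an auditor would compare for this policy.
@dataclass(frozen=True)
class Employee:
    user_id: str
    separated_on: Optional[date]  # None = still employed

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    disabled_on: Optional[date]  # None = no disable date recorded

HR_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2024, 3, 1)),
    Employee("carol", date(2024, 3, 15)),
    Employee("dave", date(2024, 2, 10)),
]
DIRECTORY = [
    Account("alice", True, None),
    Account("bob", True, None),                  # separated, still enabled
    Account("carol", False, date(2024, 3, 16)),  # disabled next day: compliant
    Account("dave", False, date(2024, 3, 20)),   # disabled weeks late
    Account("erin", True, None),                 # no HR record at all
]

def audit_separations(roster, directory, grace_days=1):
    """Detective check: does the directory reflect the 'disable on separation' policy?
    Returns (user_id, finding) pairs; an empty list means the benchmark was met."""
    separated = {e.user_id: e.separated_on for e in roster if e.separated_on}
    known = {e.user_id for e in roster}
    findings = []
    for acct in directory:
        if acct.user_id not in known:
            findings.append((acct.user_id, "orphan account with no HR record"))
        elif acct.user_id in separated:
            deadline = separated[acct.user_id] + timedelta(days=grace_days)
            if acct.enabled:
                findings.append((acct.user_id, "separated but still enabled"))
            elif acct.disabled_on is None:
                findings.append((acct.user_id, "disabled with no recorded date"))
            elif acct.disabled_on > deadline:
                late = (acct.disabled_on - deadline).days
                findings.append((acct.user_id, f"disabled {late} days after deadline"))
    return sorted(findings)
```

Each finding is evidence that the preventative control was not applied, which is exactly the detective output the answer describes; the fix is still to the policy or its execution, not to the audit.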

Audits are typically used for detection: detecting problems. Controls typically provide prevention: preventing intrusions.

However, you can use audits for more than just detecting intrusions. You can also use auditing to detect problems or shortcomings in your controls (e.g., compliance audits, network configuration audits), and/or to detect vulnerabilities (e.g., pen tests, source code review).

Consequently, audits can be useful for improving your controls and system defenses. Audits can be part of the feedback loop you use to improve the protections and controls you've deployed. Thus, audits can help improve your ability to prevent future intrusions, because they can help you determine whether your controls are implemented consistently and properly, and whether your controls are working effectively, and if not, indicate where the problems are so that you can devise ways to improve your controls. Put another way: audits can help you improve your controls, which improves your ability to prevent problems.

Is that what you're asking?

D.W.