Question 36
Domain 2 — Risk Identification, Assessment, and Analysis
What is the difference between preventive and detective controls?
Correct answer: B
Explanation
Preventive controls are designed to stop an event before it happens, while detective controls are designed to identify events after they have occurred. This matches the distinction between blocking a risk in advance and finding it through monitoring or review.
Why each option is right or wrong
A. There is no difference
B. Preventive controls stop events; detective controls identify events that have occurred
Preventive controls operate before a loss or error can occur, so they are intended to block an unwanted transaction, access, or process failure in advance. Detective controls are applied after the fact to reveal that an event has already happened, such as through reconciliations, exception reports, or audits; the distinction is therefore timing-based, not merely a difference in strength or importance.
C. Preventive controls are always better
D. Detective controls are always more expensive