Travel & Expense

Preventive and Detective Controls

on May 22, 2014

I recently read a great blog on GTI Travel about how strict travel policies are absolutely necessary in order to save money and prevent waste and abuse. While I agree that travel policies are important, just using a strict travel policy to stay on top of program spending is not the best thing for the overall business.

All travel policies are a form of a control. Controls are meant to “control” behavior to ensure things go smoothly and to reduce the likelihood of fraud. There are two types of controls: preventive and detective. Preventive controls happen before the spending, while detective controls happen “after the fact.” A few examples of preventive controls:

  1. Blocking certain merchant category codes (MCCs) on your corporate card.
  2. Having certain “rules” in place, for instance: the person approving the purchase order cannot be the same person who created the P.O.

You can set up all the preventive controls you want in order to prevent “bad” things from happening, but often with this approach the controls become too restrictive and get in the way of business.

Example: When the Internet first became widely used and accepted, everyone needed a firewall to protect their computers from hackers. If the firewall was configured for maximum security, you couldn’t use half the websites on the Internet, so you’d have to create enough permissions (often referred to as holes in the firewall) to allow you to leverage valuable websites. To cover the risk from these holes, companies deployed intrusion detection software to identify any hacker activity. This blend of preventive controls (firewalls) and detective controls (intrusion detection) struck the balance between risk and getting business done.

In my opinion, the best approach to managing travel spend is to find a way to balance preventive and detective controls. To truly support the business, you don’t want so many rules that they hinder business performance, but having a few rules is necessary. Detective controls, or monitoring after the fact, can take some of the burden off of the preventive controls, and allow businesses to catch some of the non-compliant spending that can fall through the cracks.

Patrick Taylor

Patrick Taylor is an authority in the convergence of business analytics, information security, and the implementation of technology to boost organizational performance. An innovator in his field, Patrick founded Oversight Systems in 2003 and served as President and CEO for 15 years. In this role, he helped hundreds of Fortune 1000 companies improve financial, accounting, and auditing processes. Previously, Patrick held leadership positions with Oracle, Symantec, and Internet Security Systems (ISS). Patrick has a bachelor’s degree in Mechanical Engineering from Georgia Tech and an MBA from the Harvard Business School.
