1. The Institute of Internal Auditors (IIA), Global Technology Audit Guide (GTAG) 1: Information Technology Controls, 2nd Edition. Page 6, under the section "Types of IT Controls," defines preventive controls as those "designed to prevent an error, omission, or malicious act from occurring." It lists "Authorization (e.g., of a transaction)" as a key example of a preventive control. Option C is a direct application of authorization.
2. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control — Integrated Framework (2013) Executive Summary. Page 6, under "Control Activities," states that control activities are the actions established to help ensure management directives are carried out. Principle 11, "Selects and Develops Control Activities," includes authorizations and approvals as a common type of control activity. This pre-emptive approval process is inherently preventive.
3. Sawyer, L. B., Dittenhofer, M. A., & Scheiner, J. H. (2019). Sawyer's Internal Auditing: The Practice of Modern Internal Auditing (7th ed.). The IIA Research Foundation. Chapter 10, "Control," classifies controls by function. Preventive controls are described as those that deter the occurrence of unwanted events. The pre-approval of access rights (Option C) fits this definition, whereas log reviews (Option B) and notifications (Option D) are classified as detective controls.