The most effective approach to ensuring compliance involves a combination of preventive and detective/corrective controls.

1. Modifying the application to automatically add the date and time is a preventive control. It directly addresses the root cause of the problem—human error or omission—by automating the required action. This is highly effective as it removes the possibility of the field being left blank.

4. Creating a report of non-compliant records and taking action is a detective and corrective control. It identifies instances where the control has failed (or for historical data) and ensures that these deviations are addressed, thereby maintaining compliance. This combination provides a robust solution.

2. Establish a communication plan...: This is a weak administrative control that relies on user memory and diligence, which the audit has already shown to be unreliable.

3. Develop a goals cascade...: This is a high-level governance activity. While important for overall alignment, it is too indirect to solve a specific, operational data entry problem.

1. Axelos. ITIL® 4: Direct

Plan and Improve. TSO (The Stationery Office)

2020.

Section 4.4.3

"Defining effective policies

controls

and guidelines

" explains that controls are the means of managing a risk. The combination of an automated

preventive control (Option 1) and a detective/corrective control (Option 4) represents a comprehensive risk mitigation strategy. The text emphasizes that controls can be automated to improve reliability.

Section 3.2.2

"The role of risk and risk management in DPI

" discusses treating risks. The risk of non-compliance is best treated by implementing effective controls. Automation (1) and reporting (4) are standard methods for mitigating operational risks.