Introduction

Organisations that rely primarily on detection controls operate reactively, while those that embed both detection and prevention controls operate strategically and proactively. The difference is not procedural but strategic; adopting both prevention and detection controls early provides benefits that far outweigh the financial, operational and reputational rewards.

Prevention controls are designed to stop irregularities before they occur. These controls are embedded within procurement planning, evaluation design, approval workflows, and system permissions. Segregation of duties, conflict-of-interest declarations, independent verification of compliance documentation, clear evaluation criteria, and structured pre-award due diligence are all examples of controls intended to mitigate or reduce risk in advance.

Detection controls, by contrast, identify issues after they occur. These include post-award audits, forensic investigations, data analytics exception reports, and regulatory or parliamentary inquiries.

From a forensic standpoint, detection controls answer the question of what happened and who was responsible. From a probity standpoint, prevention focuses on how to reduce the likelihood of the issue arising at all. Therefore, the combination of both serves a greater purpose.

As reported by TimesLIVE in November 2025, parliamentary testimony regarding a high-value public-sector health services contract illustrates the tension between procedural compliance and effective prevention. Multiple layers of evaluation, quality assurance and adjudication were reportedly followed before the award was approved, and the process appeared structured and documented.

However, it later emerged that serious concerns, including issues relating to tax compliance and potential risk indicators, were raised before the final award but were reportedly not known to the adjudication committee at the time of approval. This distinction is critical because a process may follow prescribed steps and still fail if material risk information does not reach decision-makers before commitment occurs.

Therefore, layered approvals alone do not constitute effective prevention. Prevention also depends on whether decision-makers have timely access to relevant intelligence. Such intelligence must be validated, documented and considered as part of the process before any decision or action is taken.

Early and independent probity involvement in such processes can assist in testing whether all relevant risk information has been appropriately verified and communicated before final approval is granted.

While public procurement cases often receive national attention, the governance lessons are not sector-specific. The distinction between government and corporate environments does not eliminate these risks; it merely changes the regulatory context, as the underlying governance principles remain universal.

A balanced approach that integrates both prevention and detection controls is relevant wherever fiduciary responsibility exists. However, the greatest value arises when prevention mechanisms operate early enough to influence outcomes, rather than relying primarily on detection after loss has occurred. Whether funds involve public money or shareholder capital, weaknesses such as unmanaged conflicts, incomplete verification of mandatory documentation, information silos, weak specifications and untested assumptions can produce the same outcome: avoidable loss and institutional damage.

Reactive investigations frequently reveal that warning signs were visible long before losses materialised.

Common patterns include:

  • Incomplete compliance verification.
  • Risk information not escalated across committees.
  • Overreliance on documentation without substantive validation.
  • Approval layers that assume earlier checks were sufficient.

By the time detection mechanisms activate, contracts are awarded, funds committed, and reputational exposure is underway. Forensic work may establish accountability and recover partial losses. However, it cannot fully reverse operational disruption or reputational harm. A combination of prevention and detection controls therefore strengthens the control environment and significantly reduces the risk of loss.

Probity oversight adds the greatest value when engaged early in the public procurement lifecycle.

A proactive probity approach usually includes:

  • Reviewing tender strategies before publication
  • Testing evaluation criteria for clarity and fairness
  • Validating compliance verification processes
  • Monitoring bid committee conduct
  • Confirming that adverse intelligence is escalated appropriately.

In this way, probity shifts from a retrospective observer to an active risk-prevention partner. When prevention controls are strong, detection operates as a safety net rather than the organisation’s primary defence against risk.

Forensic investigations provide essential backward-looking clarity by reconstructing timelines, identifying breakdowns and establishing responsibility.

However, their real value lies in strengthening future prevention.

Organisations should use forensic insights to:

  • Enhance vendor vetting procedures
  • Implement independent tax and regulatory verification
  • Establish escalation triggers for adverse information
  • Improve cross-functional information sharing
  • Embed real-time compliance validation before award.

When forensic insight informs system redesign, detection supports prevention rather than merely responding to failure.

In our experience, governance failures are rarely confined to financial statements. In high-profile procurement matters, concerns have sometimes been raised internally before becoming public controversies. Where prevention controls are weak, institutions often depend on individuals to expose irregularities.

That is not a sustainable governance model, as the aim of strong prevention systems should be to protect more than institutional assets. In environments where escalation mechanisms are unclear or ineffective, personal and professional risk can increase for those who raise concerns. Prevention is therefore not only a financial safeguard; it is an institutional protection mechanism, with its impact significantly enhanced by effective detection controls.

Strong governance does not eliminate detection controls. Internal audit, forensic investigation, and regulatory oversight remain essential for assurance and accountability. However, they should not be the primary defence.

The most resilient organisations are built on:

  • A balanced control environment that integrates both prevention and detection mechanisms
  • Early probity involvement
  • Integrated risk information sharing
  • Continuous monitoring
  • Forensic-informed improvement.

In such environments, detection confirms that controls are working rather than compensating for their absence.

An effective control environment relies on a deliberate balance between prevention and detection controls, with early prevention action forming the foundation of effective risk management. While prevention reduces the likelihood of risk materialising, detection remains important as a complementary safeguard.

Organisations that integrate both strategically are better positioned to anticipate, mitigate and respond to potential risks while protecting financial, operational and reputational integrity. By emphasising this balance, organisations can strengthen their controls and enhance overall resilience.

References: TimesLIVE, 2025. How Cat Matlala landed a R360m SAPS tender. 20 November. Available at: https://www.timeslive.co.za/news/south-africa/2025-11-20-how-cat-matlala-landed-a-r360m-saps-tender/.