Types of Controls in IT Compliance
IT Compliance supports multiple control types depending on how they operate and how they're validated.
| Required Editions |
|---|
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
Control Types Overview
Compliance controls fall into categories based on when they operate (before, during, or after a non-compliant activity) and how they're validated (automated, manual, or external). Use this table to understand which control type fits each compliance scenario and how to test each type.
| Control Type | Description and Validation | Example |
|---|---|---|
| Validation Control | An automated control that runs as part of a validation procedure, checking compliance requirements in real-time as business processes execute. Executed automatically through validation procedures with test results recorded in Compliance Control Version Test Execution records. | A validation control attached to the Incident Close process verifies that every incident marked as Resolved has a root cause analysis documented before closure. If the analysis is missing, the control prevents closure and displays an error message to the incident owner. |
| Non-Validation Control | A manual or external control that operates outside of automated validation procedures. Evidence is logged through the Compliance Logging API or uploaded manually as evidence artifacts. | A quarterly manual review of production access logs to verify no unauthorized access occurred. The IT security team exports access logs, reviews them for anomalies, documents the findings in a report, and uploads the report as an evidence artifact linked to the non-validation control. |
| Preventive Control | A control that stops non-compliant activities before they occur. Tested by attempting to execute the non-compliant activity and verifying that the control blocks it. | A preventive control that blocks change requests from being approved unless they include a completed risk assessment. If a change owner attempts to submit a change without a risk assessment, the control prevents submission and displays a message: "Risk assessment is required for all production changes per Change Management Policy." |
| Detective Control | A control that identifies non-compliant activities after they occur. Tested by creating a non-compliant record and verifying that the control detects it. | A detective control that scans incident records daily for missing root cause analysis on incidents marked as Resolved. When the control detects a violation, it creates a Compliance Finding and notifies the incident owner and compliance team. |
| Corrective Control | A control that fixes non-compliant activities after they're detected. Tested by triggering a non-compliant scenario and verifying that the control corrects it. | A corrective control that automatically escalates incidents without root cause analysis to the compliance team seven days after resolution. The control detects the missing analysis, reassigns the incident to a compliance reviewer, and updates the incident status to Pending Compliance Review. |
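The following Python sketch is an added example, not Salesforce code: it does not model the IT Compliance objects, validation procedures, or the Compliance Logging API mentioned above. It shows, over constructed incident records, the timing difference between the preventive, detective, and corrective rows of the table (block before the change, report after it, repair after a grace period) and the test each row prescribes. The `Incident` shape, the seven-day escalation, and the `Pending Compliance Review` status follow the table's scenarios; the function and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed incident record (assumption: not the Salesforce Incident object).
@dataclass
class Incident:
    number: str
    status: str
    owner: str
    root_cause: Optional[str] = None
    resolved_on: Optional[date] = None
    findings: List[str] = field(default_factory=list)


class ControlBlocked(Exception):
    """Raised by the preventive control when it refuses a non-compliant action."""


def close_incident(inc: Incident, today: date) -> Incident:
    """Preventive control: evaluated before the state change, and the change
    never happens when the root cause analysis is missing."""
    if not inc.root_cause:
        raise ControlBlocked(f"{inc.number}: root cause analysis is required before closure")
    inc.status = "Resolved"
    inc.resolved_on = today
    return inc


def detect_missing_rca(incidents: List[Incident]) -> List[str]:
    """Detective control: runs after the fact over existing records and records
    a finding for each violation without modifying the incident's state."""
    findings = []
    for inc in incidents:
        if inc.status == "Resolved" and not inc.root_cause:
            finding = f"Compliance Finding: {inc.number} resolved without root cause analysis"
            inc.findings.append(finding)
            findings.append(finding)
    return findings


def escalate_stale_rca(incidents: List[Incident], today: date,
                       grace_days: int = 7, reviewer: str = "compliance-reviewer") -> List[str]:
    """Corrective control: reassigns violations that are older than the grace
    period and moves them into Pending Compliance Review."""
    escalated = []
    for inc in incidents:
        stale = inc.resolved_on is not None and (today - inc.resolved_on).days >= grace_days
        if inc.status == "Resolved" and not inc.root_cause and stale:
            inc.owner = reviewer
            inc.status = "Pending Compliance Review"
            escalated.append(inc.number)
    return escalated


def run_control_tests(today: date) -> dict:
    """Exercise each control the way the table says it is tested."""
    results = {}

    # Preventive: attempt the non-compliant action and confirm it is blocked
    # and that the record is left untouched.
    open_inc = Incident("INC-0001", "In Progress", "alice")
    try:
        close_incident(open_inc, today)
        results["preventive_blocked"] = False
    except ControlBlocked:
        results["preventive_blocked"] = open_inc.status == "In Progress"

    # Detective: seed non-compliant records (constructed; think of data that
    # arrived through a path the preventive control does not cover) and
    # confirm the scan finds exactly the violating ones.
    legacy = [
        Incident("INC-0002", "Resolved", "bob", resolved_on=today - timedelta(days=10)),
        Incident("INC-0003", "Resolved", "carol", root_cause="disk full",
                 resolved_on=today - timedelta(days=10)),
        Incident("INC-0004", "Resolved", "dave", resolved_on=today - timedelta(days=2)),
    ]
    results["detective_findings"] = len(detect_missing_rca(legacy))

    # Corrective: trigger the scenario and confirm only the record past the
    # grace period is repaired; the two-day-old one is left for the owner.
    results["corrective_escalated"] = escalate_stale_rca(legacy, today)
    results["corrective_status"] = legacy[0].status
    return results


if __name__ == "__main__":
    print(run_control_tests(date(2024, 6, 1)))
```

The point of keeping the three controls as separate functions is that each is tested differently: the preventive one is tested by attempting the violation, the detective one by planting violations, and the corrective one by letting a detected violation age past the threshold. A single "check for missing RCA" helper would hide that distinction.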