Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
A. Require written authorization for all payment transactions.
B. Review payment transaction history.
C. Reconcile payment transactions with invoices.
D. Restrict payment authorization to senior staff members.
The correct answer is C because there is no dual control due to the system limitation; the only compensating control here is to reconcile each transaction with the invoice in order to ensure the accuracy of the transaction processed.
When Segregation of Duties (SoD) cannot be enforced due to system limitations, the IS auditor must recommend a compensating control that reduces the risk of unauthorized or fraudulent payments.
Written authorization for all payment transactions provides a formal approval process that adds a layer of oversight, helping to:
Prevent unauthorized payments,
Provide audit trails, and
Ensure accountability.
This control directly addresses the risk arising from the lack of SoD.
Why not the others?
B. Review payment transaction history
➤ This is a detective control and usually performed after transactions, which is less effective than preventive controls.
C. Reconcile payment transactions with invoices
➤ Important but also detective in nature; it doesn’t prevent unauthorized payments upfront.
D. Restrict payment authorization to senior staff members
➤ Restricting authorization is good but without a formal written approval process, it may lack accountability and evidence.
In system environments where SoD is not possible, independent and periodic review of payment history is the most realistic and effective compensating control.
This is useful for detecting user abuse and curbing the occurrence of fraud.
When segregation of duties can't be enforced, the best compensating control is implementing robust and regular reconciliations (option C) to independently verify the accuracy, validity, and authorization of accounts payable transactions.
Reconciliation is typically a post-transaction control and might not catch fraud or errors in the payment process before the transaction is authorized. Hence the answer is A.
I go with A. It says there is a system limitation, meaning they will have to use what they already have. Can't assign more work or responsibility since they've got no people. Hence, the best option is to create an authorization system in between.
They mentioned that SoD cannot be carried out, hence D cannot be the answer.
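To make the debate above concrete, here is an added example (editorial, not part of the question or of any commenter's post) of what a reconciliation of payments against approved invoices, as in option C, actually catches when the system itself cannot enforce SoD. It goes a little beyond the literal "payment vs invoice" match: it also flags duplicate payments of one invoice and the case where the invoice approver is the same user who entered the payment, which is exactly the conflict the system could not block and which this detective control surfaces after the fact. All records, user names, vendors and amounts are constructed sample data; the field names and exception codes are assumptions.

```python
"""Reconciliation of accounts-payable payments against approved invoices.

Added illustration, not code from the original page. All data below is
constructed; field names, user IDs, vendors and amounts are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    approved_by: str        # user who approved the invoice for payment


@dataclass(frozen=True)
class Payment:
    payment_id: str
    invoice_id: str
    vendor: str
    amount: float
    entered_by: str         # user who keyed / released the payment


# Constructed sample data: one clean payment plus one of each anomaly.
INVOICES: List[Invoice] = [
    Invoice("INV-1001", "Acme Ltd", 1200.00, "alice"),
    Invoice("INV-1002", "Globex", 800.00, "bob"),
    Invoice("INV-1003", "Initech", 450.00, "carol"),
]

PAYMENTS: List[Payment] = [
    Payment("PAY-1", "INV-1001", "Acme Ltd", 1200.00, "dave"),   # clean
    Payment("PAY-2", "INV-1002", "Globex", 980.00, "dave"),      # amount mismatch
    Payment("PAY-3", "INV-1003", "Initech", 450.00, "carol"),    # approver also paid
    Payment("PAY-4", "INV-1003", "Initech", 450.00, "dave"),     # duplicate payment
    Payment("PAY-5", "INV-9999", "Shady Co", 300.00, "dave"),    # no invoice at all
]


def reconcile(invoices: List[Invoice], payments: List[Payment]) -> Dict[str, List[str]]:
    """Return {payment_id: [exception codes]} for every payment failing a check.

    The checks mirror what a manual reconciliation against invoices would do:
      NO_INVOICE       payment references no approved invoice
      VENDOR_MISMATCH  payee differs from the invoice vendor
      AMOUNT_MISMATCH  amount paid differs from the invoiced amount
      SOD_CONFLICT     invoice approver also entered the payment (the SoD the
                       system could not enforce, detected after the fact)
      DUPLICATE        the same invoice was paid more than once
    """
    by_id = {inv.invoice_id: inv for inv in invoices}
    times_paid = Counter(p.invoice_id for p in payments)
    exceptions: Dict[str, List[str]] = {}
    for p in payments:
        codes: List[str] = []
        inv = by_id.get(p.invoice_id)
        if inv is None:
            codes.append("NO_INVOICE")
        else:
            if p.vendor != inv.vendor:
                codes.append("VENDOR_MISMATCH")
            if abs(p.amount - inv.amount) > 0.005:   # cent-level tolerance
                codes.append("AMOUNT_MISMATCH")
            if p.entered_by == inv.approved_by:
                codes.append("SOD_CONFLICT")
            if times_paid[p.invoice_id] > 1:
                codes.append("DUPLICATE")
        if codes:
            exceptions[p.payment_id] = codes
    return exceptions


if __name__ == "__main__":
    # Expected exceptions: PAY-2, PAY-3, PAY-4, PAY-5; PAY-1 reconciles cleanly.
    for pid, codes in reconcile(INVOICES, PAYMENTS).items():
        print(pid, ", ".join(codes))
```

Note that every one of these findings is raised after the money has moved, which is the point the comments favouring A make against C: the reconciliation proves whether a payment was valid and authorized, it does not stop an invalid one from being released.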
Community vote distribution: A (35%), C (25%), B (20%), other.
Commenters and post ages as extracted (not matched to individual comments above):
Pauloludele (Highly Voted, 2 years, 9 months ago)
Greens (Most Recent, 3 weeks, 3 days ago)
cisaisff (3 months ago)
IFBBPROSALCEDO (3 months, 3 weeks ago)
TranquiRelax (6 months ago)
NoKev (10 months, 3 weeks ago)
Veexx (11 months, 2 weeks ago)
a84n (1 year, 2 months ago)
5b56aae (1 year, 2 months ago)
OD1N (1 year, 7 months ago)
CISA2021 (1 year, 5 months ago)
MunaM (2 years, 10 months ago)
abeedfarooqui86 (1 year, 11 months ago)