Certified Internal Auditor (CIA) Part 1: Business Acumen — Question 228
During the annual fraud risk assessment, an organization identified that an employee in the accounts payable department has the ability to both enter a new vendor into the system and process payments to the vendor. Which of the following is a preventative control that an auditor would propose to reduce the risk in this scenario?
Answer options
- A. New vendors may only be added into the vendor management system by employees in the procurement department.
- B. Vendor payments may only be processed by employees in the accounts payable department.
- C. An anonymous employee hotline is established for employees to report any suspicious activity they witness regarding payments to vendors.
- D. The vendor management system activity log is reviewed by management on a weekly basis for suspicious transactions.
Correct answer: B
Explanation
The correct answer, B, establishes a separation of duties by limiting payment processing to accounts payable employees, thereby reducing the risk of fraud. Option A would restrict vendor creation but does not address the payment processing risk. Option C is a reactive measure rather than a preventive control, and Option D is a monitoring measure rather than a preventive one.