Certified Information Systems Auditor (CISA) — Question 1368

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Answer options

• A. Require written authorization for all payment transactions.
• B. Review payment transaction history.
• C. Reconcile payment transactions with invoices.
• D. Restrict payment authorization to senior staff members.

Correct answer: A

Explanation

Requiring written authorization for all payment transactions serves as a strong compensating control by ensuring that there is documented approval, reducing the risk of fraud or error. The other options, while useful, do not provide the same level of preventive control; reviewing transaction history and reconciling invoices are more reactive measures, and restricting authorization does not address the initial lack of segregation.