Certified Information Systems Auditor (CISA) — Question 1371

A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?

Answer options

• A. Rotation of log monitoring and analysis responsibilities
• B. Additional management reviews and reconciliations
• C. Mandatory vacations
• D. Third-party assessments

Correct answer: B

Explanation

The correct answer is B because additional management reviews and reconciliations can help identify and mitigate risks associated with limited segregation of duties. The other options, while beneficial, do not provide the same level of oversight and control as increased management reviews, making them less effective in this scenario.