Certified Information Systems Auditor (CISA) — Question 323

Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?

Answer options

• A. Variance reporting
• B. Exception reporting
• C. Audit trail
• D. Independent reviews

Correct answer: D

Explanation

Independent reviews are essential in a small organization where segregation of duties is limited, as they provide an external check on processes and help prevent fraud or errors. Variance reporting, exception reporting, and audit trails are useful but do not offer the same level of oversight and assurance that independent reviews do.