Certified Information Systems Auditor (CISA) — Question 367

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Answer options

• A. Transaction log review
• B. Background checks
• C. Mandatory holidays
• D. User awareness training

Correct answer: A

Explanation

The best compensating control in this scenario is a Transaction log review, as it allows for monitoring of actions taken within the system, helping to identify any discrepancies or fraudulent activities. While Background checks, Mandatory holidays, and User awareness training are important, they do not provide the same level of oversight and accountability that transaction log reviews offer in mitigating risks associated with lack of segregation of duties.