Certified Information Systems Auditor (CISA) — Question 500

A business unit cannot achieve desired segregation of duties between operations and programming due to size constraints. Which of the following is MOST important for the IS auditor to identify?

Answer options

• A. Unauthorized user controls
• B. Compensating controls
• C. Controls over operational effectiveness
• D. Additional control weaknesses

Correct answer: B

Explanation

The correct answer is B, as compensating controls are essential in situations where segregation of duties cannot be fully achieved. They help mitigate risks associated with combining roles. The other options focus on different aspects of control but do not directly address the need for alternatives in duty segregation.