PrepAway - Latest Free Exam Questions & Answers

The BEST response the auditor can make is to:

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management, the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:

A. review the integrity of system access controls.

B. accept management’s statement that effective access controls are in place.

C. stress the importance of having a system control framework in place.

D. review the background checks of the accounts payable staff.

Explanation:
Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative controls
may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the
cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a
comprehensive control framework is needed. Intelligent design should permit additional detective and corrective
controls to be established that don’t have high ongoing costs, e.g., automated interrogation of logs to highlight
suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but,
for the reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the
IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses
that give rise to unacceptable risks to the organization and work with management to have these corrected.
Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

