An IS auditor reviewing an accounts payable system discovers that audit logs are not being
reviewed. When this issue is raised with management the response is that additional controls are
not necessary because effective system access controls are inplace. The BEST response the
auditor can make is to:

A.
review the integrity of system access controls.

B.
accept management’s statement that effective access controls are in place.

C.
stress the importance of having a system control framework in place.

D.
review the background checks of the accounts payable staff.

Explanation:
Experience has demonstrated that reliance purely on preventative controls is dangerous.
Preventative controls may not prove to be as strong as anticipated or their effectiveness can
deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid
management concern. However, in a high-risk system a comprehensive control framework is
needed, intelligent design should permit additional detective and corrective controls to be
established that don’t have high ongoing costs, e.g., automated interrogation of logs to highlight
suspicious individual transactions or data patterns. Effective access controls are, in themselves, a
positive but, for reasons outlined above, may not sufficiently compensate for other control
weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental
obligation to point out control weaknesses that give rise to unacceptable risks to the organization

and work with management to have these corrected. Reviewing background checks on accounts
payable staff does not provide evidence that fraud will not occur.