CISA
QUESTION #6824
Question 1
An organization implements compensating controls because technical separation of duties is not feasible in a small IT department. What must the auditor verify for these compensating controls to be acceptable?
Correct Answer Explanation
Compensating controls must provide risk reduction equivalent to that of the original control, and they must be actively monitored and enforced. Simply documenting the controls or obtaining management approval for them is insufficient: the auditor must verify that the controls demonstrably mitigate the same risks that separation of duties would address.