In the IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs.
Which of the following would be the IS auditor's BEST recommendation?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
Segregation of duties is an important control in information systems to prevent fraud and errors. It involves separating tasks so that one person does not have control over all aspects of a process. However, in some cases, due to limited resources, segregation of duties may not be feasible.
In this scenario, a team member is performing the functions of a computer operator and reviewer of application logs. This presents a risk of potential errors, intentional or unintentional, as the team member has access to both the operational side and the review side of the system.
The IS auditor's best recommendation would be to assign an independent second reviewer to verify the application logs (Option C). This would ensure that there is a separation of duties and an independent check on the logs.
Developing procedures to verify that the application logs are not modified (Option A) is a good control, but it does not address the issue of segregation of duties.
Preventing the operator from performing application development activities (Option B) is also a good control, but it does not address the issue of reviewing the logs.
Restricting the computer operator's access to the production environment (Option D) may help to reduce the risk, but it does not ensure that there is an independent review of the logs.
Therefore, the best option would be to assign an independent second reviewer to verify the application logs.